Hi,
I don't want httpd_t to read the etc_runtime_t type. If I remove the read operation from
the rules below, will it work?
sesearch -ACT -s httpd_t -t etc_runtime_t
allow httpd_t etc_runtime_t : file { ioctl read getattr lock open } ;
allow httpd_t etc_runtime_t : lnk_file { read getattr } ;
allow httpd_t file_type : filesystem getattr ;
On Wed, Sep 16, 2015 at 9:09 AM, Jason Zaman <jason@xxxxxxxxxxxxx> wrote:
On Wed, Sep 16, 2015 at 12:10:42AM +0530, Divya Vyas wrote:
> Hi,
> How do I write a policy rule to stop http server reading /etc/passwd
> file.
> neverallow ~can_read_shadow_passwords httpd_t:file read;
>
> Will this work?

That is not what neverallow statements do. If you want to remove the
ability for something to read a file, you have to remove the allow
rule. There is no deny rule. Neverallow means there will instead be a
compile error if you try and add that rule. There should already be a
neverallow for shadow and you need to grant an exception.
But more importantly, have you checked that your http server is actually
allowed to read shadow? Almost nothing can.
sesearch -ACT -s httpd_t -t shadow_t
this will tell you all the perms that httpd can do on shadow. If file
read is not one of them you do not have to do anything.
-- Jason
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
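A small shell helper that does the check Jason describes mechanically: given `sesearch -A` output that sesearch has already filtered with -s and -t (so attribute membership such as etc_runtime_t being a file_type is resolved by the policy tools), it reports whether a class/permission pair is granted. This is an added example, not code from the thread or from setools. The sample rules are constructed: the first three lines copy the output quoted above, the "ET ..." line imitates a conditional rule as printed with -C, and the last line uses the newer "target:class { ... };" spacing; both of those layouts are assumptions about sesearch output, which is why the parser simply ignores everything before the `allow` keyword and after the terminating `;`.

```shell
#!/bin/sh
# Added example, not code from the thread or from setools.
# Reports whether already-filtered `sesearch -A` output grants a given
# permission on a given object class. Run sesearch with -s/-t yourself so
# attribute membership (etc_runtime_t is a file_type) is resolved by the
# policy tools, not guessed by this script.

# SAMPLE_RULES is constructed for this example. Lines 1-3 copy the thread's
# output; the "ET ..." line imitates a conditional rule printed with -C
# (assumed format); the last line uses the newer setools-4 style spacing
# (assumed format) so the parser is exercised on both layouts.
SAMPLE_RULES='allow httpd_t etc_runtime_t : file { ioctl read getattr lock open } ;
allow httpd_t etc_runtime_t : lnk_file { read getattr } ;
allow httpd_t file_type : filesystem getattr ;
ET allow httpd_t user_home_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs ]
allow httpd_t httpd_sys_content_t:dir { getattr open read search };'

# has_perm RULES CLASS PERM
# Prints every allow rule in RULES granting PERM on CLASS; returns 0 if at
# least one does, 1 otherwise. Tokens before "allow" (conditional flags) and
# after the terminating ";" (boolean names) are ignored.
has_perm() {
    rules=$1; cls=$2; perm=$3
    printf '%s\n' "$rules" | awk -v cls="$cls" -v perm="$perm" '
    {
        n = split($0, t, " ")
        i = 1
        while (i <= n && t[i] != "allow") i++
        if (i > n) next                        # not an allow rule
        tc = t[i+2]                            # "target : class" or "target:class"
        if (tc ~ /:/) { split(tc, p, ":"); rcls = p[2]; k = i + 3 }
        else          { rcls = t[i+4];        k = i + 5 }
        if (rcls != cls) next
        for (j = k; j <= n; j++) {             # permission list up to ";"
            tok = t[j]
            last = (tok ~ /;$/)
            sub(/;$/, "", tok)                 # "};" -> "}", "getattr;" -> "getattr"
            if (tok == perm) { found = 1; print $0 }
            if (last) break
        }
    }
    END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed sample: the question asked above.
if has_perm "$SAMPLE_RULES" file read; then
    echo "httpd_t has file read on the type: the allow rule must be removed from the policy source"
else
    echo "no file read rule: nothing to remove"
fi
```

Against a live system the same function takes the real output, for example `has_perm "$(sesearch -ACT -s httpd_t -t shadow_t)" file read`. If a rule turns up, the only way to get rid of it is to remove the allow from the policy source (or the module that grants it) and rebuild; a neverallow does not subtract it and a loadable module can only add rules, which is the point Jason makes above.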