Re: Neverallow in http policy

On Wed, Sep 16, 2015 at 10:57:55AM +0530, Divya Vyas wrote:
>    Hi,
>    I don't want httpd_t to read the etc_runtime_t type. If I remove the read
>    operation from the below rules, will it work?
>    sesearch -ACT -s httpd_t -t etc_runtime_t
>    allow httpd_t etc_runtime_t : file { ioctl read getattr lock open } ;
>    allow httpd_t etc_runtime_t : lnk_file { read getattr } ;
>    allow httpd_t file_type : filesystem getattr ;

Yes, that should work. I initially thought you wanted to remove access
to /etc/shadow since that is what the can_read_shadow_passwords
attribute is about but you said /etc/passwd above that.

Although make sure you test thoroughly, I suspect that apache needs to
be able to read /etc/passwd in order to drop privs down to the apache
user from root. Removing /etc/passwd access might not work at all.

-- Jason

>    On Wed, Sep 16, 2015 at 9:09 AM, Jason Zaman <[1]jason@xxxxxxxxxxxxx>
>    wrote:
> 
>    On Wed, Sep 16, 2015 at 12:10:42AM +0530, Divya Vyas wrote:
>    > Hi,
>    > How do I write a policy rule to stop http server reading
>    > /etc/passwd file.
>    > neverallow ~can_read_shadow_passwords httpd_t:file read;
>    >
>    > Will this work?
> 
>      That is not what neverallow statements do. If you want to remove the
>      ability for something to read a file, you have to remove the allow
>      rule. There is no deny rule. Neverallow means there will instead be a
>      compile error if you try and add that rule. There should already be a
>      neverallow for shadow and you need to grant an exception.
>      But more importantly, have you checked that your http server is actually
>      allowed to read shadow? Almost nothing can.
>      sesearch -ACT -s httpd_t -t shadow_t
>      this will tell you all the perms that httpd can do on shadow. If file
>      read is not one of them you do not have to do anything.
>      -- Jason
> 
> References
> 
>    1. mailto:jason@xxxxxxxxxxxxx
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
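The check Jason recommends above (run sesearch, then look whether `read` on the file class is actually among the permissions httpd_t holds) is easy to do by eye for one target, but tedious across many. Below is an added example, not code from the thread or from the SETools project, that parses sesearch-style `allow` lines and answers that question programmatically. The sample output is constructed here; the function names `parse_allow_rules`, `permissions` and `can` are this example's own. Note that sesearch output can name attributes (such as `file_type` in the thread) rather than concrete types, and this parser matches names literally, so a type that inherits access through an attribute is only visible if you query with that attribute name too.

```python
import re
from collections import defaultdict

# Constructed sample of `sesearch -ACT -s httpd_t` output. It mirrors the
# rules quoted in the thread plus one made-up getattr-only rule on shadow_t;
# it was not captured from a real system.
SAMPLE_SESEARCH_OUTPUT = """\
allow httpd_t etc_runtime_t : file { ioctl read getattr lock open } ;
allow httpd_t etc_runtime_t : lnk_file { read getattr } ;
allow httpd_t file_type : filesystem getattr ;
allow httpd_t shadow_t : file getattr ;
"""

# One allow rule per line: "allow SRC TGT : CLASS { p1 p2 ... } ;" or
# "allow SRC TGT : CLASS p1 ;" (single permission without braces).
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
)


def parse_allow_rules(text):
    """Return {(src, tgt, cls): set(perms)} built from allow lines in text.

    Lines that are not allow rules (blank lines, conditional markers,
    type_transition output) are skipped rather than treated as errors.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        rules[(m.group("src"), m.group("tgt"), m.group("cls"))].update(perms)
    return dict(rules)


def permissions(rules, src, tgt, cls):
    """All permissions src holds on tgt for the given object class."""
    return set(rules.get((src, tgt, cls), set()))


def can(rules, src, tgt, cls, perm):
    """True if an allow rule grants src the permission perm on tgt:cls."""
    return perm in permissions(rules, src, tgt, cls)


def targets_with(rules, src, cls, perm):
    """Every target name on which src has perm for class cls."""
    return sorted(
        tgt for (s, tgt, c), perms in rules.items()
        if s == src and c == cls and perm in perms
    )


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_SESEARCH_OUTPUT)
    for tgt in ("shadow_t", "etc_runtime_t"):
        print(f"httpd_t file read on {tgt}: {can(rules, 'httpd_t', tgt, 'file', 'read')}")
    print("file targets readable by httpd_t:", targets_with(rules, "httpd_t", "file", "read"))
```

In practice you would feed it real output, for example `parse_allow_rules(subprocess.run(["sesearch", "-A", "-s", "httpd_t"], capture_output=True, text=True).stdout)`, and act only on the targets where `read` really shows up; as the thread says, if it is not there, no policy change is needed.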