
Re: Deny process httpd read passwd (/etc/passwd) file

That is actually a more difficult problem with the way we write policy now. Lots of apps are attempting to read /etc/passwd to translate the UID of apache or the UID of root. In Fedora 17 I have added a label to /etc/passwd which I am allowing most domains to read, only blocking domains like svirt and svirt_lxc, maybe denying read to apache via boolean?

One alternative way to handle this would be to use unshare and bind mounts to bind a locked-down version of /usr/share/etc/passwd over /etc/passwd where the only accounts in /etc/passwd were system accounts and none of them were logginable. Then the apache process would be allowed to read /etc/passwd but would not be able to see user accounts.
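
The unshare and bind-mount approach described in the reply above, sketched as an added example that is not part of the original thread. The function names, the UID cutoff of 1000 and the sample accounts are assumptions; /usr/share/etc/passwd is the path mentioned in the reply.

```shell
#!/bin/sh
# Added example: function names, UID cutoff and sample data are assumptions.

# Build the locked-down copy: keep only system accounts (UID below the
# cutoff) and give every kept account a non-login shell.
# Reads passwd(5) lines on stdin, writes the filtered file to stdout.
lockdown_passwd() {
    uid_max="${1:-1000}"   # assumption: regular users start at UID 1000
    awk -F: -v OFS=: -v max="$uid_max" '
        NF == 7 && $3 ~ /^[0-9]+$/ && $3 < max {
            $2 = "x"               # never carry a password field over
            $7 = "/sbin/nologin"   # no account in the copy can log in
            print
        }'
}

# Run a command in a private mount namespace in which the locked-down
# file is bind-mounted over /etc/passwd. Requires root (CAP_SYS_ADMIN).
# The rest of the system keeps seeing the real /etc/passwd.
run_with_locked_passwd() {
    locked="$1"; shift
    unshare --mount sh -c '
        mount --make-rprivate / &&
        mount --bind "$0" /etc/passwd &&
        exec "$@"' "$locked" "$@"
}

# Constructed sample input (not taken from any real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
EOF
}

# Typical use, as root:
#   lockdown_passwd < /etc/passwd > /usr/share/etc/passwd
#   run_with_locked_passwd /usr/share/etc/passwd httpd -DFOREGROUND
```

A bind-mounted file keeps its own SELinux label, so the locked-down copy needs a type that the confined domain is allowed to read.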

Re: Deny process httpd read passwd (/etc/passwd) file

Thanks for helping me.
"maybe denying read to apache via boolean?" Can I use a boolean?
