SELINUX: Use boolean settings to modify system SELinux settings.

Note: This is an RHCSA 7 exam objective.

Presentation

SELinux uses booleans to make its policy more flexible: each boolean toggles one optional set of rules in the policy without requiring a policy rebuild.

The default targeted policy is fairly strict but suits most setups. If you need a confined service to do something the policy forbids by default (for example, let ftpd read and write users' home directories), a boolean lets you enable that one behaviour without writing a custom policy module.

Standard Management

Get the list of SELinux booleans on a particular topic (here ftp):

# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

To set a specific SELinux boolean according to your need (here ftp_home_dir), type:

# setsebool -P ftp_home_dir on

or, with semanage (the command itself is shipped in the policycoreutils-python package; installing setroubleshoot-server, as below, pulls it in as a dependency):

# yum install -y setroubleshoot-server
# semanage boolean -m --on ftp_home_dir

Note1: You can use on or 1, off or 0 with the setsebool command.
Note2: The -P option means Permanent: the new value is written into the policy store as well as applied to the running policy. Without -P the change affects only the running policy and is lost at the next reboot, when the persistent value (the one shown in the Default column of semanage boolean -l) comes back. Because -P rebuilds the policy store, it takes noticeably longer than a runtime-only change.
Note3: The semanage boolean -m command always writes the persistent value; unless you add -N (--noreload) it also applies the new value to the running policy. There is no runtime-only form of semanage boolean, so for a temporary change use setsebool without -P.

To get a more detailed list of SELinux booleans, type:

# yum install -y setroubleshoot-server
# semanage boolean -l
SELinux boolean                State  Default Description
ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
smartmon_3ware                 (off  ,  off)  Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login               (off  ,  off)  Allow xdm logins as sysadm
xen_use_nfs                    (off  ,  off)  Allow xen to manage nfs files
mozilla_read_content           (off  ,  off)  Control mozilla content access
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh with chroot env to read and write files in the user home directories
postgresql_can_rsync           (off  ,  off)  Allow postgresql to use ssh and rsync for point-in-time recovery
allow_console_login            (on   ,   on)  Allow direct login to the console device. Required for System 390
spamassassin_can_network       (off  ,  off)  Allow user spamassassin clients to use the network.
authlogin_shadow               (off  ,  off)  Allow users login programs to access /etc/shadow.
httpd_can_network_relay        (off  ,  off)  Allow httpd to act as a relay
openvpn_enable_homedirs        (on   ,   on)  Allow openvpn to read home directories
...

Important note: The State column shows the current value of the boolean in the running policy and the Default column its persistent value, the one written by setsebool -P or semanage and restored at boot. When the two differ, as with cobbler_use_nfs (on , off) in the NFS listing below, the boolean was changed at runtime only and will revert at the next reboot.
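As an added example (not part of the original page), the following shell script puts the State/Default distinction to work: it parses text in the format of semanage boolean -l and lists every boolean whose running value differs from its persistent one, i.e. changes made without -P that will silently vanish at the next reboot, then prints the setsebool command to either keep or undo each one. The input is a constructed sample embedded in the script; the function and variable names (SAMPLE, drift_report, drift_count, reconcile_cmds) are the example's own.

```bash
#!/bin/bash
# Added example (not from the original page): audit SELinux boolean drift.
# Parses lines in the format of `semanage boolean -l` shown above,
#   name   (current , persistent)  description
# and reports every boolean whose running value (State) differs from its
# persistent value (Default). Such booleans were changed with setsebool
# without -P (or semanage boolean -N): the change disappears at the next
# reboot, which is exactly what you want to catch before it does.

# Constructed sample input in the format of `semanage boolean -l`.
# On a real host use:  semanage boolean -l | drift_report
SAMPLE='SELinux boolean                State  Default Description
cobbler_use_nfs                (on   ,  off)  Allow cobbler to use nfs
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
nfs_export_all_rw              (on   ,   on)  Allow nfs to export all rw
ftp_home_dir                   (off  ,   on)  Allow ftp to read and write files in the user home directories'

# drift_report: read semanage-style lines on stdin and print
# "<name> <current> <persistent>" for each boolean whose two values differ.
drift_report() {
    awk '
        # boolean rows start with the name, then whitespace, then "("
        /^[A-Za-z0-9_]+[ \t]+\(/ {
            name = $1
            if (match($0, /\([^)]*\)/)) {
                inner = substr($0, RSTART + 1, RLENGTH - 2)   # "on   ,  off"
                gsub(/[ \t]/, "", inner)                      # "on,off"
                split(inner, v, ",")
                if (v[1] != v[2]) print name, v[1], v[2]
            }
        }'
}

# drift_count: number of drifting booleans (0 means runtime and persistent agree)
drift_count() {
    drift_report | wc -l | tr -d ' '
}

# reconcile_cmds: for each drifting boolean, print the two commands that
# resolve it: persist the running value (setsebool -P) or revert the running
# value to the persistent one (setsebool without -P). Choose deliberately
# per boolean; a runtime-only "on" is often a forgotten troubleshooting step.
reconcile_cmds() {
    drift_report | while read -r name cur persist; do
        printf '%s: keep  -> setsebool -P %s %s\n' "$name" "$name" "$cur"
        printf '%s: undo  -> setsebool %s %s\n' "$name" "$name" "$persist"
    done
}

# Stand-alone demonstration on the constructed sample
printf '%s\n' "$SAMPLE" | reconcile_cmds
```

On the sample, drift_report flags cobbler_use_nfs (on at runtime, off persistently) and ftp_home_dir (off at runtime, on persistently); the other two rows agree and are ignored. Running semanage boolean -l | drift_report on a host after a change window is a cheap way to make sure nothing was left in a state that a reboot will quietly undo.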

To get the list of all the SELinux booleans whose persistent value has been changed locally from the default shipped with the policy (-C for local Customizations), which is the quickest way to audit what has been altered on a system, type:

# semanage boolean -l -C
SELinux boolean                State  Default Description

ftp_home_dir                   (on   ,   on)  Allow ftp to read and write files in the user home directories
httpd_can_sendmail             (on   ,   on)  Allow http daemon to send mail
allow_postfix_local_write_mail_spool (on   ,   on)  Allow postfix_local domain full write access to mail_spool directories
allow_ftpd_full_access         (on   ,   on)  Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

To display the list of SELinux booleans related to NFS, type:

# semanage boolean -l | egrep "nfs|SELinux"
SELinux boolean                State  Default Description
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
virt_use_nfs                   (off  ,  off)  Allow virt to use nfs
mpd_use_nfs                    (off  ,  off)  Allow mpd to use nfs
nfsd_anon_write                (off  ,  off)  Allow nfsd to anon write
ksmtuned_use_nfs               (off  ,  off)  Allow ksmtuned to use nfs
git_system_use_nfs             (off  ,  off)  Allow git to system use nfs
virt_sandbox_use_nfs           (off  ,  off)  Allow virt to sandbox use nfs
logrotate_use_nfs              (off  ,  off)  Allow logrotate to use nfs
git_cgi_use_nfs                (off  ,  off)  Allow git to cgi use nfs
cobbler_use_nfs                (on   ,  off)  Allow cobbler to use nfs
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
sge_use_nfs                    (off  ,  off)  Allow sge to use nfs
ftpd_use_nfs                   (off  ,  off)  Allow ftpd to use nfs
sanlock_use_nfs                (off  ,  off)  Allow sanlock to use nfs
samba_share_nfs                (off  ,  off)  Allow samba to share nfs
openshift_use_nfs              (off  ,  off)  Allow openshift to use nfs
polipo_use_nfs                 (off  ,  off)  Allow polipo to use nfs
use_nfs_home_dirs              (off  ,  off)  Allow use to nfs home dirs
nfs_export_all_rw              (on   ,   on)  Allow nfs to export all rw
nfs_export_all_ro              (on   ,   on)  Allow nfs to export all ro

Additional Resources

You can also watch this video from Sander van Vugt about Understanding SELinux Booleans (10min/2014).
