Note: This is an RHCSA 7 exam objective.
SELinux uses booleans to makes its policy more flexible.
The basic policy is pretty strict but suits most requirements. But if you’ve got special needs, you can easily adjust it thanks to the SELinux booleans.
Get the list of SELinux booleans on a particular topic (here ftp):
# getsebool -a | grep ftp allow_ftpd_anon_write --> off allow_ftpd_full_access --> on allow_ftpd_use_cifs --> off allow_ftpd_use_nfs --> off ftp_home_dir --> on ftpd_connect_db --> off ftpd_use_fusefs --> off ftpd_use_passive_mode --> off httpd_enable_ftp_server --> off tftp_anon_write --> off tftp_use_cifs --> off tftp_use_nfs --> off
To set a specific SELinux boolean according to your need (here ftp_home_dir), type:
# setsebool -P ftp_home_dir on or # yum install -y setroubleshoot-server # semanage boolean -m --on ftp_home_dir
Note1: You can use on or 1, off or 0 with the setsebool command.
Note2: The -P option means Permanent. If you don’t use it, the boolean will restore its previous permanent or default configuration after the next reboot.
Note3: The semanage boolean command only assigns permanent configurations.
To get a more detailed list of SELinux booleans, type:
# yum install -y setroubleshoot-server # semanage boolean -l SELinux boolean State Default Description ftp_home_dir (off , off) Allow ftp to read and write files in the user home directories smartmon_3ware (off , off) Enable additional permissions needed to support devices on 3ware controllers. xdm_sysadm_login (off , off) Allow xdm logins as sysadm xen_use_nfs (off , off) Allow xen to manage nfs files mozilla_read_content (off , off) Control mozilla content access ssh_chroot_rw_homedirs (off , off) Allow ssh with chroot env to read and write files in the user home directories postgresql_can_rsync (off , off) Allow postgresql to use ssh and rsync for point-in-time recovery allow_console_login (on , on) Allow direct login to the console device. Required for System 390 spamassassin_can_network (off , off) Allow user spamassassin clients to use the network. authlogin_shadow (off , off) Allow users login programs to access /etc/shadow. httpd_can_network_relay (off , off) Allow httpd to act as a relay openvpn_enable_homedirs (on , on) Allow openvpn to read home directories ...
Important note: The State column respectively shows the current boolean configuration and the Default column the permanent boolean configuration.
To get the list of all the SELinux booleans with a current value different from the default one (-C option for local Customization), type:
# semanage boolean -l -C SELinux boolean State Default Description ftp_home_dir (on , on) Allow ftp to read and write files in the user home directories httpd_can_sendmail (on , on) Allow http daemon to send mail allow_postfix_local_write_mail_spool (on , on) Allow postfix_local domain full write access to mail_spool directories allow_ftpd_full_access (on , on) Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
To display the list of SELinux booleans related to NFS, type:
# semanage boolean -l | egrep "nfs|SELinux" SELinux boolean State Default Description xen_use_nfs (off , off) Allow xen to use nfs virt_use_nfs (off , off) Allow virt to use nfs mpd_use_nfs (off , off) Allow mpd to use nfs nfsd_anon_write (off , off) Allow nfsd to anon write ksmtuned_use_nfs (off , off) Allow ksmtuned to use nfs git_system_use_nfs (off , off) Allow git to system use nfs virt_sandbox_use_nfs (off , off) Allow virt to sandbox use nfs logrotate_use_nfs (off , off) Allow logrotate to use nfs git_cgi_use_nfs (off , off) Allow git to cgi use nfs cobbler_use_nfs (on , off) Allow cobbler to use nfs httpd_use_nfs (off , off) Allow httpd to use nfs sge_use_nfs (off , off) Allow sge to use nfs ftpd_use_nfs (off , off) Allow ftpd to use nfs sanlock_use_nfs (off , off) Allow sanlock to use nfs samba_share_nfs (off , off) Allow samba to share nfs openshift_use_nfs (off , off) Allow openshift to use nfs polipo_use_nfs (off , off) Allow polipo to use nfs use_nfs_home_dirs (off , off) Allow use to nfs home dirs nfs_export_all_rw (on , on) Allow nfs to export all rw nfs_export_all_ro (on , on) Allow nfs to export all ro
You can also watch this video from Sander van Vugt about Understanding SELinux Booleans (10min/2014).
It’s better if you can provide some examples.
It’s difficult to provide examples for all the SELinux booleans.
When running the semanage boolean -l command, in the description field you get a hint about the purpose of each boolean.