Overview
By the end of this article you should be able to answer the following questions:
Announcement
You can find all my latest posts on medium.$ man booleans
$ getsebool -a
$ semanage boolean -l
$ setsebool -PV ftp_home_dir on
# this takes about 20 seconds
You can customise the default behaviour of your (targeted) policy. This is done by configuring various boolean settings that can enable/disable your policy’s various policy rules. Going back to our massive textbook analogy, this is a bit like graying-out (or ungraying) various segements of the book. Switching boolean values can be like increasing/decreasing the set of security attributes that a particular security attribute is allowed to have access to.
All seboolean changes takes effect straight away. Here’s a man page that covers more about SELinux booleans:
$ man booleans
You can view all your policy’s boolean setting using the getboolean
command:
$ getsebool -a abrt_anon_write --> off abrt_handle_event --> off abrt_upload_watch_anon_write --> on antivirus_can_scan_system --> off antivirus_use_jit --> off auditadm_exec_content --> on . . ...etc.
New boolean settings also gets added to this list when in install rpm packages, e.g. httpd. You can find a short description of each seboolean using semanage
:
$ semanage boolean -l SELinux boolean State Default Description ftp_home_dir (off , off) Determine whether ftpd can read and write files in user home directories. smartmon_3ware (off , off) Determine whether smartmon can support devices on 3ware controllers. mpd_enable_homedirs (off , off) Determine whether mpd can traverse user home directories. xdm_sysadm_login (off , off) Allow the graphical login program to login directly as sysadm_r:sysadm_t . . ...etc
Notice we have a current “state” column, as well as an on machine reboot “default” column.
Enabling and Disabling SELinux Booleans
To enable/disable SELinux Boolean settings, we need to use the setsebool
command:
$ whatis setsebool setsebool (8) - set SELinux boolean value
E.g. the “ftp_home_dir” is currently disabled, and to enable it we do:
$ getsebool ftp_home_dir ftp_home_dir --> off $ setsebool -P ftp_home_dir on $ getsebool ftp_home_dir ftp_home_dir --> on
Important: Always use the “-P” to make it persistent.
The above command for enabling/disabling a boolean setting takes about 20 seconds. That’s because the target policy itself is being modified and new binary of the policy is being compiled. The new binary is located in the folder /etc/selinux/targeted/policy