SELinux – Booleans


By the end of this article you should be able to answer the following questions:

What is the command to view the man info for SElinux booleans?

$ man booleans

What is the command to view all the current seboolan settings?

$ getsebool -a

What is the command to view a short description for each boolean setting?

$ semanage boolean -l

What is the command to persistantly+verbosely enable the 'ftp_home_dir' SELinux boolean setting?

$ setsebool -PV ftp_home_dir on
# this takes about 20 seconds

You can customise the default behaviour of your (targeted) policy. This is done by configuring various boolean settings that can enable/disable your policy’s various policy rules. Going back to our massive textbook analogy, this is a bit like graying-out (or ungraying) various segements of the book. Switching boolean values can be like increasing/decreasing the set of security attributes that a particular security attribute is allowed to have access to.

All seboolean changes takes effect straight away. Here’s a man page that covers more about SELinux booleans:

$ man booleans

You can view all your policy’s boolean setting using the getboolean command:

$ getsebool -a 
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on

New boolean settings also gets added to this list when in install rpm packages, e.g. httpd. You can find a short description of each seboolean using semanage:

$ semanage boolean -l
SELinux boolean        State  Default Description

ftp_home_dir           (off  ,  off)  Determine whether ftpd can read and write files in user home directories.
smartmon_3ware         (off  ,  off)  Determine whether smartmon can support devices on 3ware controllers.
mpd_enable_homedirs    (off  ,  off)  Determine whether mpd can traverse user home directories.
xdm_sysadm_login       (off  ,  off)  Allow the graphical login program to login directly as sysadm_r:sysadm_t

Notice we have a current “state” column, as well as an on machine reboot “default” column.

Enabling and Disabling SELinux Booleans

To enable/disable SELinux Boolean settings, we need to use the setsebool command:

$ whatis setsebool
setsebool (8)        - set SELinux boolean value

E.g. the “ftp_home_dir” is currently disabled, and to enable it we do:

$ getsebool ftp_home_dir
ftp_home_dir --> off
$ setsebool -P ftp_home_dir on
$ getsebool ftp_home_dir
ftp_home_dir --> on

Important: Always use the “-P” to make it persistent.

The above command for enabling/disabling a boolean setting takes about 20 seconds. That’s because the target policy itself is being modified and new binary of the policy is being compiled. The new binary is located in the folder /etc/selinux/targeted/policy