RHCSA Rapid Track
Activate and deactivate optional SELinux policy rules with the setsebool command, set and inspect the persistent value of SELinux Booleans with the setsebool -P and semanage boolean -l commands, and consult man pages that end with _selinux to find useful information about SELinux Booleans.
An application or service developer writes an SELinux targeted policy to define the allowed behavior of the targeted application. A developer can include optional application behavior in the SELinux policy that can be enabled when the behavior is allowed on a specific system. SELinux Booleans enable or disable the SELinux policy's optional behavior. With Booleans, you can selectively tune the behavior of an application.
These optional behaviors are application-specific, and must be discovered and selected for each targeted application. Service-specific Booleans are documented in that service's SELinux man page. For example, the web server httpd service has its httpd(8) man page, and an httpd_selinux(8) man page to document its SELinux policy, including the supported process types, file contexts, and the available Boolean-enabled behaviors. The SELinux man pages are provided in the selinux-policy-doc package.
Use the getsebool command to list the Booleans available in the targeted policy on this system, together with their current values. Use the setsebool command to enable or disable a Boolean in the running policy. The setsebool -P option also writes the value to the persistent policy store, so the setting survives a reboot. Only privileged users can set SELinux Booleans.
[root@host ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
...output omitted...

The httpd service policy includes the httpd_enable_homedirs Boolean, which enables the sharing of home directories with httpd. Typically, a user's local home directory is accessible to the user only when logged in to the local system. Alternatively, home directories are shared and accessed by using a remote file sharing protocol, such as NFS. In both scenarios, home directories are not served by httpd by default, and are not available to the user through a browser.
[root@host ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

You can enable sharing and allow users to access their home directories with a browser. When the Boolean is enabled, the httpd service shares home directories that are labeled with the user_home_dir_t file context. Users can then access and manage their home directory files from a browser.
Setting SELinux Booleans with the setsebool command without the -P option is temporary, and settings return to the persistent values after rebooting. View additional information with the semanage boolean -l command, which lists the Booleans from the policy files, including whether a Boolean is persistent, the default and current values, and a short description.
[root@host ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
[root@host ~]# setsebool httpd_enable_homedirs on
[root@host ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
[root@host ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
To list only Booleans with a current setting that is different from the default setting at boot, use the semanage boolean -l -C command. This example has the same result as the previous example, without requiring the grep filtering.
[root@host ~]# semanage boolean -l -C
SELinux boolean                State  Default Description
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs

The previous example temporarily set the current value of the httpd_enable_homedirs Boolean to on, until the system reboots. To change the persistent setting, use the setsebool -P command. The following example sets a persistent value, and then views the Boolean's information from the policy store.
[root@host ~]# setsebool -P httpd_enable_homedirs on
[root@host ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,  on)   Allow httpd to enable homedirs
Use the semanage boolean -l -C command again. The Boolean is still listed, even though its current and persistent values now appear identical. The -C option reports Booleans whose setting differs from the default that is compiled into the policy, which is the value that was in effect at the last boot, not the value that setsebool -P just wrote. For httpd_enable_homedirs, that policy default is off.
[root@host ~]# semanage boolean -l -C
SELinux boolean                State  Default Description
httpd_enable_homedirs          (on   ,  on)   Allow httpd to enable homedirs
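The sequence above shows why a Boolean's running value and its persistent value have to be compared, not just read: a value set without -P silently reverts at reboot, and a Boolean such as httpd_enable_homedirs widens what the confined httpd_t domain may read. The following script is an added example, not part of the course page or of the SELinux tools; it parses output in the layout that semanage boolean -l prints and reports (a) every Boolean whose running value differs from its persistent value and (b) which Booleans from a caller-supplied watch list are currently on. The SAMPLE_BOOLEANS text is constructed for the example (values and descriptions are made up, only the column layout matches the real command), so it runs without root or a live SELinux host; the function names and the watch list are this example's own choices.

```shell
#!/bin/sh
# Added example: audit SELinux Boolean state from `semanage boolean -l` output.
#
# Constructed sample in the `semanage boolean -l` column layout. The values and
# descriptions are invented for this example; only the format matters.
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
abrt_anon_write                (off  ,  off)  Allow ABRT to modify public files
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
httpd_can_network_connect      (off  ,  on)   Allow httpd to connect to the network
ftpd_anon_write                (off  ,  off)  Allow ftpd to write to public directories'

# boolean_drift OUTPUT
# Prints "name current persistent" for each Boolean whose running value differs
# from its persistent value. In either direction, a reboot changes the effective
# policy: (on, off) is a change made without -P, (off, on) is a persistent
# setting that was turned off only in the running policy.
boolean_drift() {
    printf '%s\n' "$1" | awk '
        $2 !~ /^\(/ { next }                 # skip the header and unparsable lines
        {
            cur = $2; sub(/^\(/, "", cur)    # "(on"  -> "on"
            def = $4; sub(/\)$/, "", def)    # "off)" -> "off"
            if (cur != def) print $1, cur, def
        }'
}

# boolean_state NAME OUTPUT
# Prints the running value ("on" or "off") of NAME, or nothing if NAME is absent.
boolean_state() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 ~ /^\(/ { cur = $2; sub(/^\(/, "", cur); print cur }'
}

# enabled_from_watchlist OUTPUT NAME...
# Prints each watch-listed Boolean that is currently on. The watch list is the
# caller's choice; here it holds Booleans that let a confined domain reach
# resources it otherwise could not (home directories, the network, ...).
enabled_from_watchlist() {
    out=$1; shift
    for name in "$@"; do
        [ "$(boolean_state "$name" "$out")" = "on" ] && printf '%s\n' "$name"
    done
    return 0
}

# Stand-alone demonstration on the constructed sample. On a real host, replace
# "$SAMPLE_BOOLEANS" with "$(semanage boolean -l)" (semanage requires root).
echo "== Booleans whose running value differs from the persistent value =="
boolean_drift "$SAMPLE_BOOLEANS"
echo "== Watch-listed Booleans currently enabled =="
enabled_from_watchlist "$SAMPLE_BOOLEANS" \
    httpd_enable_homedirs httpd_can_network_connect ftpd_anon_write
```

On the sample, boolean_drift reports httpd_enable_homedirs (on, off) and httpd_can_network_connect (off, on), and the watch list reports only httpd_enable_homedirs. Run the drift check before and after a change made with setsebool -P: an empty drift list after the -P run confirms that the running and persistent values agree, which is the state the page reaches in its last listing.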
References

booleans(8), getsebool(8), setsebool(8), semanage(8), and semanage-boolean(8) man pages