Working with SELinux booleans


SELinux booleans are on/off switches that can be enabled or disabled whenever required. In this article I'll show how you can interact with SELinux booleans on a Linux machine. Note that for this demonstration I will be using a CentOS 6 virtual machine.

To view a detailed list of the available SELinux booleans, run the getsebool -a command, which will display output like the following:

[Screenshot: SELinux booleans, output of getsebool -a]

Let's say you have an Apache web server and you want to check which SELinux booleans are available for it within the OS. Since there are a lot of booleans, you can narrow the search by running getsebool -a | grep httpd to list only the Apache-related ones. Each boolean has a distinct role and enables a particular kind of access for the Apache web server. I'm not going to discuss them here, but you can read further here.

To enable an SELinux boolean, simply run setsebool boolean_name on (or off to disable it), as in the following example:

setsebool httpd_enable_homedirs on

Using the same command with the off switch disables the boolean:

setsebool httpd_enable_homedirs off

Note that these changes are not persistent and will disappear once you reboot the machine unless you use the -P parameter. So this is how you make a persistent change:

setsebool -P httpd_mod_auth_pam on
setsebool -P httpd_enable_homedirs on

The first time you activate a boolean that is not enabled by default, a file named booleans.local is created on the machine; it contains the enabled booleans. You can view its content at /etc/selinux/targeted/modules/active/booleans.local. Note that modifying this file manually will not change anything in SELinux, since the file is created for users and is not used to enable or disable booleans:
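As an added example (not part of the original article), here is a small POSIX sh/awk helper that covers the steps above: it filters getsebool -a output for one boolean prefix, reports which booleans are currently on, and prints the persistent setsebool -P command for a change while refusing values other than on/off. The getsebool output is constructed to resemble a CentOS 6 host; on a real machine pipe the live command into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Constructed sample of "getsebool -a | grep httpd" output (name --> state).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_mod_auth_pam --> off
httpd_read_user_content --> off'

# list_enabled PREFIX: read getsebool output on stdin and print the names of
# booleans that start with PREFIX and are currently "on", one per line.
# Useful for a quick review of what extra access a confined service has.
list_enabled() {
    prefix="$1"
    awk -v p="$prefix" '$3 == "on" && index($1, p) == 1 { print $1 }'
}

# boolean_state NAME: print "on" or "off" for NAME (nothing if it is absent).
boolean_state() {
    name="$1"
    awk -v n="$name" '$1 == n { print $3 }'
}

# persist_cmd NAME on|off: print the setsebool invocation that survives a
# reboot (-P). Any value other than on/off is rejected with exit status 1.
persist_cmd() {
    case "$2" in
        on|off) printf 'setsebool -P %s %s\n' "$1" "$2" ;;
        *)      printf 'persist_cmd: invalid value "%s" (use on or off)\n' "$2" >&2
                return 1 ;;
    esac
}

# Demo run on the constructed sample: which httpd booleans are enabled?
printf '%s\n' "$SAMPLE_GETSEBOOL" | list_enabled httpd_
```

On a live host you would run `getsebool -a | list_enabled httpd_` after sourcing the script; the functions only read and print, so the command they produce still has to be executed by hand with the appropriate privileges, and nothing here touches booleans.local.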
[Screenshot: SELinux enabled booleans file]

SELinux will normally point you to the right command if there are issues logged in the audit file; it will literally show you the exact command that you have to execute to fix the problem. So if any booleans need to be enabled, check the audit or messages files to get an idea of what needs to be configured.
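As an added example (not from the article), the sh/awk helper below reduces raw AVC denial records from the audit log to the four fields you look at first when deciding whether a boolean is the right fix: the confined process (comm), the denied permission(s), the object class and the target type. The audit line is constructed to resemble an httpd denial on a file in a user home directory; on a real host feed it /var/log/audit/audit.log. The actual boolean suggestion comes from tools such as audit2why (policycoreutils); this script only triages the record.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Constructed AVC record resembling what /var/log/audit/audit.log would hold.
SAMPLE_AUDIT='type=AVC msg=audit(1399999999.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: for every type=AVC line on stdin print
#   "<comm> <permissions> <tclass> <target type>"
# Non-AVC records (SYSCALL, USER_AVC, ...) are skipped.
avc_summary() {
    awk '/type=AVC/ {
        comm = ""; perm = ""; tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            # permissions sit between the "{" and "}" tokens, e.g. { read open }
            if ($i == "{") {
                for (j = i + 1; $j != "}"; j++) perm = (perm == "" ? $j : perm " " $j)
            }
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # tcontext=user:role:type:level -> keep the type component
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        print comm, perm, tclass, ttype
    }'
}

# Demo run on the constructed record.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

A summary such as "httpd read file user_home_t" is the pattern the httpd_enable_homedirs boolean from the article is meant to address; a summary naming an unexpected process or target type is the cue to investigate before enabling anything.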
