Linux security: Manipulating SELinux policies with Booleans

Security-Enhanced Linux, better known as SELinux, has been around for a while now—and for good reason. Originally developed by the National Security Agency, it has been a part of the open source community since 2000 and a part of the Linux kernel since 2003. SELinux helps administrators keep tabs on how different parts of a Linux system can perform actions with fine-grain controls.

Basic workings

In short, SELinux uses a policy database to approve or to deny files, applications, or processes from being accessed on a given system. Applications and processes are defined as subjects that subsequently request access to files (known as objects). A decision is made based on the policies and permissions stored in an AVC (access vector cache).

Quick switches

What happens when you need to use a service that is blocked by one of these policies? Re-defining the policy may be unnecessary, given the context. This is where Booleans enter the scene. A Boolean is essentially a switch that allows for on-the-fly policy changes to specific areas within SELinux. These Booleans are strings that enable us to make micro-level changes to an actively-enforced policy.

[ You might also like: 5 tips for getting started with Linux server security ]

What Booleans are available?

To view a list of available Booleans, you can use getsebool -a. Any user can run this command.

[tcarrigan@client ~]$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
...Output Omitted...

What do these mean?

There are a huge number of available switches available here. As you can see in the list above, that the function of some of the Boolean switches isn't exactly obvious. You can use semanage boolean -l | grep boolean_name_string to list a bit more information about a given Boolean.

NOTE: You need admin privilege to run semanage commands.

[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler*
cobbler_anon_write             (off  ,  off)  Allow cobbler to anon write
cobbler_can_network_connect    (off  ,  off)  Allow cobbler to can network connect
cobbler_use_cifs               (off  ,  off)  Allow cobbler to use cifs
cobbler_use_nfs                (off  ,  off)  Allow cobbler to use nfs
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files

You can see above that we are looking at all Booleans dealing with cobbler. From left to right, we see the Boolean string, the current and default setting, and a short description of the switch.

Enable/disable Booleans

To make changes to the status of a given switch, we use the following command: setsebool boolean_name_string on (off). For example:

[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write on
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write
cobbler_anon_write            (on    , off)         Allow cobbler to anon write

To disable the setting, just change the option at the end:

[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write off
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write
cobbler_anon_write            (off    , off)         Allow cobbler to anon write

It needs to be stated that Boolean changes do not persist through reboots by default. To make a persistent change, add the -P option to your command syntax.

[tcarrigan@client ~]$ sudo setsebool -P cobbler_anon_write on

[ Want to learn more about security? Check out the IT security and compliance checklist. ] 

More information?

If you need more information around SELinux or Boolean options, check out the SELinux man pages for booleans, getsebool, setsebool, semanage, semanage-booleans, and related topics.

[ Try Red Hat Enterprise Linux, an SELinux-enabled operating system, for free. ]