Security-Enhanced Linux, better known as SELinux, has been around for a while now—and for good reason. Originally developed by the National Security Agency, it has been a part of the open source community since 2000 and a part of the Linux kernel since 2003. SELinux helps administrators keep tabs on how different parts of a Linux system can perform actions with fine-grain controls.
Basic workings
In short, SELinux uses a policy database to approve or to deny files, applications, or processes from being accessed on a given system. Applications and processes are defined as subjects that subsequently request access to files (known as objects). A decision is made based on the policies and permissions stored in an AVC (access vector cache).
Quick switches
What happens when you need to use a service that is blocked by one of these policies? Re-defining the policy may be unnecessary, given the context. This is where Booleans enter the scene. A Boolean is essentially a switch that allows for on-the-fly policy changes to specific areas within SELinux. These Booleans are strings that enable us to make micro-level changes to an actively-enforced policy.
[ You might also like: 5 tips for getting started with Linux server security ]
What Booleans are available?
To view a list of available Booleans, you can use getsebool -a. Any user can run this command.
[tcarrigan@client ~]$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
...Output Omitted...
What do these mean?
There are a huge number of available switches available here. As you can see in the list above, that the function of some of the Boolean switches isn't exactly obvious. You can use semanage boolean -l | grep boolean_name_string to list a bit more information about a given Boolean.
NOTE: You need admin privilege to run semanage commands.
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler*
cobbler_anon_write (off , off) Allow cobbler to anon write
cobbler_can_network_connect (off , off) Allow cobbler to can network connect
cobbler_use_cifs (off , off) Allow cobbler to use cifs
cobbler_use_nfs (off , off) Allow cobbler to use nfs
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
You can see above that we are looking at all Booleans dealing with cobbler. From left to right, we see the Boolean string, the current and default setting, and a short description of the switch.
Enable/disable Booleans
To make changes to the status of a given switch, we use the following command: setsebool boolean_name_string on (off). For example:
[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write on
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write
cobbler_anon_write (on , off) Allow cobbler to anon write
To disable the setting, just change the option at the end:
[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write off
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write
cobbler_anon_write (off , off) Allow cobbler to anon write
It needs to be stated that Boolean changes do not persist through reboots by default. To make a persistent change, add the -P option to your command syntax.
[tcarrigan@client ~]$ sudo setsebool -P cobbler_anon_write on
[ Want to learn more about security? Check out the IT security and compliance checklist. ]
More information?
If you need more information around SELinux or Boolean options, check out the SELinux man pages for booleans, getsebool, setsebool, semanage, semanage-booleans, and related topics.
[ Try Red Hat Enterprise Linux, an SELinux-enabled operating system, for free. ]
Sull'autore
Tyler is the Sr. Community Manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. Now that he has surfaced, he lives with his wife and son near Raleigh, where he worked as a data storage engineer before finding his way to the Red Hat team. He has written numerous technical documents, from military procedures to knowledgebase articles and even some training curricula. In his free time, he blends a passion for hiking, climbing, and bushcraft with video games and computer building. He is loves to read and enjoy a scotch or bourbon. Find him on Twitter or on LinkedIn.
Altri risultati simili a questo
Deploy Confidential Computing on AWS Nitro Enclaves with Red Hat Enterprise Linux
Red Hat OpenShift sandboxed containers 1.11 and Red Hat build of Trustee 1.0 accelerate confidential computing across the hybrid cloud
What Is Product Security? | Compiler
Technically Speaking | Security for the AI supply chain
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Virtualizzazione
Il futuro della virtualizzazione negli ambienti aziendali per i carichi di lavoro on premise o nel cloud
