Security-Enhanced Linux (SELinux) is a form of mandatory access control (MAC) that helps Linux systems enforce file and process permissions. It's a default subsystem on Red Hat Enterprise Linux (RHEL), CentOS, Fedora, and many other Linux distributions.
SELinux is built around the concept of security labels and types. When you give a file an SELinux label of one type, then a process bearing a label of a different type cannot interact with it, even though the file's permissions on disk might be as permissive as 777 (which provides read, write, and execute permissions for owners, groups, and others).
SELinux uses policies to decide what labels and types are compatible with one another. For instance, if your system has the default policy that disallows an HTTP daemon to interact with users' home directories, then user home directories are essentially untouchable by httpd even though you may have a config file saying otherwise.
Read the full Red Hat documentation to gain a complete understanding of SELinux. Considerable work is put into SELinux policies by the time you install a system, but you can control policy decisions through SELinux booleans.
List booleans with semanage
The semanage
command is an SELinux policy management tool. You can use it to view available boolean options:
$ sudo semanage boolean --list | head
SELinux boolean State Default
abrt_anon_write (off , off)
abrt_handle_event (off , off)
abrt_upload_watch_anon_write (on , on)
antivirus_can_scan_system (off , off)
antivirus_use_jit (off , off)
auditadm_exec_content (on , on)
authlogin_nsswitch_use_ldap (off , off)
authlogin_radius (off , off)
[...]
[ Improve your skills managing and using SELinux with this helpful guide. ]
If you've changed any booleans, you can view your custom settings with the --locallist
or -C
option:
$ sudo semanage boolean -l -C
SELinux boolean State Default
virt_sandbox_use_all_caps (on , on)
virt_use_nfs (on , on)
zebra_write_config (on , on)
When to use a boolean
The most common way to find out that a boolean has been designed to prevent an interaction is with SELinux Troubleshooter. When SELinux registers an attempted violation of a policy, it logs the decision as an Access Vector Cache (AVC). The Troubleshooter app spawns desktop notifications any time there's an AVC denial so that you can review the decision and override or report it as appropriate.
That's the main way you're alerted about SELinux activity, and many times it's the way you solve an issue.
In the example of an Nginx web server attempting to access a home directory, SELinux Troubleshooter suggests that you enable the httpd_enable_homedirs
boolean. It even gives you a command you can use.
Should SELinux Troubleshooter fail to notify you about a denial (or if you don't have it installed), you may still be able to look through available booleans and find the one that makes sense for you to activate or deactivate. Most booleans are named in the interest of clarity. If you're diagnosing an error with NFS, for instance, you can list booleans, grep for nfs, and you'll likely find the boolean you're looking for.
If you don't have SELinux Troubleshooter installed, you can install it with:
$ sudo dnf install setroubleshoot
Set a boolean with semanage or setsebool
To modify an SELinux boolean, you can use semanage --modify
along with either --on
or --off
. For instance, here's how to modify the httpd_allow_homedirs
boolean:
$ sudo semanage boolean --modify --on http_allow_homedirs
If you prefer, you can use setsebool
, which arguably has a simpler syntax:
$ sudo setsebool -P httpd_enable_homedirs 1
The setsebool
command is a tool for quickly and easily setting SELinux booleans. The -P
option makes your decision persistent across reboots, and the 1
makes the boolean true.
SELinux booleans in the filesystem
All SELinux boolean values are viewable as a file in your filesystem. They're expressed as files in the /sys/fs/selinux/booleans
directory:
$ cat /sys/fs/selinux/booleans/httpd_use_nfs
0 0
$ cat /sys/fs/selinux/booleans/httpd_enable_homedirs
1 1
SELinux booleans
SELinux booleans allow you to control specific attributes of SELinux policies. Change them thoughtfully and because you understand why you want to override them. Policies exist for good reasons, but you also have control over them because you're the expert on your own system. Using semanage
, setsebool
, and SELinux Troubleshooter, you can make intelligent and quick decisions about what files and processes are allowed to interact.
Sobre o autor
Seth Kenlon is a Linux geek, open source enthusiast, free culture advocate, and tabletop gamer. Between gigs in the film industry and the tech industry (not necessarily exclusive of one another), he likes to design games and hack on code (also not necessarily exclusive of one another).
Mais como este
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Programas originais
Veja as histórias divertidas de criadores e líderes em tecnologia empresarial
Produtos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Red Hat Cloud Services
- Veja todos os produtos
Ferramentas
- Treinamento e certificação
- Minha conta
- Suporte ao cliente
- Recursos para desenvolvedores
- Encontre um parceiro
- Red Hat Ecosystem Catalog
- Calculadora de valor Red Hat
- Documentação
Experimente, compre, venda
Comunicação
- Contate o setor de vendas
- Fale com o Atendimento ao Cliente
- Contate o setor de treinamento
- Redes sociais
Sobre a Red Hat
A Red Hat é a líder mundial em soluções empresariais open source como Linux, nuvem, containers e Kubernetes. Fornecemos soluções robustas que facilitam o trabalho em diversas plataformas e ambientes, do datacenter principal até a borda da rede.
Selecione um idioma
Red Hat legal and privacy links
- Sobre a Red Hat
- Oportunidades de emprego
- Eventos
- Escritórios
- Fale com a Red Hat
- Blog da Red Hat
- Diversidade, equidade e inclusão
- Cool Stuff Store
- Red Hat Summit