Linux security: Manipulating SELinux policies with Booleans
Security-Enhanced Linux, better known as SELinux, has been around for a while now—and for good reason. Originally developed by the National Security Agency, it has been a part of the open source community since 2000 and a part of the Linux kernel since 2003. SELinux helps administrators keep tabs on how different parts of a Linux system can perform actions with fine-grain controls.
In short, SELinux uses a policy database to approve or to deny files, applications, or processes from being accessed on a given system. Applications and processes are defined as subjects that subsequently request access to files (known as objects). A decision is made based on the policies and permissions stored in an AVC (access vector cache).
What happens when you need to use a service that is blocked by one of these policies? Re-defining the policy may be unnecessary, given the context. This is where Booleans enter the scene. A Boolean is essentially a switch that allows for on-the-fly policy changes to specific areas within SELinux. These Booleans are strings that enable us to make micro-level changes to an actively-enforced policy.
[ You might also like: 5 tips for getting started with Linux server security ]
What Booleans are available?
To view a list of available Booleans, you can use
getsebool -a. Any user can run this command.
[tcarrigan@client ~]$ getsebool -a abrt_anon_write --> off abrt_handle_event --> off abrt_upload_watch_anon_write --> on antivirus_can_scan_system --> off antivirus_use_jit --> off auditadm_exec_content --> on authlogin_nsswitch_use_ldap --> off authlogin_radius --> off authlogin_yubikey --> off awstats_purge_apache_log_files --> off boinc_execmem --> on cdrecord_read_content --> off cluster_can_network_connect --> off cluster_manage_all_files --> off cluster_use_execmem --> off cobbler_anon_write --> off cobbler_can_network_connect --> off cobbler_use_cifs --> off cobbler_use_nfs --> off collectd_tcp_network_connect --> off ...Output Omitted...
What do these mean?
There are a huge number of available switches available here. As you can see in the list above, that the function of some of the Boolean switches isn't exactly obvious. You can use
semanage boolean -l | grep boolean_name_string to list a bit more information about a given Boolean.
NOTE: You need admin privilege to run
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler* cobbler_anon_write (off , off) Allow cobbler to anon write cobbler_can_network_connect (off , off) Allow cobbler to can network connect cobbler_use_cifs (off , off) Allow cobbler to use cifs cobbler_use_nfs (off , off) Allow cobbler to use nfs httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
You can see above that we are looking at all Booleans dealing with cobbler. From left to right, we see the Boolean string, the current and default setting, and a short description of the switch.
To make changes to the status of a given switch, we use the following command:
setsebool boolean_name_string on (
off). For example:
[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write on [tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write cobbler_anon_write (on , off) Allow cobbler to anon write
To disable the setting, just change the option at the end:
[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write off [tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write cobbler_anon_write (off , off) Allow cobbler to anon write
It needs to be stated that Boolean changes do not persist through reboots by default. To make a persistent change, add the
-P option to your command syntax.
[tcarrigan@client ~]$ sudo setsebool -P cobbler_anon_write on
[ Want to learn more about security? Check out the IT security and compliance checklist. ]
If you need more information around SELinux or Boolean options, check out the SELinux man pages for booleans, getsebool, setsebool, semanage, semanage-booleans, and related topics.