Security-Enhanced Linux, better known as SELinux, has been around for a while now—and for good reason. Originally developed by the National Security Agency, it has been a part of the open source community since 2000 and a part of the Linux kernel since 2003. SELinux helps administrators keep tabs on how different parts of a Linux system can perform actions with fine-grain controls.
Basic workings
In short, SELinux uses a policy database to approve or to deny files, applications, or processes from being accessed on a given system. Applications and processes are defined as subjects that subsequently request access to files (known as objects). A decision is made based on the policies and permissions stored in an AVC (access vector cache).
Quick switches
What happens when you need to use a service that is blocked by one of these policies? Re-defining the policy may be unnecessary, given the context. This is where Booleans enter the scene. A Boolean is essentially a switch that allows for on-the-fly policy changes to specific areas within SELinux. These Booleans are strings that enable us to make micro-level changes to an actively-enforced policy.
[ You might also like: 5 tips for getting started with Linux server security ]
What Booleans are available?
To view a list of available Booleans, you can use getsebool -a. Any user can run this command.
[tcarrigan@client ~]$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
...Output Omitted...
What do these mean?
There are a huge number of available switches available here. As you can see in the list above, that the function of some of the Boolean switches isn't exactly obvious. You can use semanage boolean -l | grep boolean_name_string to list a bit more information about a given Boolean.
NOTE: You need admin privilege to run semanage commands.
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler*
cobbler_anon_write (off , off) Allow cobbler to anon write
cobbler_can_network_connect (off , off) Allow cobbler to can network connect
cobbler_use_cifs (off , off) Allow cobbler to use cifs
cobbler_use_nfs (off , off) Allow cobbler to use nfs
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
You can see above that we are looking at all Booleans dealing with cobbler. From left to right, we see the Boolean string, the current and default setting, and a short description of the switch.
Enable/disable Booleans
To make changes to the status of a given switch, we use the following command: setsebool boolean_name_string on (off). For example:
[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write on
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write
cobbler_anon_write (on , off) Allow cobbler to anon write
To disable the setting, just change the option at the end:
[tcarrigan@client ~]$ sudo setsebool cobbler_anon_write off
[tcarrigan@client ~]$ sudo semanage boolean -l | grep cobbler_anon_write
cobbler_anon_write (off , off) Allow cobbler to anon write
It needs to be stated that Boolean changes do not persist through reboots by default. To make a persistent change, add the -P option to your command syntax.
[tcarrigan@client ~]$ sudo setsebool -P cobbler_anon_write on
[ Want to learn more about security? Check out the IT security and compliance checklist. ]
More information?
If you need more information around SELinux or Boolean options, check out the SELinux man pages for booleans, getsebool, setsebool, semanage, semanage-booleans, and related topics.
[ Try Red Hat Enterprise Linux, an SELinux-enabled operating system, for free. ]
关于作者
Tyler is the Sr. Community Manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. Now that he has surfaced, he lives with his wife and son near Raleigh, where he worked as a data storage engineer before finding his way to the Red Hat team. He has written numerous technical documents, from military procedures to knowledgebase articles and even some training curricula. In his free time, he blends a passion for hiking, climbing, and bushcraft with video games and computer building. He is loves to read and enjoy a scotch or bourbon. Find him on Twitter or on LinkedIn.
