SELinux Booleans for a service
Booleans
Booleans are variables that can be set to either
true or false. They extend the effect of SELinux policies by letting the
system administrator fine tune a policy. A policy may protect a certain daemon
or service by applying various access control rules. In real world scenarios, a
system administrator may not want to enforce every access control
specified in the policy, and Booleans provide a way to turn individual rules on or off.
SELinux Policy
The SELinux policy is the set of rules that guides
the SELinux security engine. It defines types for objects and domains for
processes. It uses roles to limit the domains that can be entered, and has user
identities to specify the roles that can be attained. In essence, types and
domains are equivalent; the difference is that types apply to objects while
domains apply to processes.
How to list SELinux Booleans?
- To see the Booleans of a particular service, use the following syntax:
#getsebool -a | grep <service name>
#getsebool -a | grep http
Booleans can only be checked and changed when SELinux is in enforcing or permissive mode;
when SELinux is in disabled mode, Booleans cannot be modified.
Note: if grep is not used in the command, it will
list the Booleans for all services on the system and the output will be very
lengthy.
[root@linuxelearn ~]# getenforce
Enforcing
[root@linuxelearn ~]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
[root@linuxelearn ~]#
- To change a Boolean, copy its name and give the option (the only possible values for a Boolean are on and off). The syntax for changing a Boolean value is
#setsebool <Boolean> <on|off>
#setsebool allow_httpd_anon_write on
- Verify the change with the getsebool command.
[root@linuxelearn ~]# setsebool allow_httpd_anon_write on
[root@linuxelearn ~]# getsebool -a | grep http
allow_httpd_anon_write --> on
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
[root@linuxelearn ~]#
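As an added example (not from the original post), the following shell script parses getsebool-style output like the listing above, reports which httpd Booleans are switched on, and builds the setsebool command for a change. The sample output, the watch list and the helper names are constructed for this example; the -P flag is the real setsebool option that makes a change persist across reboots, which plain setsebool does not.

```shell
#!/bin/sh
# Added example (not from the original post): parse getsebool-style output and
# report which httpd Booleans are switched on. The sample below is constructed
# to match the listing above; it is not live output from this host.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Booleans that widen what httpd may do (a chosen subset, not a policy list).
WATCH_LIST='allow_httpd_anon_write httpd_can_network_connect httpd_can_sendmail httpd_enable_cgi httpd_enable_homedirs'

# bool_state NAME OUTPUT -> prints on, off, or unknown if NAME is absent.
bool_state() {
    _state=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }')
    if [ -z "$_state" ]; then printf 'unknown\n'; else printf '%s\n' "$_state"; fi
}

# enabled_watched OUTPUT -> prints the watched Booleans that are currently on,
# one per line; each of these loosens the default httpd confinement.
enabled_watched() {
    for _b in $WATCH_LIST; do
        [ "$(bool_state "$_b" "$1")" = "on" ] && printf '%s\n' "$_b"
    done
    return 0
}

# setsebool_cmd NAME VALUE -> prints the command to apply, or fails if VALUE is
# not on/off (the only values the post allows). -P makes the change persistent
# across reboots; plain setsebool only alters the running value.
setsebool_cmd() {
    case $2 in
        on|off) printf 'setsebool -P %s %s\n' "$1" "$2" ;;
        *) printf 'invalid value: %s (use on or off)\n' "$2" >&2; return 1 ;;
    esac
}

# On a real host replace the sample with:  getsebool -a | grep http
enabled_watched "$SAMPLE_GETSEBOOL"
setsebool_cmd allow_httpd_anon_write on
```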
Hope you got the SELinux concept cleared by this
time. Keep studying it.
If you like the post, please share and comment, and
if you have any suggestions for me, do comment.