RHEL/CentOS 7: Configuring Booleans in SELinux


SELinux booleans let you adjust the SELinux policy at runtime without writing or recompiling additional policy modules, for example to allow a service to access NFS volumes.

This is how to change SELinux booleans, either temporarily or permanently.

LISTING SELINUX BOOLEANS

For a list of all booleans and an explanation of what they do, execute the following:

~# semanage boolean -l

Let’s get the value of a particular SELinux boolean. You can read a single boolean directly, without piping through additional utilities such as grep or awk. Simply execute the following:

~# getsebool <SELinux boolean>

This shows you whether or not the boolean is set. Here’s an example:

~# getsebool virt_use_nfs
virt_use_nfs --> off
~#

CHANGING SELINUX BOOLEANS

To set a boolean value to a particular one, use the following command:

~# setsebool <SELinux boolean> <on|off>

Here’s an example command:

~# setsebool virt_use_nfs on

This command changes the value of the boolean, but the change does not survive a reboot. To make it persistent, add the -P option to the command line, as follows:

~# setsebool -P virt_use_nfs on

If you only want a bare list of all SELinux booleans and their current values, without the descriptions, getsebool -a is an alternative, as follows:

~# getsebool -a

Managing SELinux booleans can be rather complex, as there are a lot of booleans and their names are not always simple to remember. For this reason, the setsebool, getsebool, and semanage tools come with tab completion. So, whenever you type a boolean name, you can use the tab key to complete it or display the possible options.

Here’s an example of an AVC denial report found in the audit.log file that can be solved by enabling a boolean:

type=AVC msg=audit(1438884483.053:48): avc:  denied  { open } for  pid=1270 comm="httpd" path="/nfs/www/html/index.html" dev="0:38" ino=2717909250 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

This is an example of a service (httpd in this case) accessing a file located on an NFS share (target type nfs_t), which SELinux denies by default.

This can be allowed by setting the httpd_use_nfs boolean to "on".
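As an added example (not part of the original post), here is a small POSIX shell script that parses an AVC record like the one above into source type, target type, object class and requested permission, and maps the httpd_t/nfs_t pair documented here to the httpd_use_nfs boolean. The sample record is the one quoted above; the function names and the lookup table are this example's own, and it only calls getsebool when that tool is actually installed.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted above, stored as one line.
SAMPLE_AVC='type=AVC msg=audit(1438884483.053:48): avc:  denied  { open } for  pid=1270 comm="httpd" path="/nfs/www/html/index.html" dev="0:38" ino=2717909250 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of a key=value field (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT: the SELinux type is the third colon-separated field
# of user:role:type:level, e.g. system_u:system_r:httpd_t:s0 -> httpd_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permissions listed inside the braces, e.g. "open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_summary RECORD: print "source_type target_type tclass perms".
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$(avc_perms "$1")"
}

# suggest_boolean SRC_TYPE TGT_TYPE: hypothetical lookup table mapping a
# domain/type pair to the boolean that permits it. Only the pair covered by
# this page is listed; returns 1 when the pair is unknown.
suggest_boolean() {
    case "$1:$2" in
        httpd_t:nfs_t) echo httpd_use_nfs ;;
        *) return 1 ;;
    esac
}

# Demonstration: summarise the sample and report the candidate boolean.
set -- $(avc_summary "$SAMPLE_AVC")
printf 'denial: %s -> %s (class %s, perms: %s)\n' "$1" "$2" "$3" "$4"
if b=$(suggest_boolean "$1" "$2"); then
    printf 'candidate boolean: %s\n' "$b"
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$b"        # shows the current value on an SELinux host
    else
        echo "getsebool not installed here; check the value on the RHEL host"
    fi
fi
```

Confirm the boolean's current value with getsebool before enabling it persistently with setsebool -P, since a boolean widens what the confined domain may touch.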
