Understanding SELinux Booleans

A given SELinux policy can be customized by enabling or disabling a set of policy Booleans. Booleans allow parts of SELinux policy to be changed at run time, without any knowledge of SELinux policy writing and without reloading or recompiling the policy. Most Booleans relax a restriction (for example, allowing a confined daemon to reach the network or NFS), so turning one on widens what that domain may do; treat each change as a deliberate policy decision and keep it as narrow as the application needs.

You can display the list of Booleans, with their current state, default state, and a one-line description, from the command line by using the following command:

# semanage boolean -l
SELinux boolean                State  Default Description

privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
....

In the sample listing, the xen_use_nfs Boolean is off, which prevents Xen from using NFS. The two values in parentheses are the current state and the default compiled into the policy, so a Boolean that shows (on, off) has been changed from its default.

getsebool and setsebool Utilities

Displaying Booleans

You can also use the getsebool command to list Booleans. This command displays statuses but no descriptions. To display all Booleans and their statuses:

# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
....

Include the Boolean name as an argument to display the status of a specific Boolean. Multiple Boolean arguments are also allowed:

# getsebool xen_use_nfs allow_ftpd_use_nfs mozilla_read_content
xen_use_nfs --> off
ftpd_use_nfs --> off
mozilla_read_content --> off

Note that getsebool accepted the older name allow_ftpd_use_nfs but reported the Boolean under its current name, ftpd_use_nfs; scripts that match on getsebool output should use the current names.

Setting Booleans

Use the setsebool command to configure Booleans from the command line. The syntax is:

# setsebool [-P] boolean_name on|off

The value may also be given as 1|0 or true|false, and several Booleans can be changed in one call as name=value pairs (for example, setsebool -P ftpd_use_nfs=on ftpd_anon_write=off). Running setsebool requires root privileges.

For example, the following sequence of commands displays the current status of a Boolean, then enables it so that Xen can use NFS, and then displays the status again:

# getsebool xen_use_nfs
xen_use_nfs --> off

# setsebool xen_use_nfs on

# getsebool xen_use_nfs
xen_use_nfs --> on

A change made this way takes effect immediately but lasts only until the next reboot or policy reload. To make the change persistent across reboots, use the -P option, which also records the value in the SELinux policy store under /etc/selinux/:

# setsebool -P xen_use_nfs on
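
The following script, added here as an example and not part of the original article, puts getsebool and setsebool -P together as a drift check: it compares a desired baseline of Boolean values against getsebool -a output and prints the setsebool -P commands needed to bring the host back to the baseline, without executing them. The baseline, the sample getsebool output and the function names (current_state, check_boolean_drift, drift_count) are constructed for this example; on a real host replace SAMPLE_GETSEBOOL with the live output of getsebool -a.

```bash
#!/bin/bash
# Added example: compare SELinux Booleans against a desired baseline and emit
# the setsebool -P commands that would fix any drift. Baseline, sample output
# and function names are assumptions for this example, not from the article.
set -u

# Desired state (constructed baseline): one "name on|off" per line.
BASELINE='ftpd_anon_write off
httpd_can_network_connect off
xen_use_nfs on
abrt_anon_write off'

# Constructed sample of "getsebool -a" output. On a real host use:
#   SAMPLE_GETSEBOOL=$(getsebool -a)
SAMPLE_GETSEBOOL='abrt_anon_write --> off
ftpd_anon_write --> on
httpd_can_network_connect --> on
xen_use_nfs --> off'

# current_state NAME: print NAME's value ("on"/"off") from getsebool -a output
# supplied on stdin, or "unknown" if the Boolean is not in the loaded policy.
current_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# check_boolean_drift: read "name desired" lines from stdin, compare each with
# the current value, and print one setsebool -P command per drifted Boolean.
# Nothing is executed; review the output before running it. Returns 1 if any
# Boolean drifted, 0 otherwise, so it can gate a CI or compliance job.
check_boolean_drift() {
    local name want have drifted=0
    while read -r name want; do
        [ -z "$name" ] && continue
        have=$(printf '%s\n' "$SAMPLE_GETSEBOOL" | current_state "$name")
        if [ "$have" = "unknown" ]; then
            printf '# %s: not present in loaded policy, skipping\n' "$name"
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
            drifted=1
        fi
    done
    return "$drifted"
}

# drift_count: number of setsebool commands the baseline currently needs.
drift_count() {
    printf '%s\n' "$BASELINE" | check_boolean_drift | grep -c '^setsebool'
}

if printf '%s\n' "$BASELINE" | check_boolean_drift; then
    echo "# no drift from baseline"
else
    echo "# drift detected: review the commands above before applying them"
fi
```

The check deliberately prints commands instead of running them, because each Boolean it would flip is a policy decision; with the constructed sample it reports three drifted Booleans and leaves abrt_anon_write alone.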

/sys/fs/selinux Directory

You can also view and change the value of Booleans through the selinuxfs mount at /sys/fs/selinux (on older releases such as RHEL 6 it is mounted at /selinux instead). This is the interface setsebool itself uses underneath: changes made here take effect immediately, are never persistent, and need root privileges. The Boolean files are stored in the /sys/fs/selinux/booleans directory:

# ls /sys/fs/selinux/booleans
abrt_anon_write                        mpd_use_cifs
abrt_handle_event                      mpd_use_nfs
abrt_upload_watch_anon_write           mplayer_execstack
antivirus_can_scan_system              mysql_connect_any
...

To view the value of a specific Boolean:

# cat /sys/fs/selinux/booleans/xen_use_nfs
1 1

A value of 1 indicates that the Boolean is on, while 0 indicates off. The first number is the current (active) value. The second number is the pending value, the one that will take effect once pending Booleans are committed; the two differ only while a new value has been written but not yet committed. To turn the ftpd_anon_write Boolean on (this Boolean lets the FTP daemon write to anonymous upload directories, so it is shown here as an example rather than as a recommended setting):

# echo 1 > /sys/fs/selinux/booleans/ftpd_anon_write

View the contents of the file; the current value is still 0 and the pending value is now 1:

# cat /sys/fs/selinux/booleans/ftpd_anon_write
0 1

To commit the new value (this applies every pending Boolean change at once):

# echo 1 > /sys/fs/selinux/commit_pending_bools

The value has now changed, and getsebool agrees:

# cat /sys/fs/selinux/booleans/ftpd_anon_write
1 1

# getsebool ftpd_anon_write
ftpd_anon_write --> on
