How to modify permissions (booleans) of SELinux for daemons (programs)

SELinux offers enhanced security for Linux. It is always recommended not to disable SELinux on servers that are more sensitive; instead, control the permissions of daemons, programs or users through SELinux.

SELinux maintains the status of these permissions for all daemons in attributes called booleans.

Get SELinux booleans

$ getsebool -a

The above command lists many variables, each with status either on or off. To fetch those for a particular process or context, use grep.

To get all booleans regarding httpd (the Apache web server):

$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off


Set SELinux Booleans

To set SELinux booleans we use the command setsebool:

$ setsebool

Usage:  setsebool [ -PV ] boolean value | bool1=val1 bool2=val2...

Here is how you can change a boolean (the -P flag makes the change persistent across reboots):

$ setsebool -P <boolean> <on|off>

For example, if you want to allow httpd to send mail:

setsebool -VP httpd_can_sendmail on

If you want to enable the FTP server on httpd:

setsebool -P httpd_enable_ftp_server on

To allow Apache to connect to an external database:

setsebool -P httpd_can_network_connect_db on

Likewise you can change the status of the booleans you need. To query the modified status, use getsebool with grep again.
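Because every boolean switched on with setsebool -P widens what httpd may do, it is worth checking the live values against an expected baseline from time to time. The script below is an added example, not part of the original post: it parses the "name --> value" output of getsebool -a, reports any boolean that drifted from the baseline, and prints the setsebool -P command that would restore it. The baseline values and the sample getsebool output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit httpd SELinux booleans
# against an assumed baseline and print the setsebool -P fix for each drift.

# Expected state, one "boolean value" pair per line (assumed baseline).
HTTPD_BASELINE='allow_httpd_anon_write off
httpd_can_network_connect off
httpd_can_network_connect_db on
httpd_can_sendmail off
httpd_enable_homedirs off'

# Constructed sample of `getsebool -a` output ("name --> value" format).
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off'

# audit_booleans BASELINE GETSEBOOL_OUTPUT
# Prints one DRIFT/MISSING line per deviation and returns their count (0 = compliant).
audit_booleans() {
    baseline=$1
    current=$2
    deviations=0
    while read -r name expected; do
        # Look the boolean up in the captured getsebool output.
        actual=$(printf '%s\n' "$current" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$actual" ]; then
            printf 'MISSING %s: not present in getsebool output\n' "$name"
            deviations=$((deviations + 1))
        elif [ "$actual" != "$expected" ]; then
            printf 'DRIFT %s is %s, expected %s -> setsebool -P %s %s\n' \
                "$name" "$actual" "$expected" "$name" "$expected"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$baseline
EOF
    return "$deviations"
}

# Audit the live system when getsebool works, otherwise the constructed sample.
input=$(getsebool -a 2>/dev/null || printf '%s' "$SAMPLE_GETSEBOOL")
if audit_booleans "$HTTPD_BASELINE" "$input"; then
    echo "all audited httpd booleans match the baseline"
else
    echo "$? deviation(s) found"
fi
```

Run it from cron or a configuration check and act on the DRIFT lines; against the sample it reports two drifted booleans and one that is missing from the output.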

