SELinux adds a mandatory access control layer on top of the ordinary Linux permissions. On servers that are more sensitive, do not disable SELinux just to get a service working; instead, adjust what SELinux allows that daemon, program or user to do.
Part of that control is a set of on/off switches in the policy called booleans. Each boolean enables or disables an optional group of rules, for example whether the confined httpd domain may open outbound network connections. For every daemon the policy covers, the current state of these switches can be listed and changed without rewriting the policy.
Get SELinux booleans
$ getsebool -a
The command above prints every boolean with its current state, on or off. To narrow the list to a particular daemon or context, filter the output with grep.
To get all booleans related to httpd (the Apache web server):
$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
Set SELinux Booleans
To set SELinux booleans, use the setsebool command. Run without arguments it prints its usage:
$ setsebool
Usage: setsebool [ -PV ] boolean value | bool1=val1 bool2=val2...
The general form is shown below. The -P flag writes the change into the policy store so it survives a reboot; without -P the new value applies to the running kernel only and is lost at the next boot. -V prints verbose output.
$ setsebool -P <boolean> <on|off>
For example, to allow httpd to send mail (needed when a web application calls sendmail):
$ setsebool -VP httpd_can_sendmail on
If you want httpd to also act as an FTP server (listen on the FTP port):
$ setsebool -P httpd_enable_ftp_server on
To allow Apache to connect to an external database:
$ setsebool -P httpd_can_network_connect_db on
This boolean only permits connections to database ports. It is deliberately narrower than httpd_can_network_connect, which lets httpd open any outbound connection, so prefer the database-specific boolean when a database is all the application needs.
Likewise you can change the state of any other boolean. Each boolean you enable widens what the confined domain is allowed to do, so turn on only the most specific boolean that resolves the denial you are seeing. To confirm the new state, query getsebool again and filter with grep as above.
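As an added example (editor's code, not from the original post), the POSIX shell helper below ties together the two halves of the page: it parses `getsebool -a`-style output into name/state pairs, flags enabled booleans that broadly widen the httpd domain, and works out whether a `setsebool -P` is actually needed before one is run. It operates on a constructed sample embedded in the script rather than a live `getsebool` call, the list of "broad" booleans is the editor's own choice, and `plan_setsebool` only prints the command it would run, so the script can be tried on any machine without touching policy.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a | grep httpd` output (not a live query).
# On a real host, feed the helpers "$(getsebool -a | grep httpd)" instead.
SAMPLE_BOOLEANS='allow_httpd_anon_write --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_sendmail --> off
httpd_execmem --> on
httpd_enable_cgi --> on
httpd_unified --> on'

# bool_state NAME BOOLEANS_TEXT
# Prints the boolean's state (on/off); returns 1 if the name is not listed.
bool_state() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# risky_enabled BOOLEANS_TEXT
# Prints, one per line, the enabled booleans that grant httpd broad rights
# (arbitrary outbound connections, executable memory, anonymous writes,
# a single unified httpd content type). The list is an editor's assumption,
# chosen as the switches most worth a second look in an audit.
risky_enabled() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            risky["httpd_can_network_connect"] = 1
            risky["httpd_execmem"] = 1
            risky["allow_httpd_anon_write"] = 1
            risky["httpd_unified"] = 1
        }
        ($1 in risky) && $3 == "on" { print $1 }'
}

# plan_setsebool NAME WANTED BOOLEANS_TEXT
# Prints the persistent setsebool command needed to reach WANTED, or
# "unchanged: ..." if the boolean already has that value. Returns 2 for an
# unknown boolean so a typo is not silently turned into a policy change.
plan_setsebool() {
    current=$(bool_state "$1" "$3") || {
        echo "unknown boolean: $1" >&2
        return 2
    }
    if [ "$current" = "$2" ]; then
        echo "unchanged: $1 already $2"
    else
        echo "setsebool -P $1 $2"
    fi
}

# Example run against the constructed sample.
echo "Broad httpd booleans currently enabled:"
risky_enabled "$SAMPLE_BOOLEANS"
plan_setsebool httpd_can_sendmail on "$SAMPLE_BOOLEANS"
plan_setsebool httpd_enable_cgi on "$SAMPLE_BOOLEANS"
```

To act on the plan rather than print it, pipe `plan_setsebool`'s output through `sh` as root after reviewing it; the `unchanged:` line is a comment-free no-op only because it is never executed, so keep the review step.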