SELinux : Change Boolean Values
2021/03/02
With an SELinux policy provided as an RPM package, such as [targeted], SELinux settings can be changed easily by switching Boolean values.
The example below is on a [targeted] policy environment.
[1] Confirm the current Boolean values as follows.
# show the list and current settings
[root@dlp ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
.....
.....
zabbix_can_network --> off
zabbix_run_sudo --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off

# show with descriptions
[root@dlp ~]# semanage boolean -l
SELinux boolean                State  Default Description
abrt_anon_write                (off , off)    Allow abrt to anon write
abrt_handle_event              (off , off)    Allow abrt to handle event
abrt_upload_watch_anon_write   (on , on)      Allow abrt to upload watch anon write
antivirus_can_scan_system      (off , off)    Allow antivirus to can scan system
antivirus_use_jit              (off , off)    Allow antivirus to use jit
auditadm_exec_content          (on , on)      Allow auditadm to exec content
.....
.....
zabbix_can_network             (off , off)    Allow zabbix to can network
zabbix_run_sudo                (off , off)    Allow zabbix to run sudo
zarafa_setrlimit               (off , off)    Allow zarafa to setrlimit
zebra_write_config             (off , off)    Allow zebra to write config
zoneminder_anon_write          (off , off)    Allow zoneminder to anon write
zoneminder_run_sudo            (off , off)    Allow zoneminder to run sudo

# if the [semanage] command does not exist, install it
[root@dlp ~]# dnf -y install policycoreutils-python-utils
[2] As an example, configure the [samba_enable_home_dirs] Boolean value.
[samba_enable_home_dirs] is set to [off] by default, which means access control by SELinux is enabled.
Even if you configure Samba with a fully accessible share on [/home/share] (777),
the share cannot be accessed: SELinux denies it because the correct SELinux context is not assigned to the folder.
# set off by default
[root@dlp ~]# semanage boolean -l | grep samba_enable_home_dirs
samba_enable_home_dirs         (off , off)    Allow samba to enable home dirs
Access is denied even if the files have read permission and the parent directory has [777] permission.
[3] Change the Boolean value of [samba_enable_home_dirs] to [on] so that the folder can be accessed normally.
# turn [samba_enable_home_dirs] ON
[root@dlp ~]# setsebool -P samba_enable_home_dirs on
[root@dlp ~]# getsebool samba_enable_home_dirs
samba_enable_home_dirs --> on     # changed

# restore the default SELinux contexts for [samba_enable_home_dirs]
[root@dlp ~]# restorecon -R /home/share
That's OK; the folder can now be accessed.
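
The [-P] option in step [3] writes the value to the policy on disk; without it, [setsebool] changes only the running system. The following added example (not part of the original page) parses the [semanage boolean -l] format from step [1] to find Booleans whose running and stored values differ. The function names and the sample listing are constructed, and it assumes State is the running value and Default the stored one.

```shell
#!/bin/sh
# Added example: audit `semanage boolean -l` output for Booleans whose
# running State differs from Default.
# Assumption: State = value active in the kernel, Default = value stored
# in the policy (what a reboot restores).

# Reads a listing on stdin, prints one line per mismatching Boolean.
bool_drift() {
    awk '
    { gsub(/[(),]/, " ") }      # "(on , off)" -> " on   off "; re-splits $0
    ($2 == "on" || $2 == "off") && ($3 == "on" || $3 == "off") && $2 != $3 {
        printf "%s running=%s persistent=%s\n", $1, $2, $3
    }'
}

# Exit status 0 only if Boolean $1 has value $2 both running and stored.
bool_is_persisted() {
    awk -v name="$1" -v want="$2" '
    { gsub(/[(),]/, " ") }
    $1 == name { found = 1; ok = ($2 == want && $3 == want) }
    END { exit ((found && ok) ? 0 : 1) }'
}

# Constructed sample: samba_enable_home_dirs was switched on without -P;
# the other lines follow the listing format shown in step [1].
sample_listing() {
    cat <<'EOF'
SELinux boolean                State  Default Description

abrt_anon_write                (off  ,  off)  Allow abrt to anon write
abrt_upload_watch_anon_write   (on   ,   on)  Allow abrt to upload watch anon write
samba_enable_home_dirs         (on   ,  off)  Allow samba to enable home dirs
zabbix_can_network             (off  ,  off)  Allow zabbix to can network
EOF
}

# On a live host: semanage boolean -l | bool_drift
sample_listing | bool_drift
```

A Boolean reported here reverts to its stored value at the next reboot, so a share that works today may be denied again until [setsebool -P] is run.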