Let’s take a look at controlling SELinux behavior.
Next, let’s check to see what SELinux mode your host is in:
getenforce
Enforcing
Now, we can change the mode that your host is in:
setenforce 0
getenforce
Permissive
And we can change it back:
setenforce 1
getenforce
Enforcing
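The commands above change the runtime mode only; what survives a reboot is the SELINUX= line in /etc/selinux/config. A host left in Permissive after a troubleshooting session is easy to miss, so the following script, added here as an example and not part of the workshop material, compares the two and reports drift. It assumes the standard config file format and a POSIX sh with sed and tr; the function names are the author's own choice.

```shell
#!/bin/sh
# Added example (not from the workshop): detect a runtime SELinux mode that
# differs from the configured one, e.g. a "setenforce 0" never reverted.

# Print the mode configured in an SELinux config file (path given as argument
# so the parser can be tried against a constructed sample file). The value is
# lower-cased so it compares cleanly with getenforce output.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the current runtime mode via getenforce, or "unknown" when the tool
# is not installed (non-SELinux host or minimal image).
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# Compare runtime and configured mode. Exit status: 0 match, 1 drift,
# 2 unrecognised configured value (typo in the config file).
mode_status() {
    runtime=$1
    configured=$2
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo "configured mode '$configured' not recognised"; return 2 ;;
    esac
    if [ "$runtime" = "$configured" ]; then
        echo "ok: runtime and configured mode both $runtime"
        return 0
    fi
    echo "DRIFT: runtime is $runtime but /etc/selinux/config says $configured"
    return 1
}

# Run the check only when invoked as: sh selinux_mode_check.sh --check
case "${1:-}" in
    --check) mode_status "$(runtime_mode)" "$(configured_mode /etc/selinux/config)" ;;
esac
```

The exit status is non-zero on drift, so the script can sit in a cron job or a configuration-management check and raise an alert when a host is running Permissive while configured for Enforcing.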
Booleans are if-then-else rules written in SELinux Policy. They are convenient "easy buttons" for customizing the way that SELinux Policy rules affect a confined domain, and are designed with many real-world use cases in mind; for example, allowing httpd to serve files from users' home directories.
To list all available booleans with a description of their purpose, use the semanage command:
semanage boolean -l
SELinux boolean State Default Description
abrt_anon_write (off , off) Allow ABRT to modify public files used for public file transfer services.
abrt_handle_event (off , off) Determine whether ABRT can run in the abrt_handle_event_t domain to handle ABRT event scripts.
abrt_upload_watch_anon_write (on , on) Determine whether abrt-handle-upload can modify public files used for public file transfer services in /var/spool/abrt-upload/.
antivirus_can_scan_system (off , off) Allow antivirus programs to read non security files on a system
antivirus_use_jit (off , off) Determine whether antivirus programs can use JIT compiler.
...
httpd_enable_homedirs (off , off) Allow httpd to read home directories
httpd_execmem (off , off) Allow httpd scripts and modules execmem/execstack
httpd_graceful_shutdown (off , off) Allow HTTPD to connect to port 80 for graceful shutdown
httpd_manage_ipa (off , off) Allow httpd processes to manage IPA content
httpd_mod_auth_ntlm_winbind (off , off) Allow Apache to use mod_auth_ntlm_winbind
httpd_mod_auth_pam (off , off) Allow Apache to use mod_auth_pam
httpd_read_user_content (off , off) Allow httpd to read user content
...
Take a look at the list of booleans and you’ll see the breadth of options. Don’t worry, you don’t have to master all of these; there are about 350 booleans available in RHEL 8!
An alternative way to list booleans, but without their descriptions, is:
getsebool -a
Each boolean is easily toggled on or off. To temporarily toggle a boolean, you can enter:
setsebool httpd_enable_homedirs on
This setting allows the Apache web server to access user home directories. Used in conjunction with httpd_read_user_content, Apache can serve content from users' home directories.
To turn this off again, change 'on' to 'off':
setsebool httpd_enable_homedirs off
To toggle a boolean but make it persistent, use semanage instead of setsebool:
semanage boolean -m --on httpd_enable_homedirs
But how do you check if any booleans have been changed from their default? There’s an option for that!
semanage boolean -l -C
SELinux boolean State Default Description
cups_execmem (on , on) Allow cups execmem/execstack
virt_sandbox_use_all_caps (on , on) Allow sandbox containers to use all capabilities
virt_use_nfs (on , on) Allow confined virtual guests to manage nfs files
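In the semanage listing the State column is the runtime value and the Default column is the value persisted in the policy store, so a boolean toggled with plain setsebool (as in the temporary example above) shows up as, say, (on , off). The script below, added here as an example and not part of the workshop, parses that listing to report two things: booleans whose runtime state differs from the persisted value, and a small watchlist of booleans from this page that widen httpd's reach and are worth knowing about when they are on. The watchlist contents and the function names are the author's own choice; the script assumes POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not from the workshop): audit "semanage boolean -l" output.

# Booleans on this page that widen httpd's access; assumed watchlist, adjust
# to taste.
WATCHLIST="httpd_enable_homedirs httpd_read_user_content httpd_execmem"

# Read semanage boolean -l output on stdin and print "name state default"
# for every boolean whose runtime State differs from the persisted Default.
# The "(on , off)" pair is located by regex so varying whitespace is fine;
# header lines and "..." lines carry no such pair and are skipped.
changed_booleans() {
    awk '
        match($0, /\([a-z]+[ \t]*,[ \t]*[a-z]+\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "on   ,  off"
            gsub(/[ \t]/, "", pair)                       # "on,off"
            split(pair, p, ",")
            if (p[1] != p[2]) print $1, p[1], p[2]
        }'
}

# Read the same listing on stdin and print watchlist booleans whose runtime
# state is "on".
watched_on() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        ($1 in watch) && match($0, /\([a-z]+[ \t]*,[ \t]*[a-z]+\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[ \t]/, "", pair)
            split(pair, p, ",")
            if (p[1] == "on") print $1
        }'
}

# Run against the live system only when invoked as: sh boolean_audit.sh --check
# (semanage needs root and the policycoreutils python utilities installed).
case "${1:-}" in
    --check)
        out=$(semanage boolean -l)
        echo "== runtime state differs from persisted value =="
        printf '%s\n' "$out" | changed_booleans
        echo "== watched booleans currently on =="
        printf '%s\n' "$out" | watched_on
        ;;
esac
```

The first report complements semanage boolean -l -C: -C shows persistent local customizations, while a runtime-only toggle that will silently vanish at reboot (or that nobody intended to persist) appears only as a State/Default mismatch.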