CentOS Stream 8
Sponsored Link

SELinux : Change Boolean Values
2021/03/02
 
On SELinux Policy provided with RPM package like [targeted], it's possible to change SELinux settings easily to switch Boolean Values.
The example below is on [targeted] Policy environment.
[1] It's possible to confirm Boolean Values like follows.
# show the list and current settings

[root@dlp ~]#
getsebool -a

abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
.....
.....
zabbix_can_network --> off
zabbix_run_sudo --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off

# show with descriptions

[root@dlp ~]#
semanage boolean -l

SELinux boolean                State  Default Description

abrt_anon_write                (off  ,  off)  Allow abrt to anon write
abrt_handle_event              (off  ,  off)  Allow abrt to handle event
abrt_upload_watch_anon_write   (on   ,   on)  Allow abrt to upload watch anon write
antivirus_can_scan_system      (off  ,  off)  Allow antivirus to can scan system
antivirus_use_jit              (off  ,  off)  Allow antivirus to use jit
auditadm_exec_content          (on   ,   on)  Allow auditadm to exec content
.....
.....
zabbix_can_network             (off  ,  off)  Allow zabbix to can network
zabbix_run_sudo                (off  ,  off)  Allow zabbix to run sudo
zarafa_setrlimit               (off  ,  off)  Allow zarafa to setrlimit
zebra_write_config             (off  ,  off)  Allow zebra to write config
zoneminder_anon_write          (off  ,  off)  Allow zoneminder to anon write
zoneminder_run_sudo            (off  ,  off)  Allow zoneminder to run sudo

* if [semanage] command does not exist, install it

[root@dlp ~]#
dnf -y install policycoreutils-python-utils
[2]
For example, Configure [samba_enable_home_dirs] boolean value.
[samba_enable_home_dirs] is set [off] by default, it means access control by SELinux is enabled.
Even if you configured Samba with fully accessed share to [/home/share] (777), it's impossible to access to it because SELinux denies it because correct SELinux Context is not assigned to the Folder.
# set off by default

[root@dlp ~]#
semanage boolean -l | grep samba_enable_home_dirs

samba_enable_home_dirs         (off  ,  off)  Allow samba to enable home dirs
  Accesses are denied like follows even if files have read permission and parent directory has [777] permission.
[3] Change Boolean Value of [samba_enable_home_dirs] to [on] to be able to access to the Folder normally.
# turn to ON [samba_enable_home_dirs]

[root@dlp ~]#
setsebool -P samba_enable_home_dirs on

[root@dlp ~]#
getsebool samba_enable_home_dirs

samba_enable_home_dirs --> on  
# changed
# restore to default SELinux Contexts for [samba_enable_home_dirs]

[root@dlp ~]#
restorecon -R /home/share
  That's OK, it's possible to access to the Folder like follows.
Matched Content