CentOS 6

SELinux : Change Boolean Values
2016/07/26
 
With an SELinux policy shipped as an RPM package, such as "targeted", parts of the policy can be switched on or off simply by changing Boolean values, without writing any policy yourself.
The example below uses the "targeted" policy.
[1] Boolean values can be listed as follows.
# show the list and current settings

[root@dlp ~]# getsebool -a

abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
.....
.....
xguest_use_bluetooth --> on
xserver_object_manager --> off
zabbix_can_network --> off

# show with descriptions

[root@dlp ~]# semanage boolean -l

SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
smartmon_3ware                 (off  ,  off)  Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login               (off  ,  off)  Allow xdm logins as sysadm
.....
.....
cron_can_relabel               (off  ,  off)  Allow system cron jobs to relabel filesystem for restoring file contexts.
git_system_use_cifs            (off  ,  off)  Determine whether Git system daemon can access cifs file systems.

# if the semanage command does not exist, install it as follows

[root@dlp ~]# yum -y install policycoreutils-python
[2]
As an example, configure the "samba_enable_home_dirs" Boolean.
"samba_enable_home_dirs" is "off" by default, which means SELinux access control for sharing home directories via Samba is in effect.
If you configured a fully accessible Samba shared folder as shown here, it still cannot be accessed: SELinux denies the access because the folder does not carry the SELinux context that Samba is allowed to use.
# off by default

[root@dlp ~]# semanage boolean -l | grep samba_enable_home_dirs

samba_enable_home_dirs         (off  ,  off)  Allow samba to share users home directories.

# after setting up the fully accessible shared folder, create some test files

# the SELinux context is inherited from the /home/share directory

[root@dlp ~]# ls -Z /home/share

-rw-rw-r--. cent cent unconfined_u:object_r:home_root_t:s0 test2.txt
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 test.txt
Access is denied as shown below, even though the files are readable and the parent directory has 777 permissions.
[3] Change the Boolean value of "samba_enable_home_dirs" to "on" so that the folder can be accessed normally.
# turn on samba_enable_home_dirs (-P makes the change persistent across reboots)

[root@dlp ~]# setsebool -P samba_enable_home_dirs on

[root@dlp ~]# getsebool samba_enable_home_dirs

samba_enable_home_dirs --> on
# changed
# the files still carry the context (home_root_t) that was assigned while samba_enable_home_dirs was off

[root@dlp ~]# ls -Z /home/share

-rw-rw-r--. cent cent unconfined_u:object_r:home_root_t:s0 test2.txt
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 test.txt

# restore the default SELinux contexts under /home/share

[root@dlp ~]# restorecon -R /home/share
# show the SELinux contexts (changed to user_home_t)

[root@dlp ~]# ls -Z /home/share

-rw-rw-r--. cent cent unconfined_u:object_r:user_home_t:s0 test2.txt
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 test.txt
Everything is now fine, and the folder can be accessed as shown below.
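As an added example (not from the original page), the shell function below audits the listing from step [1] for Booleans whose current State no longer matches the policy Default, which is exactly the footprint a persistent change like the setsebool -P in step [3] leaves behind. The function name drifted_booleans and the SAMPLE listing are my own; the sample is constructed from the output format shown on this page.

```shell
# Added example, not from the original page: report SELinux booleans whose
# current State differs from the policy Default. Parses the "(state , default)"
# column layout that "semanage boolean -l" prints on CentOS 6 (see step [1]).
drifted_booleans() {
    awk '
        # data lines look like: name (state , default) description...
        # so $2 is "(state", $3 is "," and $4 is "default)"
        $2 ~ /^\(/ {
            state = $2; sub(/^\(/, "", state)
            def   = $4; sub(/\)$/, "", def)
            if (state != def) print $1, state, def
        }'
}

# Constructed sample modelled on the page: samba_enable_home_dirs is shown as
# it looks after step [3] (setsebool -P ... on); the other booleans are untouched.
SAMPLE='SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
samba_enable_home_dirs         (on   ,  off)  Allow samba to share users home directories.
xdm_sysadm_login               (off  ,  off)  Allow xdm logins as sysadm
cron_can_relabel               (off  ,  off)  Allow system cron jobs to relabel filesystem for restoring file contexts.'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | drifted_booleans
# prints: samba_enable_home_dirs on off

# On a live CentOS 6 host, feed it the real policy listing instead:
#   semanage boolean -l | drifted_booleans
```

A non-empty result is a cheap baseline check for policy loosening that was applied with setsebool -P and then forgotten.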