SELinux : Change Boolean Values
2016/03/27 |
On SELinux Policy provided with RPM package like "targeted",
it's possible to change SELinux settings easily to switch Boolean Values.
The example below is on "targeted" Policy environment.
|
|
[1] | It's possible to Boolean Values like follows. |
# show the list and current settings [root@dlp ~]# getsebool -a abrt_anon_write --> off abrt_handle_event --> off abrt_upload_watch_anon_write --> on ..... ..... zoneminder_anon_write --> off zoneminder_run_sudo --> off # show with descriptions [root@dlp ~]# semanage boolean -l SELinux boolean State Default Description ftp_home_dir (off , off) Allow ftp to home dir smartmon_3ware (off , off) Allow smartmon to 3ware mpd_enable_homedirs (off , off) Allow mpd to enable homedirs ..... ..... cron_can_relabel (off , off) Allow cron to can relabel sftpd_anon_write (off , off) Allow sftpd to anon write * if semanage command does not exist, install like follows [root@dlp ~]# yum -y install policycoreutils-python
|
[2] |
For example, Configure "samba_enable_home_dirs" boolean value.
"samba_enable_home_dirs" is set "off" by default, it means access control by SELinux is enabled.
If you configured Samba fully accessed shared Folder like here,
it's impossible to access to it because SELinux denys it because correct SELinux Context is not assigned to the Folder.
|
# set off by default [root@dlp ~]# semanage boolean -l | grep samba_enable_home_dirs samba_enable_home_dirs (off , off) Allow samba to enable home dirs # after setting fully accessed shared folder, create some test files # SELinux Context is inherited from /home/share directory [root@dlp ~]# ls -Z /home/share -rw-rw-r--. cent cent unconfined_u:object_r:home_root_t:s0 test2.txt -rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 test.txt |
Accesses are denied like follows even if files have read permission and parent directory has 777 permission. |
[3] | Change Boolean Value of "samba_enable_home_dirs" to "on" to be able to access to the Folder normally. |
# trun on samba_enable_home_dirs [root@dlp ~]# setsebool -P samba_enable_home_dirs on [root@dlp ~]# getsebool samba_enable_home_dirs samba_enable_home_dirs --> on # changed
# current SELinux Contexts are added when samba_enable_home_dirs is off [root@dlp ~]# ls -Z /home/share -rw-rw-r--. cent cent unconfined_u:object_r:home_root_t:s0 test2.txt -rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 test.txt # restore default SELinux Contexts for samba_enable_home_dirs [root@dlp ~]# restorecon -R /home/share
# show SELinux Context (changed to user_home_t) [root@dlp ~]# ls -Z /home/share -rw-rw-r--. cent cent unconfined_u:object_r:user_home_t:s0 test2.txt -rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 test.txt |
It's Ok all, it's possible to access to the Folder like follows. |