Study Notes on Booleans in SELinux

Introduction to Booleans in SELinux

  • Definition of Boolean:

    • A boolean is a configuration switch used within SELinux (Security-Enhanced Linux).

    • It enables or disables specific parts of the SELinux policy, allowing granular control over system functionalities.

  • Commands to View Booleans:

    • To view an overview of all booleans, you can utilize the following commands:

    • sebool -l

    • getsebool -a

    • Both commands provide the same output, displaying a limited list of booleans that relate to specific functionalities.

Working with Booleans

  • Changing Boolean Values:

    • To change the status of a boolean, use the command:

    • setsebool -b [boolean_name] [on/off]

    • This allows you to enable or disable the boolean based on your requirements.

  • Checking Current Boolean Settings:

    • To check if any changes have occurred in relation to the default configuration, utilize:

    • semanage boolean -l -c

Example of Viewing Booleans

  • Total Number of Booleans:

    • Using getsebool -a combined with wc -l shows the number of defined booleans, which is only 326, indicating a limited set of options.

  • Specific Example with HTTP Service:

    • When exploring booleans related to HTTP, you can find booleans that adjust the functionalities of the HTTP server according to needs.

FTP Example with Booleans

  • Exploring FTP Booleans:

    • Switching the focus to FTP services, a relevant boolean is ftpd_anon_write.

    • Definition: This boolean governs the ability for anonymous users to write to the FTP server. Default status is off.

    • Configuration File Reference:

    • To enable this, you may need to edit the configuration file:

      • /etc/vsftpd/vsftpd.conf

      • Change anonymous_enable=NO to anonymous_enable=YES.

  • Directory Requirement for Anonymous Access:

    • Ensure that the directory /var/ftp/pub exists for anonymous access.

    • Verify the directory settings to ensure it is correctly configured to allow public content.

  • Operational Steps for FTP Access:

    • If intending to copy files to /var/ftp/pub, ensure they are accessible through an FTP client.

    • Install necessary FTP client via command:

    • dnf install -y lftp

  • Checking FTP Server Status:

    • To verify if the FTP server is running, execute:

    • systemctl status vsftpd

    • Look for an indication that it is indeed running.

  • Testing Anonymous User Access:

    • As a test, attempt to access the FTP server as an anonymous user with the newfound boolean capability.

    • Utilize the command to enable the boolean:

    • setsebool -b ftpd_anon_write on

    • This will persistently enable write access for anonymous users.

  • Next Steps:

    • Awaiting results to confirm whether the changes successfully allow FTP access for anonymous users.