booleans Command in Linux
SELinux (Security-Enhanced Linux) is a security framework for mandatory access control (MAC) implemented in the Linux kernel to add an extra layer of protection by providing fine-grained access controls for processes, files, and other system resources.
SELinux Booleans are switches that modify the behavior of the SELinux policy. They allow system administrators to fine-tune the policy by enabling or disabling specific rules. Booleans provide a way to make selective adjustments to the policy without reloading it.
The SELinux policy includes conditional rules that can be enabled or disabled based on the values of policy Booleans. These rules determine whether certain actions are allowed or denied.
In addition, each Boolean has a default value (usually false). These defaults define the initial behavior. However, you can override these defaults.
How do Booleans Work?
Each Boolean can be either "on" or "off." When a Boolean is "on," SELinux permits the associated action; when it’s "off," SELinux denies the action.
Table of Contents
Here is a comprehensive guide to the options available with the booleans command −
- SELinux Policy Booleans Options
- Examples of SELinux Policy Booleans in Linux
- Enabling and Disabling SELinux Booleans for Apache on Ubuntu-based Systems
SELinux Policy Booleans Options
The following are options available for SELinux Policy Booleans −
Tag | Description |
---|---|
Local Settings | You can change boolean values via local settings using the setsebool(8) utility. The -P option makes the setting persistent across reboots. |
Graphical Interface | The system-config-selinux tool provides a graphical interface for altering boolean settings. |
Preserving Settings | When reloading the policy with load_policy(8), boolean settings are preserved by default. Alternatively, you can reset them to boot-time defaults using the -b option. |
Listing Booleans | To see available booleans, use getsebool -a. |
Changing Booleans | Use setsebool(8) or togglesebool to change boolean values at runtime. By default, these changes only affect the current session unless you use -P. |
Examples of SELinux Policy Booleans in Linux
In this section, we’ll look at some examples related to SELinux Policy Booleans.
- View Available Booleans
- Modify a Boolean
- Reloading SELinux Policy
- Resetting Booleans to Boot-Time Defaults
- Boolean Variables in Bash
View Available Booleans
To check the available SELinux Booleans, use the following command −
getsebool -a
Because the list is long, you may prefer to page through it −
getsebool -a | less
Modify a Boolean
First, identify the boolean you want to modify (e.g., httpd_enable_cgi).
To enable the boolean (set it to "on"), use the following syntax −
sudo setsebool -P httpd_enable_cgi on
To disable the boolean (set it to "off"), use the following syntax −
sudo setsebool -P httpd_enable_cgi off
The "-P" makes the change persistent across reboots.
Without "-P", the change is temporary and won’t survive a system restart.
Reloading SELinux Policy
When you reload the SELinux policy using load_policy(8), boolean settings are preserved by default. To reload the policy, use the following command −
sudo load_policy
Resetting Booleans to Boot-Time Defaults
To reset booleans to their boot-time defaults, older versions offered the "-b" option of load_policy. However, this option is no longer supported in current versions, because booleans are always preserved across policy reloads.
Boolean Variables in Bash
In Bash, there are no native Boolean data types; however, you can use integers to represent true and false values. Here is how you can declare and use boolean variables in a shell script −
You can assign 0 for false and 1 for true. For instance, open your preferred text editor and create a new file with a.sh extension (e.g., myscript.sh).
Add the relevant lines of code to your script −
#!/bin/bash
failedjob=0      # Represents false
jobcompleted=1   # Represents true

# Integer comparison: the variable holds 0 or 1, so -eq is the right test
if [ "$failedjob" -eq 1 ]; then
    echo "Job failed"
else
    echo "Job completed"
fi
Save the file with the changes.
Next, make the script executable by running the following command in your terminal −
chmod +x myscript.sh
Now, run the following command to execute the script −
./myscript.sh
You’ll see the output based on the values assigned to your variables.
Enabling and Disabling SELinux Booleans for Apache on Ubuntu-based Systems
To view all boolean values for the Apache daemon, pipe the output of the getsebool command into grep, which lists only the httpd-related booleans −
getsebool -a | grep httpd
Common Apache-Related SELinux Booleans
- httpd_can_network_connect − Allows Apache to make network connections.
- httpd_can_network_connect_db − Allows Apache to connect to databases over the network.
- httpd_can_sendmail − Allows Apache to send email.
- httpd_enable_cgi − Allows Apache to execute CGI scripts.
- httpd_enable_homedirs − Allows Apache to read user home directories.
These Booleans govern specific aspects of how Apache interacts with the rest of the system under SELinux; each one you enable widens what the httpd processes are permitted to do, so enable only the ones your deployment needs.
To enable a boolean for Apache, pass either the numerical value 1 or the word "on". To disable a boolean, pass 0 or "off". For instance −
To enable the boolean (allow Apache to read home directories), you can use the following command −
sudo setsebool -P httpd_enable_homedirs 1
or, equivalently,
sudo setsebool -P httpd_enable_homedirs on
To disable the boolean, simply use the following command −
sudo setsebool -P httpd_enable_homedirs 0
or, equivalently,
sudo setsebool -P httpd_enable_homedirs off
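The listing and changing of booleans described in the options table above, and the httpd booleans just listed, come together in a routine administrative check: compare what getsebool reports against the values you expect and print the setsebool -P command that would correct each deviation. The script below is an added example written for this page, not code from the page or from the SELinux project. The expected baseline values in it are assumptions chosen to make the example concrete, not recommended settings, and the sample getsebool output is constructed so that the script runs on a machine without SELinux tooling.

```shell
#!/bin/sh
# Added example, not from the original page: compare the httpd-related SELinux
# booleans on a host with an expected baseline and print the setsebool -P
# command that would correct each deviation. The baseline values below are
# assumptions chosen for the example, not policy advice.

# Constructed sample of `getsebool -a | grep httpd` output, so the script runs
# where getsebool is not installed. Live output is used when getsebool exists.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on'

# Assumed baseline for the example: one "boolean expected_value" pair per line.
BASELINE='httpd_can_network_connect off
httpd_can_network_connect_db on
httpd_can_sendmail off
httpd_enable_cgi off
httpd_enable_homedirs off'

# parse_getsebool: read "name --> value" lines on stdin, print "name value".
parse_getsebool() {
    awk '$2 == "-->" { print $1, $3 }'
}

# current_booleans: "name value" pairs for the httpd booleans, taken from
# getsebool when it is installed and from the constructed sample otherwise.
current_booleans() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a | grep '^httpd'
    else
        printf '%s\n' "$SAMPLE_GETSEBOOL"
    fi | parse_getsebool
}

# boolean_value NAME LIST: the value recorded for NAME in LIST ("name value"
# lines), or "missing" when the boolean is not listed at all (for example when
# the policy module that defines it is not loaded).
boolean_value() {
    printf '%s\n' "$2" |
        awk -v n="$1" '$1 == n { print $2; found = 1 } END { if (!found) print "missing" }'
}

# check_baseline CURRENT BASELINE: print one DRIFT line, with the remediation
# command, per deviation, followed by a "drift=N" summary line.
# A here-document feeds the loop so the counter survives (a pipe would run the
# loop in a subshell in many shells).
check_baseline() {
    _current=$1
    _drift=0
    while read -r name expected; do
        [ -n "$name" ] || continue
        actual=$(boolean_value "$name" "$_current")
        if [ "$actual" != "$expected" ]; then
            printf 'DRIFT: %s is %s, expected %s -> sudo setsebool -P %s %s\n' \
                "$name" "$actual" "$expected" "$name" "$expected"
            _drift=$((_drift + 1))
        fi
    done <<EOF
$2
EOF
    printf 'drift=%s\n' "$_drift"
}

# drift_count CURRENT BASELINE: only the number of deviations, for use in
# monitoring or a CI gate.
drift_count() {
    check_baseline "$1" "$2" | awk -F= '/^drift=/ { print $2 }'
}

check_baseline "$(current_booleans)" "$BASELINE"
```

Run as-is, the script reports four deviations for the constructed sample and prints the corresponding setsebool -P commands; it does not apply them, so the output can be reviewed before anything changes. A missing boolean is reported as "missing" rather than silently treated as off, since a boolean that getsebool does not list usually means the policy module defining it is not loaded, which is a different condition from the boolean being disabled.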
Conclusion
You can now change booleans thoughtfully and understand why you want to override them. While policies exist for good reasons, you have control over them because you’re the expert on your own system.
If you encounter issues related to SELinux, the SELinux Troubleshooter can help you identify and address problems by logging attempted policy violations and providing notifications for AVC denials.