RHCSA - Manage Security: Use Boolean Settings to Modify System SELinux Settings

The setsebool and getsebool commands are used to modify SELinux settings. SELinux booleans are binary settings that control various aspects of SELinux policies, allowing administrators to customize the security behavior of their systems.

setsebool Command

The setsebool command is used to modify SELinux boolean values. It allows you to enable or disable specific booleans based on your system requirements.

When using this command, the -P option makes changes persistent by modifying the SELinux policy. Without this option, changes made with setsebool are temporary for the current runtime and will be lost after a system reboot.

To modify a SELinux boolean value using setsebool, you need to specify the boolean-value you want to modify and set it to either "on" or "off".

getsebool Command

The getsebool command is used to retrieve the current runtime status of SELinux booleans. It allows you to check the current state of a specific boolean or list all the available booleans and their values.

To list all available booleans and their values you use the -a option, or to view a specific boolean you provide the boolean name to the command.

Modify SELinux Settings Exercises

The following exercises will get you viewing and changing boolean settings:

View current boolean settings:

To view all available settings use the -a flag. We will also grep for http just to reduce the output down as there are a lot of boolean settings.

getsebool -a | grep http

The output will be similar to the following which displays the booleans and their current state, either on or off.

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_manage_courier_spool --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_opencryptoki --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

Modify a boolean:

In the previous exercise you can see that CGI scripts can be run as httpd_enable_cgi is set to on.

You want this to be switched off but make the change initially to runtime only whilst performing checks that the setting change does not break anything else:

sudo setsebool httpd_enable_cgi off

The semanage command can be used to see both runtime and permanent status of a boolean, so we will use this to confirm the change was made to runtime:

sudo semanage boolean --list | grep httpd_enable_cgi

The first on/off indicates runtime and the second on/off indicates permanent setting that is applied during boot. In this case the first on/off is displaying correctly as off:

httpd_enable_cgi    (off , on)    Allow httpd to enable cgi

Now make the change to the boolean setting permanent:

sudo setsebool -P httpd_enable_cgi off

Run the semanage command again to confirm the change was made to the permanent configuration:

sudo semanage boolean --list | grep httpd_enable_cgi

The second on/off is now displaying as off which confirms the setting change was made successfully:

httpd_enable_cgi    (off , off)    Allow httpd to enable cgi

Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.