RHCSA - Manage Security: Use Boolean Settings to Modify System SELinux Settings
The setsebool and getsebool commands are used to modify and view SELinux boolean settings. SELinux booleans are binary (on/off) switches that control specific aspects of the SELinux policy, allowing administrators to customise the security behaviour of their systems without editing the policy itself.
setsebool Command
The setsebool command is used to modify SELinux boolean values. It allows you to enable or disable specific booleans according to your system requirements.

When using this command, the -P option makes the change persistent by writing it into the SELinux policy. Without this option, a change made with setsebool applies only to the current runtime and is lost after a system reboot.

To modify a SELinux boolean value using setsebool, you specify the name of the boolean you want to modify and set it to either on or off:

setsebool [-P] boolean_name on|off
getsebool Command
The getsebool command is used to retrieve the current runtime status of SELinux booleans. It allows you to check the current state of a specific boolean, or to list all available booleans and their values.

To list all available booleans and their values, use the -a option; to view a specific boolean, pass the boolean name to the command.
Modify SELinux Settings Exercises
The following exercises will get you viewing and changing boolean settings.

View current boolean settings:

To view all available settings, use the -a flag. We will also grep for http to reduce the output, as there are a lot of boolean settings:

getsebool -a | grep http

The output will be similar to the following, which displays the booleans and their current state, either on or off:
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_manage_courier_spool --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_opencryptoki --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
Modify a boolean:

In the previous exercise you can see that CGI scripts can be run, because httpd_enable_cgi is set to on.

You want this switched off, but make the change to the runtime only at first, while checking that the change does not break anything else:
sudo setsebool httpd_enable_cgi off
The semanage command can show both the runtime and the permanent status of a boolean, so we will use it to confirm the change was made to the runtime:

sudo semanage boolean --list | grep httpd_enable_cgi

The first on/off indicates the runtime value and the second on/off indicates the permanent setting that is applied during boot. In this case the first on/off is correctly displayed as off:
httpd_enable_cgi (off , on) Allow httpd to enable cgi
Now make the change to the boolean setting permanent:

sudo setsebool -P httpd_enable_cgi off

Run the semanage command again to confirm the change was made to the permanent configuration:

sudo semanage boolean --list | grep httpd_enable_cgi

The second on/off is now displayed as off, which confirms the setting change was made successfully:
httpd_enable_cgi (off , off) Allow httpd to enable cgi
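The exercise above checks one boolean by hand. The following added script (not part of the original page) generalises that check: it parses the "name (runtime , persistent) description" rows printed by semanage boolean --list and reports every boolean whose runtime value differs from its boot-time value, which is exactly the state a runtime-only setsebool change leaves behind and the state you want to find before a reboot silently reverts it. A second function reads the "name --> value" rows from getsebool -a. The sample semanage and getsebool lines are constructed for the example (only the httpd_enable_cgi description is taken from the page); the function names drifted_booleans, runtime_state and audit_live are the example's own.

```shell
#!/bin/sh
# Added example: audit SELinux booleans for runtime/persistent drift.
# Pure text processing, so it runs anywhere; audit_live wires it to a real host.

# drifted_booleans: read `semanage boolean --list` output on stdin and print
# "name runtime persistent" for every boolean whose two values differ.
drifted_booleans() {
    awk '
        # Data rows start with the boolean name followed by "(runtime , persistent)".
        # The header row ("SELinux boolean  State  Default  Description") does not match.
        /^[A-Za-z0-9_]+[ \t]+\(/ {
            line = $0
            gsub(/[(),]/, " ", line)          # "(off , on)" -> " off   on "
            n = split(line, f)                # f[1]=name f[2]=runtime f[3]=persistent
            if (n < 3) next
            if (f[2] !~ /^(on|off)$/ || f[3] !~ /^(on|off)$/) next
            if (f[2] != f[3]) print f[1], f[2], f[3]
        }'
}

# runtime_state NAME: read `getsebool -a` output ("name --> on|off") on stdin
# and print the runtime value of NAME; prints nothing if NAME is absent.
runtime_state() {
    awk -v want="$1" '$1 == want && $2 == "-->" { print $3 }'
}

# audit_live: run the drift check against the live policy. semanage comes from
# the policycoreutils-python-utils package and needs root to list booleans.
audit_live() {
    if command -v semanage >/dev/null 2>&1; then
        semanage boolean --list | drifted_booleans
    else
        echo "semanage not found; skipping live audit" >&2
    fi
}

# Constructed sample of `semanage boolean --list` output. httpd_enable_cgi
# mirrors the page's intermediate state (runtime off, persistent on).
SAMPLE_SEMANAGE='SELinux boolean                State  Default Description
httpd_enable_cgi               (off  ,   on)  Allow httpd to enable cgi
httpd_can_network_connect      (off  ,  off)  (description omitted)
httpd_enable_homedirs          (on   ,  off)  (description omitted)'

# Constructed sample of `getsebool -a` output.
SAMPLE_GETSEBOOL='httpd_enable_cgi --> on
httpd_anon_write --> off'

# Demonstration on the constructed samples; prints the two drifted booleans.
printf '%s\n' "$SAMPLE_SEMANAGE" | drifted_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | runtime_state httpd_anon_write
```

Any boolean reported by drifted_booleans is either a runtime-only change awaiting setsebool -P (as in the exercise) or a persistent change that has not yet taken effect, so an empty report is the state to aim for before rebooting a hardened host.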