CentOS 7

SELinux : Change Boolean Values
2016/03/27
 
With an SELinux policy provided by an RPM package, such as "targeted", it is possible to change SELinux behaviour easily by switching Boolean values.
The example below is on a "targeted" policy environment.
[1] It's possible to list the Boolean values as follows.
# show the list and current settings

[[email protected] ~]#
getsebool -a

abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
.....
.....
zoneminder_anon_write --> off
zoneminder_run_sudo --> off

# show with descriptions

[[email protected] ~]#
semanage boolean -l

SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
.....
.....
cron_can_relabel               (off  ,  off)  Allow cron to can relabel
sftpd_anon_write               (off  ,  off)  Allow sftpd to anon write

* if the semanage command does not exist, install it as follows

[[email protected] ~]#
yum -y install policycoreutils-python
[2] For example, configure the "samba_enable_home_dirs" Boolean value.
"samba_enable_home_dirs" is set to "off" by default, which means that SELinux access control for home directories is enforced.
If you configured a fully accessible Samba shared folder as shown here, it's impossible to access it, because SELinux denies the access: the correct SELinux context is not assigned to the folder.
# set to off by default

[[email protected] ~]#
semanage boolean -l | grep samba_enable_home_dirs

samba_enable_home_dirs         (off  ,  off)  Allow samba to enable home dirs

# after setting fully accessed shared folder, create some test files

# SELinux Context is inherited from /home/share directory

[[email protected] ~]#
ls -Z /home/share

-rw-rw-r--. cent cent unconfined_u:object_r:home_root_t:s0 test2.txt
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 test.txt
  Access is denied as follows even if the files have read permission and the parent directory has 777 permissions.
[3] Change the Boolean value of "samba_enable_home_dirs" to "on" to be able to access the folder normally.
# turn on samba_enable_home_dirs

[[email protected] ~]#
setsebool -P samba_enable_home_dirs on

[[email protected] ~]#
getsebool samba_enable_home_dirs

samba_enable_home_dirs --> on
# changed
# the current SELinux contexts were assigned while samba_enable_home_dirs was off

[[email protected] ~]#
ls -Z /home/share

-rw-rw-r--. cent cent unconfined_u:object_r:home_root_t:s0 test2.txt
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 test.txt

# restore default SELinux Contexts for samba_enable_home_dirs

[[email protected] ~]#
restorecon -R /home/share
# show SELinux Context (changed to user_home_t)

[[email protected] ~]#
ls -Z /home/share

-rw-rw-r--. cent cent unconfined_u:object_r:user_home_t:s0 test2.txt
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 test.txt
  Everything is OK; it's possible to access the folder as follows.
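Once a Boolean has been switched with `setsebool -P`, it stays changed across reboots, so it is useful to be able to spot every Boolean that currently differs from its policy default. The following added example (not from the original page) parses the `(State , Default)` columns of `semanage boolean -l` output, as shown in step [1], and reports the drifted Booleans together with the `setsebool -P` commands that would restore them. The sample output embedded below is constructed for the example; on a real host you would pipe `semanage boolean -l` into `boolean_drift` instead.

```shell
#!/bin/sh
# Added example: find SELinux Booleans whose current state differs from the
# policy default, using the column layout of `semanage boolean -l`:
#   name   (current  ,  default)  description
#
# Constructed sample output (not captured from a real system).
SAMPLE_SEMANAGE_OUTPUT='SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
samba_enable_home_dirs         (on   ,  off)  Allow samba to enable home dirs
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
cron_can_relabel               (off  ,  off)  Allow cron to can relabel'

# Read `semanage boolean -l` output on stdin and print one line per Boolean
# whose current state differs from its default: "name current default".
boolean_drift() {
    awk '
        # Data lines have "(" as the start of the second field; the header
        # line and blank lines do not, so they are skipped.
        $2 ~ /^\(/ {
            cur = $2; sub(/^\(/, "", cur)   # "(on"  -> "on"
            def = $4; sub(/\)$/, "", def)   # "off)" -> "off"
            if (cur != def) printf "%s %s %s\n", $1, cur, def
        }'
}

# Print (do not run) the setsebool commands that would return each drifted
# Boolean to its policy default, so an administrator can review them first.
drift_restore_commands() {
    boolean_drift | awk '{ printf "setsebool -P %s %s\n", $1, $3 }'
}

# Stand-alone usage on the constructed sample; on a live host use
#   semanage boolean -l | boolean_drift
printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | boolean_drift
printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | drift_restore_commands
```

The parser keys on the `(` that starts the State column rather than on line position, so the header line and blank lines in the real output are ignored. Review the printed `setsebool -P` lines before running any of them: a Boolean that differs from its default may have been changed deliberately, as "samba_enable_home_dirs" is in step [3].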