Working with SELinux booleans

July 03, 2021

One of the methods of manipulating SELinux policies is by toggling SELinux booleans. With their simple ON/OFF state, they enable or disable parts of the SELinux policy. Policy developers and administrators use SELinux booleans to toggle parts of the policy that not all deployments always need to be active, but some still do.

These booleans are added to the policy based on feedback from, and with the help of, the community at large. By establishing which policy rules are necessary against those that are optional, SELinux developers can provide an SELinux policy that works for a majority of systems, even when the uses of these systems differ.

Listing SELinux booleans

An overview of SELinux booleans can be obtained by using the semanage command with the boolean option. On a regular system, we can easily find over a hundred SELinux booleans, so it is necessary to filter them out for the description of the boolean we need:

# semanage boolean -l | grep policyload
secure_mode_policyload	(off, off)
 Boolean to determine whether the system permits loading
 policy, setting enforcing mode, and changing boolean values.
 Set this to true and you have to reboot to set it back.

The output not only gives us a brief description of the boolean, but also the current value (actually, it gives us the current value and then the value pending a policy change, but this will almost always be the same).

Another method for getting the current value of a boolean is through the getsebool command, as follows:

$ sudo rpm --import http://opensource.wandisco.com/RPM-GPG-Key-WANdisco# getsebool secure_mode_policyload
secure_mode_policyload --> off

If the name of the boolean is not exactly known, we can ask for an overview of all booleans (and their values) and filter for the one we need:

# getsebool -a | grep policy
secure_mode_policyload --> off

Another utility that can be used to view SELinux boolean descriptions is the sepolicy booleans command:

# sepolicy booleans -b secure_mode_policyload
secure_mode_policyload=_("Boolean to ...")

However, this command does not show the current value of the boolean.

Finally, booleans are also represented through the /sys/fs/selinux filesystem:

# cat /sys/fs/selinux/booleans/secure_mode_policyload
0 0

Here, booleans can be read as if they were regular files, and they return two values:

  • The first value is the current state of the boolean, where 0 means OFF and 1 means ON.
  • The second value is the pending state of the boolean.

A pending state allows administrators to change multiple boolean values simultaneously, but only when manipulating booleans through the /sys/fs/selinux filesystem, as we will see next.

Changing boolean values

We can change the value of a boolean using the setsebool command. For instance, to toggle the httpd_can_sendmail SELinux boolean, we can use the following command:

# setsebool httpd_can_sendmail on

Some Linux distributions might also have the togglesebool command available. This command will flip the value of the boolean, so ON becomes OFF, and OFF becomes ON:

# togglesebool httpd_can_sendmail

SELinux booleans have a default state defined by the policy administrator (and thus the default SELinux policy active on the system). Changing the value using setsebool updates the current active access controls, but this does not persist across reboots (if we toggle the boolean, then after rebooting, the old value will be used again).

In order to keep the changes permanently, add the -P option to the setsebool command as follows:

# setsebool -P httpd_can_sendmail off

In the background, the updated SELinux boolean value is included in the policy store. Then, the current policy file is rebuilt and loaded. As a result, the policy file (called policy.## with ## representing an integer value) residing in /etc/selinux/targeted/policy will be regenerated. This regeneration takes time, which is why switching a boolean value persistently (using -P) takes more time to complete than when we change a value without persisting it (using setsebool without -P or togglesebool) to the policy store.

Another way to change and persist the boolean settings is to use the semanage boolean command as follows:

# semanage boolean -m --on httpd_can_sendmail

In this case, we modify (-m) the boolean value and set it to ON (--on).

Booleans can also be changed through their /sys/fs/selinux/booleans representation. When this happens, the boolean value is not immediately activated – the change of the value is pending. This allows administrators to modify multiple booleans through /sys/fs/selinux/booleans first:

# echo 0 > /sys/fs/selinux/booleans/httpd_can_sendmail
# getsebool httpd_can_sendmail
httpd_can_sendmail --> on pending: off

To commit the changes, write the value 1 into /sys/fs/selinux/commit_pending_bools:

# echo 1 > /sys/fs/selinux/commit_pending_bools

As long as you modify booleans through the semanage or setsebool commands though, the changes will immediately be committed. Only operations through the /sys/fs/selinux structure allow pending boolean changes.

Inspecting the impact of a boolean

To discover which policy rules a boolean manipulates, the description usually suffices. Sometimes though, we might want to know which SELinux rules change when we alter a boolean value. With the sesearch application, we can query the SELinux policy, displaying the rules affected by a given boolean. To show this information in detail, we use the -b option (for the boolean) and -A option (to show all allow rules):

# sesearch -b httpd_can_sendmail -A
allow httpd_suexec_t bin_t:dir { getattr open search }; [ httpd_can_sendmail ]:True
...
allow system_mail_t httpd_t:process sigchld; [ httpd_can_sendmail ]:True

When we query the SELinux policy directly, conditional rules can be shown as part of the output:

# sesearch -s system_mail_t -t httpd_t -A
allow domain domain:key { link search };
allow system_mail_t httpd_t:fd use; [ httpd_can_sendmail ]:True
...

When allow rules are suffixed with an SELinux boolean between square brackets followed by :True, then these rules are only applied if the boolean is active. If the boolean is followed by :False, then the rule is applied if the boolean is not active.

Not all situations can be perfectly defined by policy writers though. Sometimes we will need to create our own SELinux policy modules and load those. Let’s see how we can handle SELinux policy modules specifically.

Related Articles

How to add swap space on Ubuntu 21.04 Operating System

How to add swap space on Ubuntu 21.04 Operating System

The swap space is a unique space on the disk that is used by the system when Physical RAM is full. When a Linux machine runout the RAM it use swap space to move inactive pages from RAM. Swap space can be created into Linux system in two ways, one we can create a...

read more

Lorem ipsum dolor sit amet consectetur

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

19 + 7 =