Fedora Linux

8.2.1.1. Configuring SELinux from the command line

SELinux can also be configured very easily from the command line. To enable SELinux, edit the file /etc/selinux/config and set the SELINUX value to enforcing , permissive , or disabled :

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Changes made to this file will take effect when the system is booted. If SELinux is enabled, you can use the getenforce command to view the current mode, and you can use the setenforce command to immediately switch between enforcing and permissive modes:

# getenforce
Enforcing
# setenforce permissive
# getenforce
Permissive
# setenforce enforcing
# getenforce
Enforcing

Boolean valuescorresponding to the checkboxes in the graphical Security Level configuration toolcan be viewed with the getsebool command, using the -a option to see all values:

$ getsebool -a
NetworkManager_disable_trans --> off
allow_cvs_read_shadow --> off
allow_execheap --> off
allow_execmem --> on
...(Lines snipped)...
ypserv_disable_trans --> off
ypxfr_disable_trans --> off
zebra_disable_trans --> off

You can also specify a specific boolean:

$ /usr/sbin/getsebool httpd_enable_cgi
httpd_enable_cgi --> on

To temporarily set a boolean value, use the setsebool command:

# setsebool httpd_enable_cgi 1
# setsebool httpd_enable_homedirs=0

Notice that the on/off state of the boolean is expressed numerically, with 1 representing on and 0 representing off. Also note that the boolean name and value may be specified as two arguments (first example), or they may be specified as a single argument, joined with the = symbol (second example). If you use the second form, you can set multiple booleans with one command:

# setsebool httpd_enable_cgi=1 httpd_enable_homedirs=0

Changes made to boolean values with setsebool take effect immediately but are not permanent; they will reset at the next boot. To make them permanent, add the -P argument:

# setsebool -P httpd_enable_cgi=1

8.2.1.2. Determining which booleans to modify

The default boolean settings for SELinux are reasonable for most systems, but they may need to be changed to relax the security policy for specific applications.

For example, by default, web scripts are not permitted to communicate through the network; this prevents an untrusted script from somehow transferring private data to another host. But if your web scripts need to connect to an IMAP email server or an SQL database such as MySQL or PostgreSQL, you'll need to set the appropriate boolean.

In this case, you can find the boolean in the graphical interface by expanding the HTTPD Service category and looking through the options. Select the checkbox for the boolean labeled 'Allow HTTPD scripts and modules to connect to the network.'

There is also a manpage provided for each of the most popular servers protected by SELinux. These manpages are named service _selinux ; for example, to access a description of the SELinux booleans that affect httpd , view the httpd_selinux manpage:

$ man httpd_selinux

To see a list of all the service-specific manpages for SELinux, enter the command:

$ apropos _selinux

In the BOOLEAN section you will find this text:

httpd scripts by default are not allowed to connect out to the network.
 This would prevent a hacker from breaking into you httpd server
 and attacking other machines. If you need scripts to be able to
 connect you can set the httpd_can_network_connect boolean on.
 setsebool -P httpd_can_network_connect 1