To translate between the descriptions shown in the graphical Security Level Configuration tool (system-config-securitylevel) and the boolean names used by setsebool and getsebool, use the file /usr/share/system-config-securitylevel/selinux.tbl, which looks like this:

unlimitedUtils _('Admin') _('Allow privileged utilities like hotplug and insmod to run unconfined.')

unlimitedRC _('Admin') _('Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.')

unlimitedRPM _('Admin') _('Allow rpm to run unconfined.')

staff_read_sysadm_file _('Admin') _('Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)')

direct_sysadm_daemon _('Admin') _('Allow sysadm_t to directly start daemons')

...(Lines snipped)...

Each line consists of the boolean name accepted by setsebool/getsebool, followed by the configuration category and then the description shown by the Security Level Configuration tool; the last two fields are wrapped in _('...') translation markers, so the literal text inside the quotes is what the tool displays.

Use grep with a service name, a boolean name, or a description copied from the configuration tool to quickly find the matching entries in this file:

$ cd /usr/share/system-config-securitylevel

$ grep httpd selinux.tbl

httpd_enable_cgi _('HTTPD Service') _('Allow HTTPD cgi support')

httpd_can_network_connect _('HTTPD Service') _('Allow HTTPD scripts and modules to connect to the network.')

httpd_enable_homedirs _('HTTPD Service') _('Allow HTTPD to read home directories')

httpd_ssi_exec _('HTTPD Service') _('Allow HTTPD to run SSI executables in the same domain as system CGI scripts.')

httpd_builtin_scripting _('HTTPD Service') _('Allow HTTPD to support built-in scripting')

httpd_disable_trans _('HTTPD Service') _('Disable SELinux protection for httpd daemon')

httpd_suexec_disable_trans _('HTTPD Service') _('Disable SELinux protection for http suexec')

httpd_unified _('HTTPD Service') _('Unify HTTPD handling of all content files.')

httpd_tty_comm _('HTTPD Service') _('Unify HTTPD to communicate with the terminal. Needed for handling certificates.')

$ grep 'Allow ftp to read/write files in the user home directories' selinux.tbl

ftp_home_dir _('FTP') _('Allow ftp to read/write files in the user home directories')

$ grep unlimitedRPM selinux.tbl

unlimitedRPM _('Admin') _('Allow rpm to run unconfined.')
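The same lookup can be scripted rather than typed by hand. The following Python is an added example, not code from the book or from Fedora: it parses a constructed sample written in the selinux.tbl layout (the real file is much longer), supports the name/category/description search that grep gives, builds the matching setsebool command, and flags entries whose description says a domain runs "unconfined" or that SELinux protection is disabled, since those booleans (the unlimited* and *_disable_trans families) lift confinement entirely rather than opening one narrow permission. The function names and the confinement heuristic are my own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the selinux.tbl layout (a hypothetical subset; the real
# file under /usr/share/system-config-securitylevel is much longer).
SAMPLE_TBL = """\
unlimitedRPM _('Admin') _('Allow rpm to run unconfined.')
staff_read_sysadm_file _('Admin') _('Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)')
httpd_enable_cgi _('HTTPD Service') _('Allow HTTPD cgi support')
httpd_can_network_connect _('HTTPD Service') _('Allow HTTPD scripts and modules to connect to the network.')
httpd_disable_trans _('HTTPD Service') _('Disable SELinux protection for httpd daemon')
ftp_home_dir _('FTP') _('Allow ftp to read/write files in the user home directories')
"""


class Entry(NamedTuple):
    name: str         # boolean name accepted by setsebool/getsebool
    category: str     # configuration category shown in the GUI
    description: str  # description shown in the GUI


# <boolean> <ws> _('<category>') <ws> _('<description>')
# The description group is greedy so an apostrophe inside it cannot end the match early.
LINE_RE = re.compile(r"^(\S+)\s+_\('([^']*)'\)\s+_\('(.*)'\)\s*$")


def parse_tbl(text: str) -> List[Entry]:
    """Parse selinux.tbl text into Entry records; reject lines that do not fit the layout."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not in selinux.tbl layout: {raw!r}")
        entries.append(Entry(*m.groups()))
    return entries


def search(entries: List[Entry], needle: str) -> List[Entry]:
    """Case-insensitive substring match over name, category and description, like grep on the file."""
    n = needle.lower()
    return [e for e in entries
            if n in e.name.lower() or n in e.category.lower() or n in e.description.lower()]


def by_name(entries: List[Entry]) -> Dict[str, Entry]:
    """Index entries by boolean name for direct lookup."""
    return {e.name: e for e in entries}


# Heuristic of my own, keyed on the wording the file uses: descriptions that say a
# domain runs "unconfined" or that "Disable SELinux protection" remove confinement
# entirely, unlike booleans that open a single permission such as httpd_enable_cgi.
UNCONFINE_MARKERS = ("unconfined", "disable selinux protection")


def removes_confinement(entry: Entry) -> bool:
    """True when the entry's description indicates the boolean lifts confinement altogether."""
    d = entry.description.lower()
    return any(marker in d for marker in UNCONFINE_MARKERS)


def setsebool_command(entry: Entry, value: bool, persistent: bool = True) -> str:
    """Build the setsebool invocation for an entry; -P makes the change survive a reboot."""
    flag = "-P " if persistent else ""
    return f"setsebool {flag}{entry.name}={'on' if value else 'off'}"


if __name__ == "__main__":
    entries = parse_tbl(SAMPLE_TBL)
    for e in search(entries, "httpd"):
        warn = "  [removes confinement]" if removes_confinement(e) else ""
        print(f"{e.name:28} {e.category:15} {e.description}{warn}")
    print(setsebool_command(by_name(entries)["httpd_can_network_connect"], True))
```

Run it with the real file by replacing SAMPLE_TBL with the contents of /usr/share/system-config-securitylevel/selinux.tbl. The -P flag writes the boolean into the persistent policy store; without it the change affects only the running kernel and is lost at reboot. Treat any entry the script flags as removing confinement as a different class of change from the narrow httpd_* and ftp_* booleans, because it leaves the daemon effectively unprotected by SELinux.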

Table 8-1 contains some of the most commonly altered SELinux booleans.

Table 8-1. Commonly altered SELinux booleans

Boolean name              | Description in system-config-securitylevel                                      | Reason for altering                                                                                      | Default value
--------------------------|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|--------------
allow_ptrace              | Allow sysadm_t to debug or ptrace applications.                                 | Permit root to use tools such as gdb for debugging.                                                      | Off
allow_execmod             | Allow the use of shared libraries with Text Relocation.                         | Required to use the Adobe Flash browser plug-in and Sun Java.                                            | Off
allow_ftp_anon_write      |                                                                                 | Permits the FTP server to write to files labeled with type public_content_rw_t, described in Table 8-2.  | Off
httpd_can_network_connect | Allow httpd scripts and modules to connect to the network.                      | Enables web scripts to connect to databases and mail servers.                                            | Off
httpd_enable_homedirs     | Allow httpd to read home directories.                                           | Enables the use of ~/public_html for personal web pages.                                                 | Off
httpd_tty_comm            | Unify httpd to communicate with the terminal. Needed for handling certificates. | Enables the use of certificates with passphrases (requires the passphrase to be entered on the terminal). | Off