Use SELinux boolean settings to modify system behavior

10. Manage Security

📘 Red Hat Certified System Administrator (RHCSA – EX200)


1. What is an SELinux Boolean?

  • SELinux controls access to files, processes, ports, etc., based on security policies.
  • A Boolean in SELinux is a switch that can turn a specific policy on or off without editing the whole policy.
  • This lets you modify system behavior dynamically to allow or restrict certain operations safely.

Think of it as a configurable setting in SELinux. For example: allow a web server to connect to the network or allow users to run certain scripts.


2. Why SELinux Booleans are Important in IT

In an IT environment:

  • You have a web server running httpd.
  • By default, SELinux may block the web server from accessing user home directories or connecting to the network.
  • Instead of disabling SELinux entirely (which is unsafe), you can flip a Boolean to allow that specific behavior.
  • This keeps the system secure while letting services work properly.

3. Listing SELinux Booleans

You need to know the commands to see what Booleans exist and their current state.

  1. List all Booleans (current values):
getsebool -a
  • -a shows all Booleans.
  • You will see output like:
allow_ftpd_full_access --> off
httpd_enable_homedirs --> off

Here:

  • allow_ftpd_full_access controls FTP server access to system files.
  • httpd_enable_homedirs controls if Apache (httpd) can access user home directories.
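
The listing above can also be checked against an approved baseline, so that a Boolean left on by mistake stands out. This is an added example, not part of the original guide: the function name audit_booleans, the BASELINE_ON list and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `getsebool -a` output against an approved baseline.
# audit_booleans, BASELINE_ON and SAMPLE are hypothetical names; the sample
# lines are constructed, in the "name --> state" format getsebool prints.

# Booleans this host is expected to have switched on (assumed baseline).
BASELINE_ON="httpd_enable_homedirs"

# Constructed sample standing in for real `getsebool -a` output.
SAMPLE='allow_ftpd_full_access --> on
httpd_can_network_connect --> off
httpd_enable_homedirs --> off
this line is malformed'

# Reads "name --> on|off" lines on stdin; $1 is a space-separated list of
# Booleans approved to be on. Prints one finding per line and returns 1
# if any Boolean deviates from the baseline, 0 otherwise.
audit_booleans() {
    awk -v approved="$1" '
        BEGIN { bad = 0; n = split(approved, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # Skip anything that is not exactly "name --> on" or "name --> off".
        NF != 3 || $2 != "-->" || ($3 != "on" && $3 != "off") { next }
        { seen[$1] = 1 }
        $3 == "on"  && !($1 in want) { print "UNEXPECTED_ON " $1; bad = 1 }
        $3 == "off" &&  ($1 in want) { print "EXPECTED_ON_BUT_OFF " $1; bad = 1 }
        END {
            # An approved Boolean that never appeared may be renamed or absent.
            for (b in want) if (!(b in seen)) { print "NOT_FOUND " b; bad = 1 }
            exit bad
        }'
}

# On a real host: getsebool -a | audit_booleans "$BASELINE_ON"
printf '%s\n' "$SAMPLE" | audit_booleans "$BASELINE_ON" || echo "drift detected"
```

Each UNEXPECTED_ON line is a Boolean that grants a service more access than the baseline allows and should be reviewed before it is made permanent.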

4. Checking a Specific Boolean

  • To check one Boolean, use:
getsebool httpd_enable_homedirs

Output:

httpd_enable_homedirs --> off
  • This tells you whether it’s currently enabled (on) or disabled (off).

5. Changing a Boolean Temporarily

  • Temporary change: lasts until next reboot.
  • Use:
setsebool httpd_enable_homedirs on
  • on turns it on.
  • off turns it off.
  • Example: Allow Apache to serve files from user home directories:
setsebool httpd_enable_homedirs on
  • This takes effect immediately but will reset after reboot.

6. Changing a Boolean Permanently

  • Permanent change: survives reboots.
  • Use the -P option:
setsebool -P httpd_enable_homedirs on
  • This writes the change to the SELinux policy configuration.
  • Example: Let FTP have full access:
setsebool -P allow_ftpd_full_access on

7. Common SELinux Booleans for IT Services

Here are some practical examples you need to know for the RHCSA exam:

Boolean | Description | Example Use Case
httpd_enable_homedirs | Allow Apache to read user home directories | Serving files from /home/user/public_html
httpd_can_network_connect | Allow Apache to connect to the network | Connecting to a database on another server
ftp_home_dir | Allow FTP users to access their home directories | Hosting FTP files for users
allow_ftpd_full_access | Give FTP full access to files | Required for some FTP services to function
samba_enable_home_dirs | Allow Samba to access home directories | Sharing user home directories over Samba
nis_enabled | Enable NIS support | Allow NIS users to log in

Tip for the exam: You are expected to list, check, and set Booleans, especially for common services like HTTP (httpd) and FTP.


8. Exam Commands You Must Know

Task | Command
List all Booleans | getsebool -a
Check a specific Boolean | getsebool <boolean_name>
Change Boolean temporarily | setsebool <boolean_name> on/off
Change Boolean permanently | setsebool -P <boolean_name> on/off

9. Practical Example Scenario (IT Environment)

Suppose your company runs a web application on Apache. Users store files in their home directories:

  1. By default, SELinux blocks Apache from accessing /home/user/public_html.
  2. Check the relevant Boolean:
getsebool httpd_enable_homedirs
  3. Current state:
httpd_enable_homedirs --> off
  4. Enable it permanently:
setsebool -P httpd_enable_homedirs on
  5. Apache can now serve files from user directories without disabling SELinux.

This is exactly the type of practical task that RHCSA exams often ask you to perform.


10. Key Tips for the Exam

  • Always know the difference between temporary and permanent Boolean changes.
  • Use getsebool -a to explore all Booleans; you might need to find the right one for an unfamiliar service.
  • Do not disable SELinux entirely; the exam expects you to solve issues using Booleans.
  • Practice for common services: httpd, ftp, samba, nis.

✅ Summary

  1. SELinux Booleans are on/off switches for security policies.
  2. Use getsebool to view, setsebool to change.
  3. Temporary vs Permanent change: use -P for permanent.
  4. Important for services: httpd, ftp, samba.
  5. Solves permission issues without turning off SELinux.