The commands for working with booleans are getsebool and setsebool. Running getsebool -a prints a complete list of every boolean available on the system, each with its current state.
    [fraterneo@rainbow ~]$ getsebool -a
But since that list can be very long, it is best to filter it for what we actually need, for example the booleans related to the NFS service.
    [fraterneo@rainbow ~]$ getsebool -a | grep nfs
    cobbler_use_nfs --> off
    ftpd_use_nfs --> off
    git_cgi_use_nfs --> off
    git_system_use_nfs --> off
    httpd_use_nfs --> off
    ksmtuned_use_nfs --> off
    logrotate_use_nfs --> off
    mpd_use_nfs --> off
    nfs_export_all_ro --> on
    nfs_export_all_rw --> on
    nfsd_anon_write --> off
    openshift_use_nfs --> off
    polipo_use_nfs --> off
    samba_share_nfs --> off
    sanlock_use_nfs --> off
    sge_use_nfs --> off
    use_nfs_home_dirs --> on
    virt_sandbox_use_nfs --> off
    virt_use_nfs --> off
    xen_use_nfs --> off
Or the ones for the Samba service.
    [fraterneo@rainbow ~]$ getsebool -a | grep samba
    samba_create_home_dirs --> off
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_portmapper --> off
    samba_run_unconfined --> off
    samba_share_fusefs --> off
    samba_share_nfs --> off
    sanlock_use_samba --> off
    use_samba_home_dirs --> off
    virt_sandbox_use_samba --> off
    virt_use_samba --> off
Now you can use setsebool to turn a particular boolean on or off. The syntax is: setsebool [boolean] [0|1]. Changing a boolean requires root, and the -P flag used in the example below also writes the new value into the policy store so that it survives a reboot; without -P the change only lasts until the next boot. For example, to tell SELinux to allow Samba to share users' home directories:
    [fraterneo@rainbow ~]$ setsebool -P use_samba_home_dirs 1
    [fraterneo@rainbow ~]$ getsebool use_samba_home_dirs
    use_samba_home_dirs --> on
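Once you know which booleans matter for a host, the natural next step is to keep them at a known state. The script below is an added example, not part of the original post: it parses the "name --> on|off" format that getsebool prints, compares it against a desired baseline, and prints the setsebool -P command for every boolean that has drifted. The getsebool output and the baseline are constructed here so it runs offline; on a real host you would feed it the output of getsebool -a instead.

```shell
#!/bin/sh
# Added example: audit SELinux booleans against a baseline.
# SAMPLE_GETSEBOOL is constructed output in the format getsebool -a prints;
# replace it with "$(getsebool -a)" on a live system.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_enable_homedirs --> on
use_samba_home_dirs --> off
ftpd_full_access --> on
nfs_export_all_rw --> on'

# Desired baseline, "boolean=state" per line (constructed for the example).
# Booleans that widen a service's reach are pinned off; the Samba
# home-directory boolean from the post is pinned on. The last entry is a
# deliberately nonexistent name to show how unknown booleans are handled.
BASELINE='httpd_can_network_connect=off
httpd_enable_homedirs=on
use_samba_home_dirs=on
ftpd_full_access=off
no_such_boolean=on'

# current_state NAME: print on/off for NAME, or "missing" if the policy
# does not define that boolean.
current_state() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# drift_commands: for each baseline entry whose live state differs, print
# the persistent (-P) setsebool command that would correct it. Booleans the
# policy does not know are reported on stderr and skipped, never "fixed".
drift_commands() {
    printf '%s\n' "$BASELINE" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(current_state "$name")
        if [ "$have" = "missing" ]; then
            echo "warning: boolean $name not present in this policy" >&2
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name $want"
        fi
    done
}

drift_commands
```

The printed commands are a review list rather than something to pipe straight into a shell, so an unexpected change stands out before it is made persistent.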
In addition, on systems such as Fedora we can consult a man page covering everything SELinux-related to a particular service; on Fedora these pages ship in the selinux-policy-doc package. For example, man nfsd_selinux gives all the information on how SELinux handles the nfs service, including the booleans that apply to it.
Good explanation of how to understand and manage SELinux. I have a question about when a service is not in the list of booleans: how would that be handled? In my case I have an Asterisk service and I want to allow it UDP traffic in SELinux, and it does not show any similar option.
Hello Felipe.
Thanks for your comment.
If you installed Asterisk from source, you need to create the policies manually. That is a topic we will cover here later on.
You can also consider looking at the Asterisk documentation on the subject.
Regards.