April 11th, 2006

SELinux for Dummies - Booleans

When I first started working with SELinux, SELinux had the concept of "tunables"; these were if-then-else clauses in the policy source code, written in macros. The idea was that if you wanted to change the way policy worked, you could modify a "define" statement in M4 and the policy would work differently. This concept is still used in the reference policy, but mainly for major differences like distributions. So if you look at policy sources you might see things like "ifdef(`redhat'" or "ifdef(`targeted_policy'".

Around the time of Fedora Core 3, we added the concept of booleans. These were if-then-else clauses that were coded directly into the policy, so the administrator could change the way the system worked by just turning a boolean flag on or off.

I believe that most administrators never need to write a line of policy. But we need to add flexibility to the policy, in such a way that an administrator can turn the security level of the policy up or down. Applications run in many different modes, so writing policy that can handle all situations leaves the policy too loose for many administrators. As an example, one administrator runs an FTP server that only allows access to the anonymous account. Another administrator wants to allow his users to ftp to their home directories. So we need a boolean (ftp_home_dir) to turn this functionality on or off.

There are two command line tools used for managing booleans.

setsebool allows you to change the settings of a boolean. You can set multiple booleans at the same time and they will work as a transaction, so if one fails they will all fail. By default, setting a boolean only affects the currently running system; the booleans revert to the default settings on the next boot. You can use the -P flag to make the changes permanent.

getsebool shows you the value of a boolean; the '-a' qualifier is handy for listing all booleans. A favorite trick of mine is to run "getsebool -a | grep http" to see all of the http booleans.

The GUI for managing booleans is system-config-securitylevel. This tool shows the booleans sorted by target, with a sentence describing what each boolean does.

In RHEL4 there are two files on the system: /etc/selinux/targeted/booleans and /etc/selinux/targeted/booleans.local. The first file holds the default settings shipped with the policy package. The .local file holds the customizations that the administrator has made to the system. setsebool -P will update the .local file. In FC5, with modular policy, the booleans file no longer exists; it is built into the policy modules. The booleans.local file is in /etc/selinux/targeted/modules/active/booleans.local. It also gets compiled into the policy file every time the policy gets rebuilt.

In targeted policy there is a group of booleans, *_disable_trans, that disable the transition to a confined domain. This means that when the init process or an unconfined process runs the application, it will stay in the unconfined domain. Just about every targeted domain has this boolean. So if you have a target that just will not work with SELinux in enforcing mode, then you can turn off the confinement of that domain, rather than turning off SELinux altogether or running SELinux in permissive mode. If you have to do this, make sure you report the problems in bugzilla.redhat.com, so we can fix the policy and get you back up and running.
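
An added example, not part of the original post: a small audit over "getsebool -a" output that lists the domains whose *_disable_trans boolean leaves them unconfined, and builds a single "setsebool -P" command (one transaction) to bring drifted booleans back to a baseline. The sample output, the baseline and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the "name --> state" format that getsebool -a prints.
# Some older releases print active/inactive instead of on/off; both are handled.
SAMPLE='ftp_home_dir --> on
httpd_enable_cgi --> on
httpd_disable_trans --> off
named_disable_trans --> on
ftpd_disable_trans --> active'

# Hypothetical baseline chosen for this example: one "name state" pair per line.
BASELINE='ftp_home_dir off
httpd_enable_cgi on
named_disable_trans off'

# stdin: getsebool -a output. Prints each domain whose *_disable_trans
# boolean is set, i.e. a service that stays in the unconfined domain.
unconfined_domains() {
    awk '$2 == "-->" && $1 ~ /_disable_trans$/ && ($3 == "on" || $3 == "active") {
        sub(/_disable_trans$/, "", $1); print $1 }'
}

# $1: boolean name; stdin: getsebool -a output. Prints on or off.
state_of() {
    awk -v n="$1" '$1 == n && $2 == "-->" {
        print (($3 == "on" || $3 == "active") ? "on" : "off") }'
}

# $1: baseline, $2: getsebool -a output. Prints one setsebool command that
# restores every drifted boolean in a single transaction, or nothing.
# A baseline boolean missing from the output is reported as drift.
fix_command() {
    args=$(printf '%s\n' "$1" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$2" | state_of "$name")
        [ "$have" = "$want" ] || printf ' %s=%s' "$name" "$want"
    done)
    [ -z "$args" ] || echo "setsebool -P$args"
}

# On a live system, replace "$SAMPLE" with "$(getsebool -a)".
printf '%s\n' "$SAMPLE" | unconfined_domains
fix_command "$BASELINE" "$SAMPLE"
```

The script only prints the suggested command; review it before running it, since -P makes the change survive a reboot.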