7.4 SEBoolean
So what is an SEBoolean? The name is short for SELinux boolean: a switch built into the SELinux policy that turns a group of optional rules on or off. Booleans let you loosen or tighten what a confined service may do (for example, whether sshd may write into chrooted home directories) without writing or loading policy modules, so they are the first thing to look at when SELinux blocks a service and the first thing to review when auditing how far a server has been opened up.
Several tools list the booleans. The semanage boolean -l command prints each boolean with its current state, its persistent (default) state and a one-line description. The getsebool -a command prints only the name and the current state. Either list can be piped through grep to narrow it down, here to the booleans related to ssh.
[root@rhcsa ~]# semanage boolean -l | grep ssh
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
ssh_keysign (off , off) Allow ssh to keysign
fenced_can_ssh (off , off) Allow fenced to can ssh
selinuxuser_use_ssh_chroot (off , off) Allow selinuxuser to use ssh chroot
ssh_sysadm_login (off , off) Allow ssh to sysadm login
[root@rhcsa ~]# getsebool -a | grep ssh
fenced_can_ssh --> off
selinuxuser_use_ssh_chroot --> off
ssh_chroot_rw_homedirs --> off
ssh_keysign --> off
ssh_sysadm_login --> off
We will not discuss every boolean on this list, because there are simply too many.
To change the value of a boolean, we use the setsebool command.
[root@rhcsa ~]# setsebool ssh_keysign on
[root@rhcsa ~]# semanage boolean -l | grep ssh
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
ssh_keysign (on , off) Allow ssh to keysign
fenced_can_ssh (off , off) Allow fenced to can ssh
selinuxuser_use_ssh_chroot (off , off) Allow selinuxuser to use ssh chroot
ssh_sysadm_login (off , off) Allow ssh to sysadm login
As you can see above, ssh_keysign has turned to on in the first column, but the second column (the value stored in the policy) is still off, so the change does not survive a reboot. To make it persistent we add the -P option, which writes the new value into the policy store as well; this takes noticeably longer than a plain setsebool because the policy is rebuilt.
[root@rhcsa ~]# setsebool -P ssh_keysign on
[root@rhcsa ~]# semanage boolean -l | grep ssh
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
ssh_keysign (on , on) Allow ssh to keysign
fenced_can_ssh (off , off) Allow fenced to can ssh
selinuxuser_use_ssh_chroot (off , off) Allow selinuxuser to use ssh chroot
ssh_sysadm_login (off , off) Allow ssh to sysadm login
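The two state columns above are what you check for drift: a boolean whose current state differs from its persistent state was toggled with a plain setsebool and will revert at the next reboot. The script below is added here as an example and is not part of the original page. It parses semanage boolean -l output (fed on stdin, so on a real host you run semanage boolean -l | boolean_drift), reports every boolean whose two states differ, and prints the setsebool -P command that would reconcile them. The SAMPLE listing embedded in it is constructed to match the page output after setsebool ssh_keysign on; it is not a capture from any host.

```shell
#!/bin/sh
# Added example (not from the original page): find SELinux booleans whose
# running value differs from the persistent value recorded in the policy
# store, i.e. changes made with plain `setsebool` that a reboot will undo.
# Input on stdin is the output of `semanage boolean -l`, or a grep of it.
boolean_drift() {
    awk '
    # semanage prints:  name   (current , persistent)  description
    # With whitespace splitting, $2 is "(on"/"(off" and $4 is "on)"/"off)".
    # The header line and blank lines do not match and are skipped.
    $2 ~ /^\((on|off)$/ && $4 ~ /^(on|off)\)$/ {
        cur = substr($2, 2)
        per = substr($4, 1, length($4) - 1)
        if (cur != per) print $1, cur, per
    }'
}

# For each drifted boolean, print the setsebool -P command that would make
# the current value persistent. Print only; never execute blindly, because
# the drift may be an unwanted runtime change rather than one to keep.
drift_to_commands() {
    boolean_drift | awk '{ printf "setsebool -P %s %s\n", $1, $2 }'
}

# Constructed sample modelled on the page output after `setsebool ssh_keysign on`
# (header included, as semanage prints it; not a real capture from this host).
SAMPLE='SELinux boolean                State  Default Description
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
ssh_keysign                    (on   ,  off)  Allow ssh to keysign
fenced_can_ssh                 (off  ,  off)  Allow fenced to can ssh
selinuxuser_use_ssh_chroot     (off  ,  off)  Allow selinuxuser to use ssh chroot
ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login'

# Run with --demo to see the report for the sample; on a real host use:
#   semanage boolean -l | boolean_drift
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | boolean_drift
    printf '%s\n' "$SAMPLE" | drift_to_commands
fi
```

The report line reads name, current state, persistent state, so "ssh_keysign on off" is exactly the (on , off) row from the listing. Drift in the other direction (off , on) is reported too: that boolean is off now but will come back on after a reboot, which is the case to look for when someone has disabled a permission at runtime and believes it is gone for good.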
That is all on SEBooleans. One caveat before turning one on: every boolean you enable widens what a confined domain may do, so read the description, check the rules it gates with sesearch -A -b <boolean> if you are unsure, and enable only what the service actually needs. The ssh_sysadm_login boolean listed above, for instance, allows sshd to log users straight into the sysadm_r role, which is not something to switch on casually.