16.2. Booleans
SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:
ftpd_anon_write - When disabled, this Boolean prevents vsftpd from writing to files and directories labeled with the public_content_rw_t type. Enable this Boolean to allow users to upload files using FTP. The directory where files are uploaded to must be labeled with the public_content_rw_t type and Linux permissions must be set accordingly.
ftpd_full_access - When this Boolean is enabled, only Linux (DAC) permissions are used to control access, and authenticated users can read and write to files that are not labeled with the public_content_t or public_content_rw_t types.
ftpd_use_cifs - Having this Boolean enabled allows vsftpd to access files and directories labeled with the cifs_t type; therefore, having this Boolean enabled allows you to share file systems mounted using Samba through vsftpd.
ftpd_use_nfs - Having this Boolean enabled allows vsftpd to access files and directories labeled with the nfs_t type; therefore, this Boolean allows you to share file systems mounted using NFS through vsftpd.
ftpd_connect_db - Allow FTP daemons to initiate a connection to a database.
httpd_enable_ftp_server - Allow the httpd daemon to listen on the FTP port and act as an FTP server.
tftp_anon_write - Having this Boolean enabled allows TFTP access to a public directory, such as an area reserved for common files that otherwise has no special access restrictions.
Important
Red Hat Enterprise Linux 7 does not provide the ftp_home_dir Boolean. See the Red Hat Enterprise Linux 7.3 Release Notes document for more information.
Note
Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, enter the following command:
~]$ getsebool -a | grep service_name
Enter the following command to view the description of a particular Boolean:
~]$ sepolicy booleans -b boolean_name
Note that the additional policycoreutils-devel package providing the sepolicy utility is required for this command to work.
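As an added example (not part of Red Hat's documentation), the following shell function filters getsebool -a output down to the Booleans described in this section and reports the ones that are enabled, with the access each one grants. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which FTP-related SELinux Booleans from this section
# are enabled. Input is the "name --> on|off" format printed by `getsebool -a`.

# What an enabled Boolean permits, summarized from the descriptions above.
# Returns 1 for any Boolean that is not listed in this section.
ftp_boolean_note() {
    case "$1" in
        ftpd_anon_write)         echo "vsftpd may write to public_content_rw_t content" ;;
        ftpd_full_access)        echo "only DAC permissions control access for authenticated users" ;;
        ftpd_use_cifs)           echo "vsftpd may access cifs_t (Samba-mounted) content" ;;
        ftpd_use_nfs)            echo "vsftpd may access nfs_t (NFS-mounted) content" ;;
        ftpd_connect_db)         echo "FTP daemons may initiate database connections" ;;
        httpd_enable_ftp_server) echo "httpd may listen on the FTP port" ;;
        tftp_anon_write)         echo "TFTP may access a public directory" ;;
        *)                       return 1 ;;
    esac
}

# Read getsebool-style lines on stdin and print "name: note" for every
# Boolean from this section whose current state is "on".
audit_ftp_booleans() {
    while read -r name arrow state _rest; do
        [ "$arrow" = "-->" ] || continue               # skip malformed lines
        [ "$state" = "on" ] || continue                # only enabled Booleans
        note=$(ftp_boolean_note "$name") || continue   # not listed in this section
        echo "$name: $note"
    done
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE='ftpd_anon_write --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_nfs --> on
httpd_enable_ftp_server --> off
httpd_can_sendmail --> on
tftp_anon_write --> off'

# On a live system: getsebool -a | audit_ftp_booleans
```

With the sample input, the function reports ftpd_full_access and ftpd_use_nfs and ignores httpd_can_sendmail, which is enabled but is not one of the Booleans in this section.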
