16.2. Booleans

SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:
ftpd_anon_write
When disabled, this Boolean prevents vsftpd from writing to files and directories labeled with the public_content_rw_t type. Enable this Boolean to allow users to upload files using FTP. The directory where files are uploaded to must be labeled with the public_content_rw_t type and Linux permissions must be set accordingly.
ftpd_full_access
When this Boolean is enabled, only Linux (DAC) permissions are used to control access, and authenticated users can read and write to files that are not labeled with the public_content_t or public_content_rw_t types.
ftpd_use_cifs
Having this Boolean enabled allows vsftpd to access files and directories labeled with the cifs_t type; therefore, having this Boolean enabled allows you to share file systems mounted using Samba through vsftpd.
ftpd_use_nfs
Having this Boolean enabled allows vsftpd to access files and directories labeled with the nfs_t type; therefore, this Boolean allows you to share file systems mounted using NFS through vsftpd.
ftpd_connect_db
Allow FTP daemons to initiate a connection to a database.
httpd_enable_ftp_server
Allow the httpd daemon to listen on the FTP port and act as a FTP server.
tftp_anon_write
Having this Boolean enabled allows TFTP access to a public directory, such as an area reserved for common files that otherwise has no special access restrictions.

Important

Red Hat Enterprise Linux 7.3 does not provide the ftp_home_dir Boolean. See the Red Hat Enterprise Linux 7.3 Release Notes document for more information.

Note

Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, run the following command:
~]$ getsebool -a | grep service_name
Run the following command to view description of a particular Boolean:
~]$ sepolicy booleans -b boolean_name
Note that the additional policycoreutils-devel package providing the sepolicy utility is required for this command to work.