Introduction
In this challenge, you will practice managing SELinux security policies by modifying boolean settings. SELinux booleans are on/off switches for specific rules, allowing you to customize the security policy without rewriting it. This is a fundamental skill for system administrators and a key topic for the RHCSA certification.
Manage SELinux Boolean Settings
SELinux booleans are switches that allow you to change parts of the SELinux policy at runtime, without needing to reload or recompile the policy. This provides a flexible way to adjust security settings for services like the Apache web server (httpd). In this step, you will inspect and modify an SELinux boolean related to network connections for httpd.
Tasks
- Task 1: List all available SELinux booleans and their current state.
- Task 2: Temporarily enable the httpd_can_network_connect boolean.
- Task 3: Permanently disable the httpd_can_network_connect boolean to revert the change.
Requirements
- All commands must be executed as the labex user. Use sudo where administrative privileges are required.
- Perform all operations in the /home/labex directory.
- Use the getsebool and setsebool commands.
Example
After temporarily enabling the httpd_can_network_connect boolean, the output of getsebool httpd_can_network_connect should be:
httpd_can_network_connect --> on
After permanently disabling it, the output should be:
httpd_can_network_connect --> off
Hints
- Use the -a flag with getsebool to list all booleans.
- The setsebool command takes the boolean name and the state (on or off) as arguments.
- To make a change with setsebool persistent across reboots, use the -P flag.
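The difference between a temporary and a persistent change can be audited after the fact. The script below is an added example, not part of the original challenge: it assumes the semanage tool (not used in the tasks above), whose boolean listing shows the runtime state and the persistent default side by side, and it runs against a constructed sample so it works without an SELinux host. The function name sebool_drift is hypothetical.

```shell
#!/bin/sh
# Added example: report booleans whose runtime state differs from the
# persistent state, using the "(current , default)" columns printed by
# `semanage boolean -l`. A boolean changed with setsebool but without -P
# shows up here, because only its runtime value moved.

# Constructed sample in the `semanage boolean -l` layout (not captured from a real host).
SAMPLE_LISTING='SELinux boolean                State  Default Description

httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_can_sendmail             (off  ,  off)  Allow httpd to can sendmail
httpd_enable_homedirs          (off  ,   on)  Allow httpd to enable homedirs'

# sebool_drift: read a listing on stdin and print
# "name runtime=X persistent=Y" for every boolean where the two disagree.
sebool_drift() {
  awk '
    # Data lines look like: name (state , default) description
    match($0, /\([ \t]*(on|off)[ \t]*,[ \t]*(on|off)[ \t]*\)/) {
      name = $1
      pair = substr($0, RSTART + 1, RLENGTH - 2)   # text between the parentheses
      gsub(/[ \t]/, "", pair)                      # "on,off"
      split(pair, s, ",")
      if (s[1] != s[2])
        printf "%s runtime=%s persistent=%s\n", name, s[1], s[2]
    }
  '
}

# On a live SELinux host: sudo semanage boolean -l | sebool_drift
# Offline demonstration with the constructed sample:
if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | sebool_drift
fi
```

In the sample, httpd_can_network_connect is reported because it was switched on at runtime only, which is the state Task 2 leaves the system in until Task 3 is completed.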
Summary
In this challenge, you have learned how to manage SELinux boolean settings. You practiced using getsebool to view the current state of booleans and setsebool to change them, both temporarily and persistently. This skill is crucial for fine-tuning system security policies in a Red Hat Enterprise Linux environment and is a fundamental component of the RHCSA skill set.



