4.3. Booleans
SELinux grants each confined service the least level of access it needs to run. Because a service such as vsftpd can be deployed in several ways (anonymous upload, home directory access, re-exporting NFS or Samba mounts), you must tell the policy which of those you actually use. Use the following Booleans to set up SELinux for FTP:
allow_ftpd_anon_write
- When disabled (the default), this Boolean prevents vsftpd from writing to files and directories labeled with the public_content_rw_t type. Enable this Boolean to allow users to upload files via FTP. The directory where files are uploaded to must be labeled with the public_content_rw_t type and Linux (DAC) permissions must be set accordingly; the Boolean alone does not grant write access.
allow_ftpd_full_access
- When this Boolean is on, only Linux (DAC) permissions are used to control access, and authenticated users can read and write files that are not labeled with the public_content_t or public_content_rw_t types. This effectively removes the SELinux confinement of vsftpd's file access, so enable it only when none of the more specific Booleans in this list describes your setup.
allow_ftpd_use_cifs
- Having this Boolean enabled allows vsftpd to access files and directories labeled with the cifs_t type; therefore, having this Boolean enabled allows you to share file systems mounted via Samba through vsftpd.
allow_ftpd_use_nfs
- Having this Boolean enabled allows vsftpd to access files and directories labeled with the nfs_t type; therefore, having this Boolean enabled allows you to share file systems mounted via NFS through vsftpd.
ftp_home_dir
- Having this Boolean enabled allows authenticated users to read and write files in their home directories. When this Boolean is off, attempting to download a file from a home directory results in an error such as 550 Failed to open file, and an SELinux denial is logged.
ftpd_connect_db
- Having this Boolean enabled allows FTP daemons to initiate a connection to a database.
httpd_enable_ftp_server
- Having this Boolean enabled allows httpd to listen on the FTP port and act as an FTP server.
tftp_anon_write
- Having this Boolean enabled allows TFTP access to a public directory, such as an area reserved for common files that otherwise has no special access restrictions.
Note
Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, run the following command as root:
~]# semanage boolean -l | grep service_name
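The following script, an added example that is not part of the Red Hat guide, audits the FTP Booleans listed above against the output of getsebool -a. It parses the "name --> on|off" lines that getsebool prints, reports the state of each Boolean from the list with the access it grants, flags the ones that widen access the most when they are on, and emits the setsebool -P commands to switch off any high-impact Boolean that is on but was not declared as intended. The sample output embedded in the block is constructed for the example; the function and variable names are the author's own.

```python
"""Audit vsftpd-related SELinux Booleans from `getsebool -a` output.

Added example, not code from the Red Hat guide. SAMPLE below is constructed
output; on a live host pipe the real thing in:
    getsebool -a | python3 ftp_booleans_audit.py
"""
import re
import sys

# The Booleans discussed in the guide and what enabling each one permits.
FTP_BOOLEANS = {
    "allow_ftpd_anon_write": "vsftpd may write to public_content_rw_t directories (FTP upload)",
    "allow_ftpd_full_access": "SELinux defers to DAC: authenticated users may read/write any file DAC allows",
    "allow_ftpd_use_cifs": "vsftpd may serve Samba mounts (cifs_t)",
    "allow_ftpd_use_nfs": "vsftpd may serve NFS mounts (nfs_t)",
    "ftp_home_dir": "authenticated users may read/write their home directories",
    "ftpd_connect_db": "FTP daemons may initiate connections to a database",
    "httpd_enable_ftp_server": "httpd may listen on the FTP port and act as an FTP server",
    "tftp_anon_write": "tftpd may write to public directories",
}

# Booleans that widen access the most; they are reported as findings when on.
HIGH_IMPACT = {"allow_ftpd_full_access", "allow_ftpd_anon_write", "tftp_anon_write"}

# getsebool -a prints one Boolean per line: "<name> --> on" or "<name> --> off"
LINE_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text):
    """Parse `getsebool -a` output into {boolean_name: True/False}."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state


def audit_ftp_booleans(state):
    """Return (findings, missing).

    findings: (name, is_on, meaning, is_high_impact) for each known Boolean.
    missing:  Booleans from the guide that this policy version does not define.
    """
    findings, missing = [], []
    for name, meaning in FTP_BOOLEANS.items():
        if name not in state:
            missing.append(name)
        else:
            findings.append((name, state[name], meaning, name in HIGH_IMPACT))
    return findings, missing


def enabled_high_impact(state):
    """Sorted names of high-impact Booleans that are currently on."""
    return sorted(n for n in HIGH_IMPACT if state.get(n))


def remediation(state, intended=frozenset()):
    """setsebool -P commands that turn off high-impact Booleans which are on
    but were not declared as intended for this host."""
    return [f"setsebool -P {n} off" for n in sorted(HIGH_IMPACT)
            if state.get(n) and n not in intended]


# Constructed sample: a host set up for anonymous upload where someone also
# turned on allow_ftpd_full_access, which makes the upload restriction moot.
SAMPLE = """\
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
httpd_can_network_connect --> off
"""


def main(text, intended):
    state = parse_getsebool(text)
    findings, missing = audit_ftp_booleans(state)
    for name, on, meaning, high in findings:
        flag = "  !! HIGH IMPACT" if on and high else ""
        print(f"{name:28s} {'on ' if on else 'off'}  {meaning}{flag}")
    for name in missing:
        print(f"{name:28s} n/a  not defined in this policy; check semanage boolean -l")
    for cmd in remediation(state, intended):
        print("remediate:", cmd)


if __name__ == "__main__":
    # Booleans you deliberately enabled go here; anything else high-impact is flagged.
    intended = set(sys.argv[1:])
    main(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE, intended)
```

Run with the Booleans you meant to enable as arguments, for example `getsebool -a | python3 ftp_booleans_audit.py allow_ftpd_anon_write`; the script then proposes turning off only allow_ftpd_full_access. Turning a Boolean off with setsebool -P does not relabel anything: an upload directory still needs its public_content_rw_t label (semanage fcontext and restorecon) and matching DAC permissions, as the allow_ftpd_anon_write entry above says.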