14.3. Booleans

SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:
Having this Boolean enabled allows smbd to write to a public directory, such as an area reserved for common files that otherwise has no special access restrictions.
Having this Boolean enabled allows Samba to create new home directories independently. This is often done by mechanisms such as PAM.
When enabled, this Boolean allows Samba to act as a domain controller, as well as giving it permission to execute related commands such as useradd, groupadd, and passwd.
Enabling this Boolean allows Samba to share users' home directories.
Export any file or directory, allowing read-only permissions. This allows files and directories that are not labeled with the samba_share_t type to be shared through Samba. When the samba_export_all_ro Boolean is enabled, but the samba_export_all_rw Boolean is disabled, write access to Samba shares is denied, even if write access is configured in /etc/samba/smb.conf and Linux permissions allow write access.
Export any file or directory, allowing read and write permissions. This allows files and directories that are not labeled with the samba_share_t type to be exported through Samba. Permissions in /etc/samba/smb.conf and Linux permissions must be configured to allow write access.
Having this Boolean enabled allows Samba to run unconfined scripts in the /var/lib/samba/scripts/ directory.
This Boolean must be enabled for Samba to share fusefs file systems.
Disabling this Boolean prevents smbd from having full access to NFS shares through Samba. Enabling this Boolean will allow Samba to share NFS volumes.
Enable this Boolean to use a remote server for Samba home directories.
Allow virtual machine access to CIFS files.


Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, enter the following command:
~]$ getsebool -a | grep service_name
Enter the following command to view the description of a particular Boolean:
~]$ sepolicy booleans -b boolean_name
Note that the additional policycoreutils-devel package providing the sepolicy utility is required for this command to work.
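The following shell script is an added example, not part of the original documentation. It reads output in the `name --> state` format printed by getsebool -a, lists the enabled Samba-related Booleans, and reports what SELinux permits for content that is not labeled samba_share_t, following the samba_export_all_ro and samba_export_all_rw interaction described above. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).

# Constructed sample in the "name --> state" format printed by getsebool -a.
sample_booleans() {
    cat <<'EOF'
httpd_can_network_connect --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> on
samba_export_all_rw --> off
samba_run_unconfined --> off
EOF
}

# List Samba-related Booleans that are currently enabled, in input order.
samba_enabled_booleans() {
    awk '$2 == "-->" && $3 == "on" && $1 ~ /samba|smbd/ { print $1 }'
}

# Classify what SELinux permits for content NOT labeled samba_share_t.
# smb.conf and Linux file permissions can only restrict this further.
samba_export_mode() {
    awk '
        $2 == "-->" && $1 == "samba_export_all_ro" { ro = $3 }
        $2 == "-->" && $1 == "samba_export_all_rw" { rw = $3 }
        END {
            if (ro == "" || rw == "") print "unknown"       # Boolean missing from input
            else if (rw == "on")      print "read-write"    # any file may be read and written
            else if (ro == "on")      print "read-only"     # writes denied by SELinux
            else                      print "labeled-only"  # only samba_share_t content
        }'
}

echo "Enabled Samba Booleans:"
sample_booleans | samba_enabled_booleans
echo "Unlabeled content export mode: $(sample_booleans | samba_export_mode)"
# On a live host: getsebool -a | samba_export_mode
```

A result of read-write means SELinux no longer limits Samba to labeled share content, so the remaining controls are /etc/samba/smb.conf and Linux permissions.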