Securing Linux with SELinux: Managing Booleans and Policies

By Noman Mohammad

Got Linux? Then You’ve Got SELinux—Let’s Make It Work

Quick story: Last month I restarted a client’s web box after a minor update. Site went blank. Four engineers spent two hours sweating. Turned out one Boolean—httpd_can_network_connect_db—had flipped back to off. Re-enabled it, site revived, and I suddenly had four very tired friends wishing SELinux didn’t feel like black magic.

If that sounds familiar, you’re not alone. So let’s talk about the tiny switches (Booleans) and the custom rules (policies) that decide who can talk to what on your Linux box. We’ll do it in plain English, not lawyer-speak.

Your First Two Commands

  1. Is SELinux even on?
    sestatus
  2. Check what Booleans exist:
    getsebool -a

If the list scrolls forever, narrow it:

getsebool -a | grep httpd  # just Apache stuff

You’ll see lines like:
httpd_can_sendmail --> off

That **off** means Apache is blocked from emailing. Flip it to on when needed, but always try the temporary (current-boot-only) change first:

# Try for the current boot only
setsebool httpd_can_sendmail on

Site still works? Good. Make it permanent:

setsebool -P httpd_can_sendmail on

Booleans You Meet Every Day

  • httpd_can_network_connect – lets Apache act as a client (PostgreSQL, Redis, APIs).
  • samba_export_all_rw – gives Samba full read-write rights to any directory labeled with the Samba type.
  • ftpd_full_access – plain-text FTP can reach any file. If you truly need FTP rather than SFTP, turn this on with a note to your future self.
  • virt_use_nfs – KVM/QEMU can read VMs stored on NFS. Keeps live migrations smooth.

Creating Your First Custom Policy (The 5-Minute Guide)

  1. Trigger the denial. Try the thing that failed before.
  2. Find the complaint:
    ausearch -m avc -ts recent -i
  3. Let audit2allow build a module:
    ausearch -m avc -ts recent | audit2allow -M myfix
  4. Invest the 20 seconds to open myfix.te and make sure nothing looks like *“allow everything everywhere”*.
  5. Compile and load:
    semodule -i myfix.pp

That’s it. If you mess up, semodule -r myfix rolls it back.

Debugging Hacks That Save Hours

1. Human-readable denials:
less /var/log/audit/audit.log | grep AVC hurts your brain. Use:

sealert -a /var/log/audit/audit.log

It returns one-line fixes like “setsebool -P httpd_can_network_connect on”. Copy-paste, smile.

2. Reset contexts on an entire directory:

restorecon -Rv /var/www/myapp

Labels lost after a backup restore? This command puts them back in place.

A Personal Three-Day Plan You Can Actually Follow

Day 1: Run sestatus and getsebool -a. Write down the Booleans your main services will need. Unlimited ping-pong, but maybe limit pizza.

Day 2: In a test VM, turn target Booleans on temporarily, hit test pages, check logs. Make permanent only what survived.

Day 3: Any remaining denials? Create custom modules, push changes to production by Friday afternoon. Your future weekend self will thank you.
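One way to catch the kind of Boolean drift from the opening story before it takes a site down, as an added example that is not part of the original post: a small shell function that compares the Booleans you wrote down on Day 1 against the output of getsebool -a and reports any mismatch. The manifest values below are constructed samples; edit them for your own services.

```shell
#!/bin/bash
# Added example (not from the original post): detect SELinux Boolean drift.
# Compares a manifest of required Booleans with `getsebool -a` output
# (lines look like "httpd_can_sendmail --> off") and reports every mismatch.

# Manifest: one "boolean expected_state" per line. Constructed sample values.
WANTED_BOOLEANS='httpd_can_network_connect on
httpd_can_network_connect_db on
httpd_can_sendmail off'

# Usage: boolean_drift "<getsebool -a output>" "<manifest>"
# Prints "name: expected X, actual Y" for each Boolean that differs or is
# missing; returns 1 if any drift was found, 0 if everything matches.
boolean_drift() {
    local actual="$1" manifest="$2" drift=0 name want have
    while read -r name want; do
        [ -z "$name" ] && continue
        # Pull the current state for this Boolean out of the getsebool listing.
        have=$(printf '%s\n' "$actual" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            printf '%s: expected %s, actual missing\n' "$name" "$want"
            drift=1
        elif [ "$have" != "$want" ]; then
            printf '%s: expected %s, actual %s\n' "$name" "$want" "$have"
            drift=1
        fi
    done <<EOF
$manifest
EOF
    return "$drift"
}

# Check the live system when getsebool is available (skipped on boxes without SELinux tools).
if command -v getsebool >/dev/null 2>&1; then
    boolean_drift "$(getsebool -a)" "$WANTED_BOOLEANS" \
        || echo "Drift found: fix with 'setsebool -P <name> <state>' and re-run"
fi
```

Drop it in cron next to the Monday backup from the checklist and you get a nudge the moment a Boolean quietly flips back.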

One More Real-World Example

Client’s Nextcloud couldn’t upload. Audit complained:

type=AVC msg=audit(...): denied { name_connect } for pid=1234 comm="httpd" dest=6379 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_port_t:s0

Translation: Web server can’t reach Redis. setsebool -P httpd_can_network_connect on fixed the upload in under a minute.

Bonus Checklist for the Paranoid

  • Schedule semodule -l > /root/selinux-backup.txt every Monday.
  • Run semanage export > selinux-policies.backup before major OS upgrades.
  • Add restorecon /var/www/index.html to your deployment scripts; future FTP mishaps become harmless.

SELinux isn’t the villain. It’s just a meticulous neighbor who starts yelling when you mow his lawn by mistake. Ask politely—tweak the right Boolean, write a small policy, and your lawn stays green while your files stay safe.

Start small, test always, break nothing. You’ve got this.