Using SELinux on an ICE-Linux CMS

6 SELinux and Shell Scripting
In the reference policy shipped with RHEL 5, there are over one hundred built-in policy Boolean
variables that can be switched on and off without the need to modify the policy itself or to install a
module. This is especially useful when policy needs to be temporarily changed to allow a specific
action, such as within a shell script or during an HP SIM task. SELinux policy Booleans are
manipulated with the setsebool command. For example, the following command enables the
execution of CGI scripts by httpd:
# setsebool -P httpd_enable_cgi=1
The -P option makes the change persistent across reboots; without it, the new value applies only
until the next reboot. To view the current setting of an SELinux Boolean
variable, use the getsebool command:
# getsebool httpd_enable_cgi
For a complete list of available SELinux Boolean variables, run the same command with the -a
option:
# getsebool -a
The selinuxenabled command provides an easy way to determine if SELinux is enabled or
disabled: it returns 0 if it is enabled and 1 if it is disabled.
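The following shell functions show one way to change a Boolean only for the duration of a single command in a script and then restore its earlier value. This is an added example, not code from the original document; the names sebool_state, with_sebool and deploy_cgi.sh are hypothetical, and the parsing assumes getsebool prints lines of the form "name --> on" or "name --> off".

```sh
#!/bin/sh
# Added example: run one command with an SELinux Boolean temporarily
# changed, then restore the value it had before.

# Print "on" or "off" for Boolean $1.
# Assumption: getsebool prints "name --> on" or "name --> off".
sebool_state() {
    out=$(getsebool "$1") || return 1
    case "${out##* }" in
        on|off) printf '%s\n' "${out##* }" ;;
        *)      return 1 ;;
    esac
}

# with_sebool NAME on|off COMMAND [ARGS...]   (hypothetical helper name)
# Returns COMMAND's exit status, or 2 if the Boolean could not be handled.
with_sebool() {
    name=$1 want=$2 changed=no rc=0
    shift 2
    # selinuxenabled exits 0 when SELinux is enabled, 1 when disabled;
    # when it is disabled there is nothing to toggle.
    if selinuxenabled; then
        prev=$(sebool_state "$name") || {
            echo "with_sebool: cannot read Boolean $name" >&2
            return 2
        }
        if [ "$prev" != "$want" ]; then
            # No -P: the change must not be retained after a reboot.
            setsebool "$name" "$want" || return 2
            changed=yes
            # Put the saved value back if the script is interrupted.
            trap 'setsebool "$name" "$prev"' INT TERM HUP
        fi
    fi
    "$@" || rc=$?
    if [ "$changed" = yes ]; then
        trap - INT TERM HUP
        setsebool "$name" "$prev" || {
            echo "with_sebool: $name left set to $want" >&2
            return 2
        }
    fi
    return "$rc"
}

# Usage as root (deploy_cgi.sh is a hypothetical script):
#   with_sebool httpd_enable_cgi on ./deploy_cgi.sh
```

Because the Boolean is restored whether or not the command succeeds, a failed task does not leave the policy in its relaxed state.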
Most services shipped with RHEL 5 have Boolean variables that enable or disable the auditing of
actions taken by the service; more information can be found in the SELinux man pages. Service-specific
policy Boolean variables are described in man pages named service_selinux.
For example, httpd policy Boolean variables are documented in the httpd_selinux(8) man page.