Product SiteDocumentation Site

15.3. Booleans

SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:
ftpd_anon_write
When disabled, this Boolean prevents vsftpd from writing to files and directories labeled with the public_content_rw_t type. Enable this Boolean to allow users to upload files using FTP. The directory where files are uploaded to must be labeled with the public_content_rw_t type and Linux permissions must be set accordingly.
ftpd_full_access
When this Boolean is enabled, only Linux (DAC) permissions are used to control access, and authenticated users can read and write to files that are not labeled with the public_content_t or public_content_rw_t types.
ftpd_use_cifs
Having this Boolean enabled allows vsftpd to access files and directories labeled with the cifs_t type; therefore, having this Boolean enabled allows you to share file systems mounted via Samba through vsftpd.
ftpd_use_nfs
Having this Boolean enabled allows vsftpd to access files and directories labeled with the nfs_t type; therefore, this Boolean allows you to share file systems mounted using NFS through vsftpd.
ftp_home_dir
Having this Boolean enabled allows authenticated users to read and write to files in their home directories. When this Boolean is disabled, attempting to download a file from a home directory results in an error such as 550 Failed to open file. An SELinux denial message is logged.
ftpd_connect_db
Allow FTP daemons to initiate a connection to a database.
httpd_enable_ftp_server
Allow the httpd daemon to listen on the FTP port and act as a FTP server.
tftp_anon_write
Having this Boolean enabled allows TFTP access to a public directory, such as an area reserved for common files that otherwise has no special access restrictions.

Note

Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, run the following command:
~]$ getsebool -a | grep service_name
Run the following command to view description of a particular Boolean:
~]$ sepolicy booleans -b boolean_name
Note that the additional policycoreutils-devel package providing the sepolicy utility is required.