Project 4: SELinux Boolean Manager with Web Dashboard
A web-based dashboard that displays all SELinux booleans with descriptions, current states, and allows toggling them with audit logging and rollback capability.
Quick Reference
| Attribute | Value |
|---|---|
| Primary Language | Python (Flask/FastAPI) |
| Alternative Languages | Go, Rust, Node.js |
| Difficulty | Level 2: Intermediate |
| Time Estimate | 1-2 weeks |
| Knowledge Area | SELinux Booleans / Web Development |
| Tooling | getsebool, setsebool, semanage |
| Prerequisites | Basic Python web development, Projects 1-2 recommended |
What You Will Build
A web dashboard that lists every SELinux boolean on the host with its description, its current state and its policy default, and the last recorded change. An operator can toggle a boolean from the page (persistently, via `setsebool -P`, or for the running session only), every change is written to an audit log with who changed it, when, and from which value, and any change can be rolled back from that history. A JSON API exposes the same data for scripting.
Why It Matters
Booleans are the supported way to adjust a shipped SELinux policy at runtime without writing a policy module, so they are the first knob an administrator reaches for when an application is denied. Each one deliberately widens what a confined domain may do (the `container_use_devices` warning in the mockup below is the clearest case), which makes a toggling tool a privileged, security-relevant component: it must show the policy default next to the current state, validate what it passes to `setsebool`, record who changed what and when, and make every change easy to undo. Those are the same requirements any change-management tool for a privileged system has to meet.
Core Challenges
- Enumerating all booleans with descriptions → maps to understanding policy flexibility
- Parsing semanage boolean output → maps to the boolean subsystem
- Implementing safe toggle with audit trail → maps to accountability in security
- Grouping booleans by function → maps to understanding policy domains
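As an added example (not code from the original project), here is the enumeration half of the challenges above in Python: a parser for `semanage boolean -l` and `getsebool -a` output, a prefix grouper for the category view, and a function that shapes one boolean into the JSON record the API mockup returns. The sample command output embedded below is constructed to match the column layout those two tools print on Fedora/RHEL (`name (current , default) description` and `name --> state`); the descriptions are taken from the mockup, not from the real policy, and `to_api_record` is this example's own helper.

```python
import re
from collections import defaultdict

# Constructed sample of `semanage boolean -l` output: a header line, a blank line,
# then one boolean per line as "name (current , default) description".
# Not captured from a real host; descriptions copied from the dashboard mockup.
SEMANAGE_SAMPLE = """\
SELinux boolean                State  Default Description

httpd_can_network_connect      (on   ,  off)  Allow HTTPD scripts and modules to connect to the network
httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD to connect to database ports
httpd_enable_cgi               (on   ,   on)  Allow HTTPD to execute CGI scripts
container_use_devices          (off  ,  off)  Allow containers to use host devices
"""

# Constructed sample of `getsebool -a` output, which reports only the current state.
GETSEBOOL_SAMPLE = """\
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
container_use_devices --> off
"""

SEMANAGE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)\s+\(\s*(?P<cur>on|off)\s*,\s*(?P<dflt>on|off)\s*\)\s*(?P<desc>.*)$"
)
GETSEBOOL_RE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s+-->\s+(?P<state>on|off)$")


def parse_semanage(text):
    """Return {name: {"current": bool, "default": bool, "description": str}}.
    Header and blank lines are skipped; any other line that does not match is an error,
    so a changed output format fails loudly instead of silently dropping booleans."""
    booleans = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("SELinux boolean"):
            continue
        m = SEMANAGE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable semanage line: {line!r}")
        booleans[m["name"]] = {
            "current": m["cur"] == "on",
            "default": m["dflt"] == "on",
            "description": m["desc"].strip(),
        }
    return booleans


def parse_getsebool(text):
    """Return {name: bool} from `getsebool -a` output (used to cross-check semanage)."""
    states = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = GETSEBOOL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable getsebool line: {line!r}")
        states[m["name"]] = m["state"] == "on"
    return states


def group_by_prefix(booleans):
    """Group names by the domain prefix before the first underscore (httpd_*, container_*)."""
    groups = defaultdict(list)
    for name in sorted(booleans):
        groups[name.split("_", 1)[0]].append(name)
    return dict(groups)


def to_api_record(name, booleans):
    """Shape one boolean like the dashboard's /api/booleans/<name> response (example helper)."""
    b = booleans[name]
    return {"name": name, "current": b["current"], "default": b["default"],
            "description": b["description"]}


if __name__ == "__main__":
    bools = parse_semanage(SEMANAGE_SAMPLE)
    # The two tools must agree on current state; a mismatch means a stale cache or a parse bug.
    assert {n: b["current"] for n, b in bools.items()} == parse_getsebool(GETSEBOOL_SAMPLE)
    for group, names in group_by_prefix(bools).items():
        print(group, names)
    print(to_api_record("httpd_can_network_connect", bools))
```

On a real host the strings come from `subprocess.run(["semanage", "boolean", "-l"], capture_output=True, text=True)`; keep the parser separate from the command runner so it can be tested against captured output without root.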
Key Concepts
- SELinux Booleans: SELinux Cookbook Ch. 4 - Sven Vermeulen
- Runtime Policy Modification: SELinux System Administration Ch. 5
- Boolean Impact Analysis: RHEL SELinux Guide, Booleans section
Real-World Outcome
┌─────────────────────────────────────────────────────────────┐
│ SELinux Boolean Manager          [Search: ______] [Refresh] │
├─────────────────────────────────────────────────────────────┤
│ Category: httpd_* (Web Server)                     [Expand] │
├─────────────────────────────────────────────────────────────┤
│ ☑ httpd_can_network_connect                           [ON ] │
│   Allow HTTPD scripts to make network connections           │
│   Changed: 2024-01-15 by admin | [Rollback] [History]       │
│                                                             │
│ ☐ httpd_can_network_connect_db                        [OFF] │
│   Allow HTTPD to connect to database ports                  │
│   Default: off | Last changed: Never                        │
│                                                             │
│ ☑ httpd_enable_cgi                                    [ON ] │
│   Allow HTTPD to execute CGI scripts                        │
│   Changed: 2024-01-10 by admin | [Rollback] [History]       │
├─────────────────────────────────────────────────────────────┤
│ Category: container_* (Podman/Docker)              [Expand] │
├─────────────────────────────────────────────────────────────┤
│ ☐ container_use_devices                               [OFF] │
│   Allow containers to use host devices                      │
│   ⚠ Security Warning: Reduces container isolation           │
└─────────────────────────────────────────────────────────────┘
$ curl localhost:5000/api/booleans/httpd_can_network_connect
{
"name": "httpd_can_network_connect",
"current": true,
"default": false,
"description": "Allow HTTPD scripts and modules to connect to the network",
"last_changed": "2024-01-15T10:30:00Z",
"changed_by": "admin"
}
Implementation Guide
- Enumerate booleans with `semanage boolean -l` (name, current state, policy default, description) and cross-check current state against `getsebool -a`; parse the output into a structured list and keep the parser separate from the command runner so it can be tested against captured output.
- Serve the list as JSON (`/api/booleans`, `/api/booleans/<name>`) and render the grouped, searchable dashboard on top of the same data.
- Implement toggling through `setsebool` (`-P` to persist across reboots) behind a POST endpoint that requires an authenticated user. Accept only names that appeared in the enumeration, pass them to `setsebool` as an argv list (never as a shell string), and run the privileged call through a narrowly scoped helper rather than running the whole web app as root.
- Append an audit record (timestamp, user, boolean, previous value, new value, reason) for every change before reporting success, and implement rollback as a new, audited change back to the previous value.
- Add instrumentation/logging for `setsebool` failures and non-root runs, then refactor into modules (enumeration, executor, audit, web) with tests.
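An added example, not the project's own code, of the toggle, audit and rollback steps above: the executor calls `setsebool -P` with an argv list (never a shell string), the manager accepts only names from the enumerated allow-list, each change is appended as a JSON line carrying the previous value, and rollback is implemented as another audited change. `BooleanManager`, the audit record fields and the `demo()` harness with its fake executor are this example's own design; running `run_setsebool` for real requires root on an SELinux host.

```python
import json
import re
import subprocess
import tempfile
import time
from pathlib import Path

BOOL_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def run_setsebool(name, value, persistent=True):
    """Real executor: argv list, no shell, so the name is never interpreted by a shell
    even if validation were bypassed. Needs root (or a privileged helper) to succeed."""
    argv = ["setsebool"] + (["-P"] if persistent else []) + [name, "on" if value else "off"]
    subprocess.run(argv, check=True)


class BooleanManager:
    def __init__(self, known, audit_path, executor=run_setsebool):
        self.known = dict(known)            # name -> current state, from the enumeration step
        self.audit_path = Path(audit_path)  # append-only JSON-lines audit log
        self.executor = executor

    def _validate(self, name):
        # Allow-list check against the enumerated booleans, not just a character filter:
        # a caller cannot target a boolean the dashboard never listed.
        if not BOOL_NAME_RE.match(name) or name not in self.known:
            raise ValueError(f"unknown SELinux boolean: {name!r}")

    def _append_audit(self, record):
        with self.audit_path.open("a") as f:
            f.write(json.dumps(record) + "\n")

    def set(self, name, value, actor, reason):
        """Change a boolean; returns False when it already had that value (no-op, not audited)."""
        self._validate(name)
        previous = self.known[name]
        if previous == value:
            return False
        self.executor(name, value)   # only after the executor succeeds do we record the change
        self.known[name] = value
        self._append_audit({"ts": time.time(), "actor": actor, "name": name,
                            "from": previous, "to": value, "reason": reason})
        return True

    def history(self, name):
        self._validate(name)
        if not self.audit_path.exists():
            return []
        records = [json.loads(l) for l in self.audit_path.read_text().splitlines() if l]
        return [r for r in records if r["name"] == name]

    def rollback(self, name, actor):
        """Undo the most recent recorded change to `name`; the undo is itself audited."""
        hist = self.history(name)
        if not hist:
            raise LookupError(f"no recorded changes for {name}")
        last = hist[-1]
        return self.set(name, last["from"], actor, f"rollback of change at {last['ts']}")


def demo():
    """Exercise the manager with a fake executor and a temporary audit log (runs without root)."""
    calls = []
    with tempfile.TemporaryDirectory() as d:
        mgr = BooleanManager({"httpd_can_network_connect": False, "httpd_enable_cgi": True},
                             Path(d) / "audit.jsonl",
                             executor=lambda n, v: calls.append((n, v)))
        mgr.set("httpd_can_network_connect", True, actor="admin", reason="app needs outbound HTTP")
        mgr.rollback("httpd_can_network_connect", actor="admin")
        noop = mgr.set("httpd_can_network_connect", False, actor="admin", reason="already off")
        rejected = 0
        for bad in ("httpd_can_network_connect; rm -rf /", "httpd_not_a_real_boolean"):
            try:
                mgr.set(bad, True, actor="attacker", reason="")
            except ValueError:
                rejected += 1
        return {"calls": calls, "state": mgr.known["httpd_can_network_connect"],
                "history": mgr.history("httpd_can_network_connect"),
                "noop": noop, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order inside `set` matters: the audit line is written only after `setsebool` returns successfully, so a failed toggle does not leave a record claiming a change that never happened, and the no-op short-circuit keeps repeated clicks from padding the history. A real deployment would also want the executor to run with only the privilege needed for `setsebool` (a small setuid-free helper invoked over a local socket, or a sudoers rule limited to that command) instead of the whole web process running as root.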
Milestones
- Milestone 1: Read-only dashboard and `/api/booleans` that list every boolean with current state, policy default and description, parsed from `semanage boolean -l`.
- Milestone 2: Toggling from the UI works and the new value is visible to `getsebool`; `-P` changes survive a reboot.
- Milestone 3: Audit log and rollback work; unknown names, non-root execution and `setsebool` failures produce clear errors and never leave the audit log claiming a change that did not happen.
- Milestone 4: Grouped and searchable view, per-boolean history, documented setup (including how the privileged helper is run), and tests against captured command output.
Validation Checklist
- Output matches the real-world outcome example (the API returns `name`, `current`, `default`, `description`, `last_changed`, `changed_by`)
- Rejects names that were not enumerated from the policy and passes accepted names to `setsebool` as arguments, never through a shell
- Every toggle writes an audit record before success is reported, and rollback restores the previous value as a new audited change
- Provides clear errors and exit codes (unknown boolean, not root, `setsebool` failure)
- Repeatable results across runs: enumerating an unchanged system twice yields identical output
References
- Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
- “SELinux System Administration” by Sven Vermeulen