Managing SELinux Policy with Booleans (setsebool)

SELinux Booleans

SELinux booleans are switches that change the behavior of the SELinux policy. Each boolean is a rule set that can be enabled or disabled, which lets security administrators tune the policy with selective adjustments instead of writing custom policy modules. The SELinux man pages, provided with the selinux-policy-doc package, describe the purpose of the available booleans. The man -k '_selinux' command lists these man pages.

Commands useful for managing SELinux booleans include getsebool, which lists booleans and their current state, and setsebool, which modifies booleans. setsebool -P also writes the change into the SELinux policy store so that it persists across reboots. semanage boolean -l reports both the current and the persistent state of each boolean, along with a short description.

Non-privileged users can run the getsebool command, but you must be a superuser to run semanage boolean -l and setsebool, with or without -P.

[user@host ~]$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
...output omitted...
[user@host ~]$ getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
[user@host ~]$ setsebool httpd_enable_homedirs on
Could not change active booleans. Please try as root: Permission denied
[user@host ~]$ sudo setsebool httpd_enable_homedirs on
[user@host ~]$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
[user@host ~]$ getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

The -P option writes all pending values to the policy, making them persistent across reboots. In the example that follows, note the values in parentheses: the first is the current (runtime) state and the second is the persistent default, and both are now set to on.

[user@host ~]$ sudo setsebool -P httpd_enable_homedirs on
[user@host ~]$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,   on)  Allow httpd to enable homedirs

To list only the booleans whose current state differs from the persistent default state, run semanage boolean -l -C. A boolean that appears in this list was changed at runtime without -P and will revert to its default at the next reboot, so this output is a quick way to audit changes that have not yet been made persistent.

[user@host ~]$ sudo semanage boolean -l -C
SELinux boolean                State  Default Description
cron_can_relabel               (off   ,   on)  Allow cron to can relabel
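The drift check that semanage boolean -l -C performs can also be reproduced from the plain semanage boolean -l listing, which is useful when the output is collected from many hosts and reviewed centrally. The script below is an added example and is not part of the original page or of the SELinux tooling; it embeds a constructed sample of semanage boolean -l output so it runs without SELinux present, and the function name drifted_booleans is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of `semanage boolean -l` output (not captured from a
# real host). The two columns in parentheses are: current state, default.
SAMPLE_SEMANAGE='SELinux boolean                State  Default Description
abrt_anon_write                (off  ,  off)  Allow ABRT to modify public files used for public file transfer services.
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
cron_can_relabel               (off  ,   on)  Allow cron to can relabel
antivirus_use_jit              (off  ,  off)  Allow antivirus to use JIT compiler (hypothetical description)'

# Read `semanage boolean -l` formatted text on stdin and print one line
# "name current default" for every boolean whose current state differs
# from its persistent default, i.e. the same set `semanage boolean -l -C`
# reports. Booleans whose two columns agree are left out.
drifted_booleans() {
    awk '
        NF == 0                 { next }   # skip blank lines
        /^SELinux boolean/      { next }   # skip the column header
        {
            name = $1
            states = $0
            sub(/^[^(]*\(/, "", states)    # drop name and the opening "("
            sub(/\).*$/, "", states)       # drop ")" and the description
            gsub(/[ ,]+/, " ", states)     # "on   ,  off" -> "on off"
            split(states, st, " ")
            current = st[1]; deflt = st[2]
            if (current != deflt) print name, current, deflt
        }'
}

# Count the drifted booleans; a non-zero result means runtime changes
# exist that were not made persistent with setsebool -P.
drift_count() {
    drifted_booleans | grep -c .
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SEMANAGE" | drifted_booleans
```

On a real host the same function is fed with live data: `sudo semanage boolean -l | drifted_booleans`. The awk program anchors on the first opening parenthesis after the boolean name, so descriptions that themselves contain parentheses do not confuse it.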