Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.6. Booleans

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.

4.6.1. Listing Booleans

For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as the Linux root user. The following example does not list all Booleans and the output is shortened for brevity:
~]# semanage boolean -l
SELinux boolean                State  Default Description


smartmon_3ware                 (off  ,  off)  Determine whether smartmon can...
mpd_enable_homedirs            (off  ,  off)  Determine whether mpd can traverse...

Note

To have more detailed descriptions, install the selinux-policy-devel package.
The SELinux boolean column lists Boolean names. The Description column lists whether the Booleans are on or off, and what they do.
The getsebool -a command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
~]$ getsebool -a
cvs_read_shadow --> off
daemons_dump_core --> on
Run the getsebool boolean-name command to only list the status of the boolean-name Boolean:
~]$ getsebool cvs_read_shadow
cvs_read_shadow --> off
Use a space-separated list to list multiple Booleans:
~]$ getsebool cvs_read_shadow daemons_dump_core
cvs_read_shadow --> off
daemons_dump_core --> on

4.6.2. Configuring Booleans

Run the setsebool utility in the setsebool boolean_name on/off form to enable or disable Booleans.
The following example demonstrates configuring the httpd_can_network_connect_db Boolean:

Procedure 4.5. Configuring Booleans

  1. By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
    ~]$ getsebool httpd_can_network_connect_db
    httpd_can_network_connect_db --> off
    
  2. To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, enter the following command as root:
    ~]# setsebool httpd_can_network_connect_db on
  3. Use the getsebool utility to verify the Boolean has been enabled:
    ~]$ getsebool httpd_can_network_connect_db
    httpd_can_network_connect_db --> on
    
    This allows Apache HTTP Server scripts and modules to connect to database servers.
  4. This change is not persistent across reboots. To make changes persistent across reboots, run the setsebool -P boolean-name on command as root:[3]
    ~]# setsebool -P httpd_can_network_connect_db on

4.6.3. Shell Auto-Completion

It is possible to use shell auto-completion with the getsebool, setsebool, and semanage utilities. Use the auto-completion with getsebool and setsebool to complete both command-line parameters and Booleans. To list only the command-line parameters, add the hyphen character ("-") after the command name and hit the Tab key:
~]# setsebool -[Tab]
-P
To complete a Boolean, start writing the Boolean name and then hit Tab:
~]$ getsebool samba_[Tab]
samba_create_home_dirs   samba_export_all_ro      samba_run_unconfined
samba_domain_controller  samba_export_all_rw      samba_share_fusefs
samba_enable_home_dirs   samba_portmapper         samba_share_nfs
~]# setsebool -P virt_use_[Tab]
virt_use_comm     virt_use_nfs      virt_use_sanlock
virt_use_execmem  virt_use_rawip    virt_use_usb
virt_use_fusefs   virt_use_samba    virt_use_xserver
The semanage utility is used with several command-line arguments that are completed one by one. The first argument of a semanage command is an option, which specifies what part of SELinux policy is managed:
~]# semanage [Tab]
boolean     export      import      login       node        port
dontaudit   fcontext    interface   module      permissive  user
Then, one or more command-line parameters follow:
~]# semanage fcontext -[Tab]
-a           -D           --equal      --help       -m           -o
--add        --delete     -f           -l           --modify     -S
-C           --deleteall  --ftype      --list       -n           -t
-d           -e           -h           --locallist  --noheading  --type
Finally, complete the name of a particular SELinux entry, such as a Boolean, SELinux user, domain, or another. Start typing the entry and hit Tab:
~]# semanage fcontext -a -t samba<tab>
samba_etc_t                     samba_secrets_t
sambagui_exec_t                 samba_share_t
samba_initrc_exec_t             samba_unconfined_script_exec_t
samba_log_t                     samba_unit_file_t
samba_net_exec_t
Command-line parameters can be chained in a command:
~]# semanage port -a -t http_port_t -p tcp 81


[3] To temporarily revert to the default behavior, as the Linux root user, run the setsebool httpd_can_network_connect_db off command. For changes that persist across reboots, run the setsebool -P httpd_can_network_connect_db off command.