4.6. Booleans
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.
4.6.1. Listing Booleans
For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as the Linux root user. The following example does not list all Booleans and the output is shortened for brevity:
~]# semanage boolean -l
SELinux boolean                State  Default Description
smartmon_3ware                 (off  ,  off)  Determine whether smartmon can...
mpd_enable_homedirs            (off  ,  off)  Determine whether mpd can traverse...
Note
To have more detailed descriptions, install the selinux-policy-devel package.
The SELinux boolean column lists Boolean names. The Description column lists whether the Booleans are on or off, and what they do.
The getsebool -a command lists Booleans, whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
~]$ getsebool -a
cvs_read_shadow --> off
daemons_dump_core --> on
Run the getsebool boolean-name command to only list the status of the boolean-name Boolean:
~]$ getsebool cvs_read_shadow
cvs_read_shadow --> off
Use a space-separated list to list multiple Booleans:
~]$ getsebool cvs_read_shadow daemons_dump_core
cvs_read_shadow --> off
daemons_dump_core --> on
4.6.2. Configuring Booleans
Run the setsebool utility in the setsebool boolean_name on/off form to enable or disable Booleans. The following example demonstrates configuring the httpd_can_network_connect_db Boolean:
Procedure 4.5. Configuring Booleans
- By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers:
~]$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
- To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, enter the following command as root:
~]# setsebool httpd_can_network_connect_db on
- Use the getsebool utility to verify the Boolean has been enabled:
~]$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
This allows Apache HTTP Server scripts and modules to connect to database servers.
- This change is not persistent across reboots. To make changes persistent across reboots, run the setsebool -P boolean-name on command as root:[3]
~]# setsebool -P httpd_can_network_connect_db on
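As an added example (not part of the original guide), the following shell script parses semanage boolean -l output and reports Booleans whose running State differs from their persistent Default, which is exactly what a setsebool change made without -P leaves behind until the next reboot. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Booleans changed at runtime but not persisted.
# Parses the "semanage boolean -l" row format shown above:
#   name   (state , default)   description

# Reads "semanage boolean -l" output on stdin and prints one line per
# Boolean whose State differs from Default:
#   <name> state=<state> default=<default>
find_nonpersistent_booleans() {
    awk '
        # Only data rows carry a "(state , default)" pair; the header does not.
        match($0, /\([ \t]*(on|off)[ \t]*,[ \t]*(on|off)[ \t]*\)/) {
            name = $1
            pair = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "on   ,  off"
            gsub(/[ \t]/, "", pair)                       # -> "on,off"
            split(pair, f, ",")
            if (f[1] != f[2])
                printf "%s state=%s default=%s\n", name, f[1], f[2]
        }
    '
}

# Constructed sample listing (not captured from a real host) so the script
# runs offline. On a live system use:
#   semanage boolean -l | find_nonpersistent_booleans
SAMPLE='SELinux boolean                State  Default Description
smartmon_3ware                 (off  ,  off)  Determine whether smartmon can...
httpd_can_network_connect_db   (on   ,  off)  Allow httpd to connect to databases
daemons_dump_core              (on   ,   on)  Allow all daemons to write core files'

# Running the script directly reports only httpd_can_network_connect_db.
printf '%s\n' "$SAMPLE" | find_nonpersistent_booleans
```

A non-empty report means someone ran setsebool without -P (or the persistent value was changed after a runtime toggle); decide per Boolean whether to persist it with setsebool -P or revert it.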
4.6.3. Shell Auto-Completion
It is possible to use shell auto-completion with the getsebool, setsebool, and semanage utilities. Use the auto-completion with getsebool and setsebool to complete both command-line parameters and Booleans. To list only the command-line parameters, add the hyphen character ("-") after the command name and hit the Tab key:
~]# setsebool -[Tab]
-P
To complete a Boolean, start writing the Boolean name and then hit Tab:
~]$ getsebool samba_[Tab]
samba_create_home_dirs samba_export_all_ro samba_run_unconfined
samba_domain_controller samba_export_all_rw samba_share_fusefs
samba_enable_home_dirs samba_portmapper samba_share_nfs
~]# setsebool -P virt_use_[Tab]
virt_use_comm virt_use_nfs virt_use_sanlock
virt_use_execmem virt_use_rawip virt_use_usb
virt_use_fusefs virt_use_samba virt_use_xserver
The semanage utility is used with several command-line arguments that are completed one by one. The first argument of a semanage command is an option, which specifies what part of SELinux policy is managed:
~]# semanage [Tab]
boolean     export      import      login       node        port
dontaudit   fcontext    interface   module      permissive  user
Then, one or more command-line parameters follow:
~]# semanage fcontext -[Tab]
-a -D --equal --help -m -o
--add --delete -f -l --modify -S
-C --deleteall --ftype --list -n -t
-d -e -h --locallist --noheading --type
Finally, complete the name of a particular SELinux entry, such as a Boolean, SELinux user, domain, or another. Start typing the entry and hit Tab:
~]# semanage fcontext -a -t samba[Tab]
samba_etc_t             samba_secrets_t         sambagui_exec_t
samba_share_t           samba_initrc_exec_t     samba_unconfined_script_exec_t
samba_log_t             samba_unit_file_t       samba_net_exec_t
Command-line parameters can be chained in a command:
~]# semanage port -a -t http_port_t -p tcp 81
[3] To temporarily revert to the default behavior, as the Linux root user, run the setsebool httpd_can_network_connect_db off command. For changes that persist across reboots, run the setsebool -P httpd_can_network_connect_db off command.