SELinux booleans let you adjust the SELinux policy at runtime without writing additional policy modules. This means you can change what the policy allows without recompiling it, for example to allow a service to access NFS volumes.
This section shows how to change SELinux booleans, either temporarily or permanently.
For a list of all booleans and an explanation of what they do, execute the following:
~# semanage boolean -l
Now, let's get the value of a particular SELinux boolean. You can read the value of a single boolean without piping through additional utilities such as grep or awk. Simply execute the following:
~# getsebool <SELinux boolean>
This shows whether the boolean is currently on or off. Here's an example:
~# getsebool virt_use_nfs
virt_use_nfs --> off
~#
To set a boolean value to a particular one, use the following command:
~# setsebool <SELinux boolean> <on|off>
Here's an example command:
~# setsebool virt_use_nfs on
This command changes the value of the boolean immediately, but the change is not persistent across reboots. To make it persistent, add the -P option to the command line, as follows:
~# setsebool -P virt_use_nfs on
If you would like a bare list of all SELinux booleans and their current values, without the descriptions, getsebool -a is an alternative, as follows:
~# getsebool -a
Managing SELinux booleans can be rather complex, as there are a lot of booleans and their names are not always easy to remember. For this reason, the setsebool, getsebool, and semanage tools come with tab completion: whenever you type a boolean name, you can press the Tab key to complete it or to display the possible options.
Here's an example of an AVC denial report found in the audit.log file that can be solved by enabling a boolean:
type=AVC msg=audit(1438884483.053:48): avc: denied { open } for pid=1270 comm="httpd" path="/nfs/www/html/index.html" dev="0:38" ino=2717909250 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
This is an example of a service (httpd in this case) accessing a file located on an NFS share, which the policy denies by default. The source context (scontext) shows the httpd_t domain, the target context (tcontext) shows the nfs_t file type, and the denied permission is open on a file. This can be allowed by setting the httpd_use_nfs boolean to "on".
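The following POSIX shell helpers are an added example, not part of the original text: they parse the getsebool output format and the AVC record format shown above so that a denial can be reduced to "source type, permission, class, target type" before deciding whether a boolean is the right fix, and they wrap the check-then-set-persistently procedure so a boolean is only changed when its current value differs. The sample strings are constructed (modelled on the output and audit record quoted above), and the function names sebool_state, avc_field, avc_perms, ctx_type, avc_summary, avc_scan and sebool_ensure are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text). Constructed sample data,
# modelled on the getsebool output and the AVC record quoted above.
SAMPLE_GETSEBOOL='virt_use_nfs --> off'
SAMPLE_AVC='type=AVC msg=audit(1438884483.053:48): avc:  denied  { open } for  pid=1270 comm="httpd" path="/nfs/www/html/index.html" dev="0:38" ino=2717909250 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# sebool_state "<name> --> <on|off>": print just the on/off part of a
# getsebool output line.
sebool_state() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# avc_field RECORD KEY: print the value of KEY=value in an AVC record,
# with surrounding double quotes removed (e.g. comm, scontext, tclass).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms RECORD: the permissions listed between { }, e.g. "open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: print "<denied|granted> <source type> <perms> <class>
# <target type>" for an AVC record; returns 1 for any other audit line.
avc_summary() {
    rec=$1
    case $rec in
        *type=AVC*) ;;
        *) return 1 ;;
    esac
    case $rec in
        *" denied "*)  verdict=denied ;;
        *" granted "*) verdict=granted ;;
        *) return 1 ;;
    esac
    printf '%s %s %s %s %s\n' "$verdict" \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(avc_perms "$rec")" \
        "$(avc_field "$rec" tclass)" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")"
}

# avc_scan FILE: summarise every AVC record in an audit log file,
# skipping SYSCALL and other record types.
avc_scan() {
    while IFS= read -r line; do
        avc_summary "$line" || :
    done < "$1"
}

# sebool_ensure NAME on|off: set a boolean persistently only if its current
# value differs, then re-read it to confirm. Needs root and the SELinux
# userland tools; returns 2 on a host without them or for an unknown boolean.
sebool_ensure() {
    name=$1 want=$2
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not available" >&2; return 2; }
    have=$(sebool_state "$(getsebool "$name" 2>/dev/null)")
    case $have in
        on|off) ;;
        *) echo "unknown boolean: $name" >&2; return 2 ;;
    esac
    if [ "$have" = "$want" ]; then
        echo "$name already $want"
        return 0
    fi
    setsebool -P "$name" "$want" || return 1
    [ "$(sebool_state "$(getsebool "$name")")" = "$want" ]
}

# Demonstration on the constructed samples; this part runs on any host.
echo "virt_use_nfs is $(sebool_state "$SAMPLE_GETSEBOOL")"
avc_summary "$SAMPLE_AVC"
```

On an SELinux host, `avc_scan /var/log/audit/audit.log` lists each denial as one short line (the record above becomes `denied httpd_t open file nfs_t`), which makes it easy to see whether the source domain, target type and class line up with a boolean's description in `semanage boolean -l`; `sebool_ensure httpd_use_nfs on` then applies the page's `setsebool -P` step only when the boolean is not already on, and confirms the new value with `getsebool` afterwards.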