
How to Enable or Disable SELinux Boolean Values?

Last Updated : 12 Mar, 2021

SELinux has tons of policies to handle in order to maintain the security level of the system, so it provides an easy way to update the policy dynamically. You need special arguments to make these changes persistent across a reboot; this capability is provided by the SELinux management utility.

To see the Booleans, use the getsebool terminal command, which shows the policies and their status.

# man getsebool

To see all Booleans with their status:

# getsebool -a

Change an SELinux Boolean Value:

To change SELinux Boolean values, use the setsebool command.

# man setsebool

It has three options: -P, -N and -V.

  • -P changes the Boolean values persistently, so they survive reboots.
  • -N means the policy on disk is not reloaded into the kernel.
  • -V prints verbose messages on the terminal.

Let us set the Boolean “httpd_can_check_spam” to on (true and 1 are equivalent values), and then check that it has changed.

# setsebool httpd_can_check_spam on
# getsebool -a | grep httpd_can_check_spam
To update the Boolean value permanently, so that it persists across reboots, use the -P option.

# setsebool -P httpd_can_check_spam on

See the Information of a particular SELinux Boolean Policy:

Understanding these policies from their names alone would be a tedious job. There is a command that gives more information about a particular policy, which makes it easier to see what the policy does.

The semanage command handles all these kinds of jobs.

# man semanage
semanage has many options. We are going to use “boolean”, which manages Booleans to selectively enable functionality.

# semanage boolean -l | grep httpd_can_check_spam
The output shows that “httpd_can_check_spam” can take two states, ON or OFF, and that it is used to give the httpd server the capability to check spam on the server. SELinux Booleans are easy to use and make the security environment easier to understand.
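The difference between a plain setsebool and setsebool -P can be checked from the semanage boolean -l listing. The script below is an added example, not part of the original article: it reports Booleans whose running value differs from the value stored on disk. It assumes the listing prints each row as "name (running, persistent) description"; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Booleans that were changed at runtime without -P.
# Assumption: `semanage boolean -l` prints rows shaped like
#   name   (running , persistent)  description

# find_drift: reads `semanage boolean -l` style text on stdin and prints
# "name running=<v> persistent=<v>" for every Boolean whose two values differ.
find_drift() {
    awk '
        # Only rows containing a "(state , state)" pair are Booleans;
        # this skips the header line and blank lines.
        match($0, /\([ ]*(on|off)[ ]*,[ ]*(on|off)[ ]*\)/) {
            name = $1
            pair = substr($0, RSTART + 1, RLENGTH - 2)  # text between ( and )
            gsub(/[ ]/, "", pair)                       # "on   ,  off" -> "on,off"
            split(pair, st, ",")
            if (st[1] != st[2])
                printf "%s running=%s persistent=%s\n", name, st[1], st[2]
        }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
SELinux boolean                State  Default Description

httpd_can_check_spam           (on   ,  off)  Allow httpd to check spam
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
ftpd_full_access               (off  ,  off)  Allow ftpd to full access
EOF
}

# On a live system, run as root:  semanage boolean -l | find_drift
# Here the constructed sample is used so the script runs offline.
sample_listing | find_drift
```

A Boolean reported here will return to its persistent value at the next reboot unless it is set again with -P.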

