Use Boolean Settings to Modify SELinux Settings

Use Boolean settings to modify system SELinux settings

CIS126RH | RHEL System Administration 1
Mesa Community College

SELinux Booleans are pre-built policy switches that enable or disable specific behaviours without requiring changes to the policy source code or a system reboot. Each Boolean controls a named feature — for example, whether Apache can connect to a database, whether FTP can read home directories, or whether HTTPD can use NFS. Administrators flip these switches using setsebool and inspect them with getsebool and semanage boolean. Boolean management is a core RHCSA exam skill.

Learning Objectives

  1. Explain what SELinux Booleans are and why they exist — Describe how Booleans provide administrator-accessible policy adjustments without requiring policy recompilation
  2. List and search Booleans with getsebool and semanage boolean — Display all Booleans, filter by service or function, and read the description to identify the correct Boolean for a task
  3. Enable and disable Booleans with setsebool — Use setsebool to change a Boolean at runtime and persistently with the -P flag
  4. Identify the correct Boolean and verify changes — Use semanage boolean -l descriptions to choose the right Boolean, and verify changes with getsebool

What are SELinux Booleans?

SELinux Booleans are named on/off switches built into the SELinux policy that enable or disable specific access permissions for services.

  • Each Boolean controls a specific behaviour — e.g., httpd_can_network_connect_db allows Apache to make network connections to database ports
  • Booleans have two states: on (permission granted) and off (permission denied)
  • Changes can be runtime (immediate, lost on reboot) or persistent (written to disk, survives reboot)
  • There are hundreds of Booleans — one for nearly every service-to-service interaction that an administrator might legitimately need to enable
  • Booleans are the safest way to expand SELinux permissions because they are pre-vetted by Red Hat security engineers

Booleans vs policy modifications

Booleans are compiled into the policy as optional rules that can be switched on or off. They are safer than writing custom policy modules because the rules have been reviewed by Red Hat. Use Booleans before considering custom policy modules.

Listing Booleans: getsebool

# Show the current state of ALL Booleans
$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
...
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
...
ssh_chroot_rw_homedirs --> off
...

# Show the state of a specific Boolean
$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

# Filter with grep to find related Booleans
$ getsebool -a | grep httpd
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_can_network_relay --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
...

Boolean Descriptions: semanage boolean -l

semanage boolean -l adds a description column — the most useful command for finding the right Boolean for a task.

# List all Booleans with descriptions (three columns)
$ sudo semanage boolean -l
SELinux boolean        State  Default  Description
...
httpd_can_network_connect_db (off , off)  Allow HTTPD scripts and modules to connect to databases over the network
httpd_can_sendmail        (off , off)  Allow http daemon to send mail
httpd_enable_homedirs     (off , off)  Allow httpd to read home directories
httpd_use_nfs             (off , off)  Allow httpd to use NFS
...

# Format: BOOLEAN_NAME (current_state, default_state)  Description

# Filter to find a Boolean by keyword in the description
$ sudo semanage boolean -l | grep -i "ftp.*home"
ftp_home_dir              (off , off)  Allow ftp to read and write files in the user home directories

# Find a Boolean by partial name
$ sudo semanage boolean -l | grep httpd_can
httpd_can_check_spam      (off , off)  Allow HTTPD to run clamav anti-spam scripts
httpd_can_network_connect (off , off)  Allow HTTPD scripts and modules to connect to the network
httpd_can_network_connect_db (off , off)  Allow HTTPD scripts and modules to connect to databases
httpd_can_network_relay   (off , off)  Allow httpd to act as a relay
httpd_can_sendmail        (off , off)  Allow http daemon to send mail

Setting Booleans: setsebool

# Enable a Boolean (runtime only — lost on reboot)
$ sudo setsebool httpd_can_network_connect_db on

# Disable a Boolean (runtime only)
$ sudo setsebool httpd_can_network_connect_db off

# Enable a Boolean PERSISTENTLY (survives reboot) — -P flag
$ sudo setsebool -P httpd_can_network_connect_db on

# Alternative: use 1 and 0 instead of on and off
$ sudo setsebool -P httpd_can_network_connect_db 1

# Set multiple Booleans at once with -P
$ sudo setsebool -P \
    httpd_can_network_connect_db on \
    httpd_can_sendmail on

# Verify the change
$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

Always use -P for exam tasks — the grader reboots

setsebool without -P is runtime only — lost on reboot. setsebool -P BOOLEAN on writes to disk and survives reboots. Use -P for every Boolean change on the RHCSA exam.

Runtime vs Persistent: The -P Flag

The Boolean has two states — the current runtime state and the persistent (on-disk) state. They can differ when -P is not used.

# Start: both states are off
$ getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs   (off , off)  Allow httpd to read home directories
#                       current default

# Runtime only change (no -P)
$ sudo setsebool httpd_enable_homedirs on
$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs   (on  , off)  Allow httpd to read home directories
#                       current  default (persistent) → still off!

# After reboot: Boolean reverts to the persistent (default) state

# Persistent change (with -P)
$ sudo setsebool -P httpd_enable_homedirs on
$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs   (on  , on)   Allow httpd to read home directories
#                       current  persistent → both on ✓

Common SELinux Booleans

Boolean name                   Default   What enabling allows
httpd_can_network_connect      off       Apache to make outbound network connections (general)
httpd_can_network_connect_db   off       Apache to connect to databases over the network
httpd_can_sendmail             off       Apache to send mail via sendmail/postfix
httpd_enable_homedirs          off       Apache to read user home directories
httpd_use_nfs                  off       Apache to serve files from NFS mounts
httpd_enable_cgi               on        Apache to execute CGI scripts
ftp_home_dir                   off       FTP server to read/write user home directories
allow_ftpd_anon_write          off       FTP server anonymous write access
ssh_chroot_rw_homedirs         off       SSH to read/write home dirs when chrooted
samba_share_nfs                off       Samba to share NFS mounted directories
virt_sandbox_use_all_caps      off       Virtualisation sandboxes to use all capabilities

Finding the Right Boolean

The key skill: given a service problem or a task description, find the Boolean that controls the relevant permission.

# Task: "Allow Apache to serve content from NFS mounted storage"
# Step 1: Search semanage boolean descriptions
$ sudo semanage boolean -l | grep -i "httpd.*nfs"
httpd_use_nfs   (off , off)  Allow httpd to use NFS
# Found: httpd_use_nfs

# Task: "Allow FTP users to access their home directories"
$ sudo semanage boolean -l | grep -i "ftp.*home"
ftp_home_dir    (off , off)  Allow ftp to read and write files in the user home directories
# Found: ftp_home_dir

# Task: "Apache web application needs to connect to a MySQL database"
$ sudo semanage boolean -l | grep -i "http.*database"
httpd_can_network_connect_db  (off , off)
    Allow HTTPD scripts and modules to connect to databases over the network
# Found: httpd_can_network_connect_db

# Alternative: search getsebool output
$ getsebool -a | grep ftp

Complete Boolean Management Workflow

Exam scenario: enable Apache to connect to a remote MariaDB database.

# Step 1: Identify the correct Boolean
$ sudo semanage boolean -l | grep -i "httpd.*database"
httpd_can_network_connect_db  (off , off)
    Allow HTTPD scripts and modules to connect to databases over the network

# Step 2: Check the current state
$ getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

# Step 3: Enable persistently
$ sudo setsebool -P httpd_can_network_connect_db on

# Step 4: Verify — both current and persistent should be on
$ sudo semanage boolean -l | grep httpd_can_network_connect_db
httpd_can_network_connect_db  (on  , on)
    Allow HTTPD scripts and modules to connect to databases over the network

# Step 5: Test the application connection to the database
# (the web application should now be able to reach MariaDB)
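The runtime-versus-persistent check from the -P section and the verification step of the workflow above, as an added example that is not part of the course notes: a small shell script that parses the (current , persistent) column of semanage boolean -l, reports Booleans changed without -P, and confirms a Boolean is on in both columns. The semanage output it runs on is constructed; the --live switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the course notes: parse the "(current , persistent)"
# column of `semanage boolean -l`, flag runtime-only changes a reboot would
# discard, and confirm a Boolean is on in both columns after setsebool -P.

# Constructed sample of `semanage boolean -l` output; httpd_can_sendmail was
# enabled without -P, so its runtime and persistent states differ.
SAMPLE_SEMANAGE='SELinux boolean                State  Default Description
httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network
httpd_can_network_connect_db   (on   ,   on)  Allow HTTPD scripts and modules to connect to databases over the network
httpd_can_sendmail             (on   ,  off)  Allow http daemon to send mail
ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories'

# Reads semanage lines on stdin and prints "NAME CURRENT PERSISTENT" for each
# Boolean; the header and any line without a "(x , y)" column are skipped.
boolean_states() {
    sed -n 's/^\([A-Za-z0-9_]*\)[[:space:]]*(\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1 \2 \3/p'
}

# Prints every Boolean whose runtime state differs from its persistent state
# (a setsebool without -P); exits 1 when at least one is found.
drift_report() {
    boolean_states | awk '$2 != $3 { print $1 " runtime=" $2 " persistent=" $3; n++ }
                          END { exit (n > 0) }'
}

# Exits 0 only if NAME ($1) is on in both columns, the result a successful
# setsebool -P must produce; unknown names fail as well.
verify_persistent_on() {
    boolean_states | awk -v name="$1" '
        $1 == name { found = 1; ok = ($2 == "on" && $3 == "on") }
        END { exit !(found && ok) }'
}

# Translates the "CURRENT PENDING" pair in /sys/fs/selinux/booleans/NAME
# (the "0 0" / "1 1" form) into on/off words.
sysfs_boolean_state() {
    awk '{ printf "current=%s pending=%s\n", ($1 == 1 ? "on" : "off"), ($2 == 1 ? "on" : "off") }'
}

# Run against the sample by default; "--live" reads the real policy store
# (semanage needs root). Drift found means: repeat the change with setsebool -P.
if [ "${1:-}" = "--live" ]; then
    semanage boolean -l | drift_report || echo "runtime-only changes above will be lost on reboot"
else
    printf '%s\n' "$SAMPLE_SEMANAGE" | drift_report || echo "runtime-only changes above will be lost on reboot"
fi
```

On the sample data the script lists httpd_can_sendmail as runtime=on persistent=off, which is exactly the (on , off) state the exam grader's reboot would undo.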

sealert: Boolean Recommendations

sealert (part of the setroubleshoot-server package) reads audit denials and suggests the specific Boolean or policy change needed.

# Install setroubleshoot-server if not present
$ sudo dnf install -y setroubleshoot-server

# Analyse the audit log for SELinux problems and suggestions
$ sudo sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3306.

*****  Plugin catchall_boolean (89.3 confidence) suggests  ****

If you want to allow httpd to connect to the database
Then you must turn on the httpd_can_network_connect_db boolean.
Do
setsebool -P httpd_can_network_connect_db 1

# sealert -b: list all current SELinux alerts briefly
$ sudo sealert -b

# setroubleshoot also writes to syslog when active:
$ sudo journalctl -t setroubleshoot --since "1 hour ago"

sealert tells you which Boolean to set and provides the exact command

When a service is failing due to an SELinux denial, run sudo sealert -a /var/log/audit/audit.log — it analyses the denials and outputs the exact setsebool -P command needed, including the Boolean name.

Where Boolean State is Stored

Understanding where Booleans are stored explains why -P is needed for persistence and how to verify the persistent state.

# Persistent Boolean state is stored in the policy store
$ ls /etc/selinux/targeted/booleans.subs_dist
# Mapping file for Boolean name aliases

# The actual persistent boolean values
$ cat /sys/fs/selinux/booleans/httpd_can_network_connect_db
0 0   # format: current_value pending_value

# After setsebool -P httpd_can_network_connect_db on:
$ cat /sys/fs/selinux/booleans/httpd_can_network_connect_db
1 1   # both current and pending = 1 (on)

# List all Boolean files in the SELinux filesystem
$ ls /sys/fs/selinux/booleans/ | head -10
abrt_anon_write
abrt_handle_event
allow_ftpd_anon_write
...

# Booleans are semanage-managed objects (written to policy store)
# /etc/selinux/targeted/modules/active/booleans.local

Boolean Management Quick Reference

Task                                          Command
List all Booleans and current state           getsebool -a
Show state of a specific Boolean              getsebool BOOLEAN_NAME
Filter Booleans by service name               getsebool -a | grep httpd
List Booleans with descriptions               sudo semanage boolean -l
Search descriptions for a task                sudo semanage boolean -l | grep -i "keyword"
List only modified (non-default) Booleans     sudo semanage boolean -l -C
Enable a Boolean (runtime only)               sudo setsebool BOOLEAN on
Enable a Boolean persistently                 sudo setsebool -P BOOLEAN on
Disable a Boolean persistently                sudo setsebool -P BOOLEAN off
Enable multiple Booleans persistently         sudo setsebool -P BOOL1 on BOOL2 on
Verify both current and persistent state      sudo semanage boolean -l | grep BOOLEAN
Get Boolean fix suggestions from audit log    sudo sealert -a /var/log/audit/audit.log

Common Mistakes

Mistake: Using setsebool without -P
  What goes wrong: Boolean is on now but reverts to off (or previous persistent state) after reboot — exam grading fails
  Correct approach: Always use setsebool -P BOOLEAN on for exam tasks

Mistake: Guessing the Boolean name instead of searching
  What goes wrong: Wrong Boolean set — problem is not fixed or wrong service is affected
  Correct approach: Use semanage boolean -l | grep -i KEYWORD to read descriptions and find the exact name

Mistake: Checking only getsebool to verify persistence
  What goes wrong: getsebool shows runtime state — looks correct but may revert on reboot if -P was not used
  Correct approach: Use semanage boolean -l | grep BOOLEAN to see both (current, persistent) states

Mistake: Thinking a Boolean change requires a service restart
  What goes wrong: Student reboots unnecessarily or restarts services — wastes exam time
  Correct approach: Boolean changes take effect immediately — no service restart or reboot needed

Mistake: Enabling the wrong level of Boolean (httpd_can_network_connect vs _db)
  What goes wrong: Too broad or too narrow — may expose more or less than needed
  Correct approach: Read descriptions: httpd_can_network_connect allows all network; _db allows only database ports

Mistake: Not checking if a Boolean is already on before enabling
  What goes wrong: No harm done, but unnecessary command — or student sets wrong one
  Correct approach: Always run getsebool BOOLEAN first to confirm current state

Booleans in Context: The SELinux Toolkit

Booleans are one of three tools for adjusting SELinux behaviour. Choosing the right tool depends on the nature of the problem.

Problem type: Service needs a non-default feature enabled
  Correct tool: SELinux Boolean (setsebool -P)
  Example: Apache needs to connect to a database: httpd_can_network_connect_db on

Problem type: File has the wrong SELinux type label
  Correct tool: File context (restorecon or semanage fcontext)
  Example: Web file moved from home dir: restorecon -v /var/www/html/file.html

Problem type: Service cannot bind to a non-standard port
  Correct tool: Port label (semanage port -a)
  Example: SSH on port 2222: semanage port -a -t ssh_port_t -p tcp 2222

Problem type: SELinux is blocking access but mode needs to stay enforcing
  Correct tool: Boolean, file context, or port label depending on cause
  Example: Diagnose with ausearch/sealert → apply the specific fix

Problem type: Troubleshooting: determine if SELinux is the cause
  Correct tool: Temporary mode (setenforce 0)
  Example: Set permissive, test, identify denials, restore enforcing

Complete Workflow: FTP Home Directory Access

Exam scenario: configure vsftpd to allow users to access their home directories via FTP — currently blocked by SELinux.

# Step 1: Identify the correct Boolean
$ sudo semanage boolean -l | grep -i "ftp.*home"
ftp_home_dir  (off , off)
    Allow ftp to read and write files in the user home directories

# Step 2: Check current state
$ getsebool ftp_home_dir
ftp_home_dir --> off

# Step 3: Enable persistently
$ sudo setsebool -P ftp_home_dir on

# Step 4: Verify both states are on
$ sudo semanage boolean -l | grep ftp_home_dir
ftp_home_dir  (on  , on)
    Allow ftp to read and write files in the user home directories

# Step 5: Test FTP access to home directory
# FTP users can now access /home/username/ through vsftpd

# Also check: semanage boolean -l -C shows this as a modified Boolean
$ sudo semanage boolean -l -C
ftp_home_dir  (on , on)  Allow ftp to read and write files in the user home directories

Knowledge Check

Answer these before moving to the next slide.

  1. What is an SELinux Boolean, and what problem do Booleans solve that would otherwise require editing SELinux policy source code?
  2. Write the command to find all SELinux Booleans related to the httpd service and see their current states.
  3. You need to allow Apache to send email. Write the complete workflow: find the Boolean, check its state, enable it persistently, and verify.
  4. What is the difference between setsebool httpd_use_nfs on and setsebool -P httpd_use_nfs on?
  5. After running sudo setsebool httpd_can_sendmail on (without -P), you check with sudo semanage boolean -l | grep httpd_can_sendmail and see (on , off). What does this mean, and what happens after the next reboot?
  6. Write the command to list only the SELinux Booleans that have been changed from their default state.

Knowledge Check — Answers

  1. An SELinux Boolean is a named on/off switch built into the SELinux policy that controls a specific access permission. Booleans allow administrators to enable optional service features (such as Apache connecting to a database) without writing or compiling custom policy modules — the rules already exist in the policy but are disabled by default.
  2. getsebool -a | grep httpd
    Also accept: sudo semanage boolean -l | grep httpd (adds descriptions).
  3. (1) Find: sudo semanage boolean -l | grep -i "httpd.*mail" → returns httpd_can_sendmail
    (2) Check: getsebool httpd_can_sendmail → off
    (3) Enable: sudo setsebool -P httpd_can_sendmail on
    (4) Verify: sudo semanage boolean -l | grep httpd_can_sendmail → should show (on , on)
  4. Without -P: the Boolean is turned on in the running kernel immediately, but the change is not written to disk. After a reboot, the Boolean reverts to its previous persistent state (off). With -P: the change is both applied immediately and written to disk — it survives reboots.
  5. (on , off) means the runtime state is currently on, but the persistent (disk) state is still off. After the next reboot, the system reads the persistent state and the Boolean will be off — the change is lost. The -P flag was not used, so the change is runtime only.
  6. sudo semanage boolean -l -C — the -C flag shows only customised (non-default) Booleans — those that have been changed from their factory-default state with setsebool -P.

Key Takeaways

  1. Booleans are pre-built on/off switches for specific SELinux policy features. No policy editing required. Changes take effect immediately — no service restart needed. Use Booleans before considering any other policy modification. Find relevant Booleans with semanage boolean -l | grep -i KEYWORD.
  2. Always use setsebool -P BOOLEAN on for persistent changes. Without -P, the change reverts on reboot. The exam grader reboots the system — only persistent changes survive. Multiple Booleans can be set in one command: setsebool -P BOOL1 on BOOL2 on.
  3. Verify with semanage boolean -l | grep BOOLEAN. Output format: (current, persistent) — both must show on after a successful setsebool -P. (on, off) means -P was not used and the change will be lost on reboot.
  4. Use sealert to get Boolean recommendations from audit denials. sudo sealert -a /var/log/audit/audit.log analyses AVC denials and provides the exact setsebool -P command. List custom Booleans with semanage boolean -l -C to audit what has been changed.

Graded Lab

  • Run getsebool -a | grep httpd to see all httpd-related Booleans and their current states. Then run sudo semanage boolean -l | grep httpd to see the same list with descriptions. Note the difference in output format.
  • Use sudo semanage boolean -l | grep -i "database" to find the Boolean that allows Apache to connect to remote databases. Check its current state. Enable it persistently with setsebool -P. Verify with sudo semanage boolean -l | grep BOOLEAN — confirm both states are on.
  • Enable ftp_home_dir without the -P flag: sudo setsebool ftp_home_dir on. Check with sudo semanage boolean -l | grep ftp_home_dir — observe the (on , off) output. This demonstrates the runtime-only change. Then enable it persistently and confirm both states become on.
  • Run sudo semanage boolean -l -C to see only the Booleans you have changed. Confirm that your two changes (httpd_can_network_connect_db and ftp_home_dir) appear here.
  • Disable ftp_home_dir persistently: sudo setsebool -P ftp_home_dir off. Verify with getsebool ftp_home_dir and sudo semanage boolean -l | grep ftp_home_dir — confirm both show off.
  • Run sudo sealert -a /var/log/audit/audit.log. Review any SELinux alerts from the lab session. If no alerts appear, generate one by setting Apache to listen on a port that needs a Boolean — observe sealert's recommendation and the exact setsebool -P command it suggests.

RHCSA Objective

"Use Boolean settings to modify system SELinux settings." Find: semanage boolean -l | grep -i KEYWORD. Enable persistently: setsebool -P BOOLEAN on. Verify: semanage boolean -l | grep BOOLEAN → must show (on , on).