SELinux/Booleans

SELinux booleans are configurable settings, comparable to sysctls, that enable or disable additional policy controls. Unlike sysctls, though, a boolean can only be enabled (on) or disabled (off).

Introduction
Because an SELinux policy defines the acceptable behavior of the processes on a system, a single, static policy could hardly be usable for the majority of systems. Some systems might want the web server to be able to access a database, while others don't. Covering every possible use case this way would require a few hundred thousand policies.

Toggling code on or off
To support a more flexible policy management approach, SELinux booleans came to life. Administrators can set particular booleans through commands such as  or   to enable or disable parts of the SELinux policy.

In the SELinux policy code, a boolean is called a tunable, and it governs additional SELinux policy rules like so:

In this example, two policy macros (which are interfaces that group one or more SELinux policy rules) are enabled when the  boolean is set.

An administrator who enables NFS home directories on their systems will need to set  to on.

Permanently storing boolean values
When an administrator enables or disables an SELinux boolean, the change can be made for the current session only or permanently.

If the setting is not persisted, the change is lost at the next system boot and the previous configuration is used again. This allows administrators either to enable policy settings temporarily (and disable them again later) or to try out policy changes that could render the system unusable, in which case a reboot restores the previous state.

Managing booleans
Booleans are provided by the SELinux policy. Once a policy is loaded, its booleans can be queried and toggled.

Listing booleans
The list of currently defined booleans can be obtained through.

The same can be done using, which also displays some additional information about each boolean.

Getting individual boolean information
To get information about an individual boolean, use.

Of course, one can also  the results from  :

Toggling booleans
To set a boolean, the  command can be used.

This will however not persist the setting. To persist it, add the  argument.

Similarly,  can be used (which also persists the change):

Viewing affected policy rules
To view the policy rules that are enabled (or disabled) when a boolean is set (or unset), use :

In the above example,  is currently enabled. As a result, the first character shows all four rules as enabled as well (E). The second character (T) tells us that the rule becomes active when the boolean is enabled (T stands for True).

A different example:

In this example, the rule is currently enabled precisely because  is unset.
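Interpreting the two-character status prefix described in the two examples above, as an added shell example that is not part of the original page: it classifies each prefix (first character E/D for currently enabled/disabled, second character T/F for the branch that applies when the boolean is true/false, generalising the E and T cases shown above), infers the boolean's current value from a listing, and flags a listing whose rules imply contradictory values. The listing, the boolean name my_bool and the types in it are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the style of a conditional-rule listing for one boolean.
# Column 1: E = rule currently enabled, D = currently disabled.
# Column 2: T = rule belongs to the "boolean is true" branch, F = to the "false" branch.
SAMPLE_LISTING='ET allow myapp_t user_home_t:file { read getattr open }; [ my_bool ]
ET allow myapp_t user_home_dir_t:dir { search getattr }; [ my_bool ]
DF dontaudit myapp_t user_home_t:file read; [ my_bool ]'

# Explain one status prefix in plain words.
explain_flags() {
    case "$1" in
        ET) echo "enabled now; active while the boolean is on" ;;
        EF) echo "enabled now; active while the boolean is off" ;;
        DT) echo "disabled now; becomes active when the boolean is turned on" ;;
        DF) echo "disabled now; becomes active when the boolean is turned off" ;;
        *)  echo "unknown flags: $1"; return 1 ;;
    esac
}

# Derive the boolean's current value from a rule's flags: a True-branch rule is
# enabled only while the boolean is on, a False-branch rule only while it is off.
infer_boolean_state() {
    case "$1" in
        ET|DF) echo on ;;
        EF|DT) echo off ;;
        *) return 1 ;;
    esac
}

# Summarise a listing read from stdin: count enabled/disabled rules and report the
# boolean value they imply; fail if two rules imply different values.
summarise_listing() {
    enabled=0; disabled=0; state=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}
        case "$flags" in E?) enabled=$((enabled + 1)) ;; D?) disabled=$((disabled + 1)) ;; esac
        s=$(infer_boolean_state "$flags") || return 1
        if [ -z "$state" ]; then state=$s
        elif [ "$state" != "$s" ]; then echo "inconsistent listing at: $line" >&2; return 1
        fi
    done
    echo "enabled=$enabled disabled=$disabled boolean=$state"
}

printf '%s\n' "$SAMPLE_LISTING" | summarise_listing
```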