
An SELinux boolean is an on/off switch that determines whether a certain "thing" is allowed or denied. For example, let's say you have a Linux web server that will be using a SQL database, such as MySQL or MariaDB. One of the SELinux booleans is httpd_can_network_connect_db. If httpd_can_network_connect_db is off, the web server will be unable to connect to the SQL database. If httpd_can_network_connect_db is on, the web server will be able to connect to the SQL database.
Determine if boolean is on or off
The semanage boolean -l command lists every SELinux boolean, along with whether it is on or off and a quick description of the boolean. The two values in parentheses are the current state and the default. In this example, httpd_can_network_connect_db is on.
~]# semanage boolean -l
. . .
httpd_can_network_connect_db (on , on) Allow httpd to can network connect db
Similarly, the getsebool command with the -a option will list the status of every SELinux boolean. The getsebool command followed by the boolean name will list the status of a single boolean. In this example, the status of only the httpd_can_network_connect_db boolean is listed.
~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
Turn boolean on or off
The setsebool command followed by a boolean name and on or off can be used to turn a certain boolean on or off. In this example, the httpd_can_network_connect_db boolean is turned off.
~]# setsebool httpd_can_network_connect_db off
Without the -P option, the change applies only to the running system. The -P option is required to make the change permanent, so that the setting survives reboots.
~]# setsebool -P httpd_can_network_connect_db on
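Because setsebool without -P changes only the running state, a boolean can silently differ from what will be applied at the next reboot. The following is an added example, not part of the original article, that reads semanage boolean -l output and reports every boolean whose two values disagree. The function names boolean_drift and sample_output are hypothetical, the sample output is constructed, and the script assumes the first value in parentheses is the running state and the second is the stored value.

```shell
#!/bin/sh
# Added example: report SELinux booleans whose running state differs from
# the stored (persistent) value, i.e. changes made with setsebool without -P.

# boolean_drift: reads `semanage boolean -l` output on stdin and prints one
# line per boolean whose two values disagree.
# Assumption: in "(X , Y)", X is the running state and Y is the stored value.
boolean_drift() {
    awk '
        # Only lines carrying an "(on|off , on|off)" pair are boolean rows;
        # the column header, blank lines and ". . ." are skipped.
        match($0, /\( *(on|off) *, *(on|off) *\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", pair)
            split(pair, v, ",")
            if (v[1] != v[2])
                printf "%s runtime=%s persistent=%s\n", $1, v[1], v[2]
        }
    '
}

# Constructed sample output (not captured from a real host).
sample_output() {
    cat <<'EOF'
SELinux boolean                State  Default Description

httpd_can_network_connect_db   (off  ,   on)  Allow httpd to can network connect db
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_can_sendmail             (on   ,  off)  Allow httpd to can sendmail
EOF
}

# Demo on the constructed sample.
# On a live system, run as root: semanage boolean -l | boolean_drift
sample_output | boolean_drift
```

A boolean reported here will revert to its persistent value at the next reboot unless the change is repeated with setsebool -P.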