SELinux booleans make decisions on whether or not a certain "thing" is allowed or denied. For example, let's say you have a Linux web server that will be using a SQL database, such as MySQL or MariaDB. One of the SELinux booleans is httpd_can_network_connect_db. If httpd_can_network_connect_db is off, the web server will be unable to connect to the SQL database. On the other hand, if httpd_can_network_connect_db is on, the web server will be able to connect to the SQL database.

Determine if boolean is on or off

The semanage boolean -l command can be used to list every SELinux boolean, and then list on or off, and a quick description of the boolean. In this example, httpd_can_network_connect_db is on.

~]# semanage boolean -l
. . .
httpd_can_network_connect_db  (on , on)  Allow httpd to can network connect db

Similarly, the getsebool command with the -a option will list the status of every SELinux boolean. The getsebool command followed by the boolean name will list the status of a single boolean. In this example, the status of only the httpd_can_network_connect_db boolean is listed.

~]# getsebool httpd_can_network_connect_db  
httpd_can_network_connect_db --> on

Turn boolean on or off

The setsebool command followed by a boolean name and on or off can be used to turn a certain boolean on or off. In this example, the httpd_can_network_connect_db boolean is turned off.

~]# setsebool httpd_can_network_connect_db off

The -P option is required to make the change permament, so that the setting survives reboots.

~]# setsebool -P httpd_can_network_connect_db on