SELinux booleans allow you to change the SELinux policy at runtime without the need to write additional policies. This allows you to change the policy without the need for recompilation, such as allowing services to access NFS volumes.
The setsebool command can be used to modify (switch on or off) the value of a SELinux Boolean at runtime as shown in following command line:
# setsebool ftp_home_dir on
The getsebool command can be used with the -a option to display the list of all SELinux Booleans and their current values as shown in the following command line. The output of this command is passed to a grep filter to narrow down the results:
# getsebool -a
The output of the getsebool -a command can be filtered down using grep as shown in the following command line:
# getsebool -a | grep ftp
getsebool Command Examples
1. If you would like a list of all the bare bones of SELinux booleans and their values, getsebool -a is an alternative, as follows:
# getsebool -a
2. Query the status of the httpd_enable_homedirs boolean value:
# getsebool httpd_enable_homedirs
3. It is possible to get the value of a single SELinux boolean without the use of additional utilities, such as grep and/or awk. Simply execute the following:
# getsebool [SELinux boolean]
This shows you whether or not the boolean is set. Here’s an example:
# getsebool virt_use_nfs virt_use_nfs --> off
Final Thoughts
Managing SELinux booleans can be rather complex as there are a lot of booleans, and their names are not always simple to remember. For this reason, the setsebool, getsebool, and semanage tools come with tab completion. So, whenever you type any boolean name, you can use the tab key to complete or display the possible options.