Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
For a list of Booleans, an explanation of what each one is, and whether it is on or off, as the Linux root user, run the /usr/sbin/semanage boolean -l command. The following example does not list all Booleans:
    # /usr/sbin/semanage boolean -l
    SELinux boolean                Description

    ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
    xen_use_nfs                    -> off   Allow xen to manage nfs files
    xguest_connect_network         -> on    Allow xguest to configure Network Manager
The SELinux boolean column lists Boolean names. The Description column lists whether the Booleans are on or off, and what they do.
In the following example, the ftp_home_dir Boolean is off, preventing the FTP daemon (vsftpd) from reading and writing to files in user home directories:

    ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
The /usr/sbin/getsebool -a command lists Booleans and whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
    $ /usr/sbin/getsebool -a
    allow_console_login --> off
    allow_cvs_read_shadow --> off
    allow_daemons_dump_core --> on
Run the /usr/sbin/getsebool boolean-name command to only list the status of the boolean-name Boolean:
    $ /usr/sbin/getsebool allow_console_login
    allow_console_login --> off
Use a space-separated list to list multiple Booleans:
    $ /usr/sbin/getsebool allow_console_login allow_cvs_read_shadow allow_daemons_dump_core
    allow_console_login --> off
    allow_cvs_read_shadow --> off
    allow_daemons_dump_core --> on
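Because getsebool prints one "name --> state" line per Boolean, its output can be checked against an expected baseline to spot Booleans that have been switched away from their intended state. The following script is an added example, not part of the original guide; the baseline file format, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag SELinux Booleans whose state differs from an expected baseline.
# Assumed baseline format (not from the guide): one "name state" pair per line.

# Constructed sample in the getsebool output format shown above.
sample_getsebool() {
    printf '%s\n' 'allow_console_login --> off' \
                  'allow_cvs_read_shadow --> off' \
                  'allow_daemons_dump_core --> on'
}

# Constructed baseline: the states this hypothetical host is expected to have.
sample_baseline() {
    printf '%s\n' '# name state' 'allow_console_login off' \
                  'allow_daemons_dump_core off' 'ftp_home_dir off'
}

# boolean_drift BASELINE_FILE  (reads getsebool output on stdin)
# Prints sorted findings; returns 0 if none, 1 on findings, 2 if no baseline.
boolean_drift() {
    if [ ! -r "$1" ]; then
        echo "baseline not readable: $1" >&2
        return 2
    fi
    findings=$(awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0) {
                    n = split(line, f, " ")
                    if (n >= 2 && f[1] !~ /^#/) want[f[1]] = f[2] } }
        $2 == "-->" { seen[$1] = 1
                      if (($1 in want) && want[$1] != $3)
                          printf "DRIFT %s expected=%s actual=%s\n", $1, want[$1], $3 }
        END { for (b in want) if (!(b in seen))
                  printf "MISSING %s expected=%s\n", b, want[b] }
    ' | sort)
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Demo on the constructed data. On a real host:
#   /usr/sbin/getsebool -a | boolean_drift /path/to/baseline
demo_baseline=$(mktemp)
sample_baseline > "$demo_baseline"
sample_getsebool | boolean_drift "$demo_baseline" || true
rm -f "$demo_baseline"
```

A DRIFT line means a Boolean is present but in a different state than the baseline expects; a MISSING line means the baseline names a Boolean that the getsebool output did not report.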