LinuxCommandLibrary

getsebool

Get SELinux boolean value

TLDR

Show the current setting of a boolean

$ getsebool [httpd_can_connect_ftp]

Show the current setting of [a]ll booleans

$ getsebool -a

Show the current setting of all booleans with explanations

$ sudo semanage boolean [[-l|--list]]

SYNOPSIS

getsebool [ -a ] [ boolean ... ]

PARAMETERS

-a
    This option displays the current state of all SELinux booleans known to the system. It's useful for getting a comprehensive overview of the active policy toggles.

boolean ...
    Specifies one or more SELinux boolean names whose states you wish to query. If no booleans are specified and the -a option is not used, getsebool will typically show an error or usage information.

DESCRIPTION

The getsebool command is a utility within the SELinux framework used to query the current runtime state of SELinux booleans. SELinux booleans are true/false values that dynamically modify parts of the SELinux policy without requiring a full policy reload. They allow administrators to enable or disable specific security features or permissions based on their operational needs. For example, a boolean might control whether Apache can serve content from user home directories or whether Samba can share NFS volumes. getsebool shows whether these policy toggles are currently enabled ("on") or disabled ("off"). It's a crucial tool for diagnosing SELinux-related access issues or verifying the application of security policies at runtime. Unlike commands that show persistent boolean states, getsebool reflects only the active state, which might have been changed temporarily since the last boot or policy reload.

CAVEATS

getsebool requires SELinux to be enabled and enforcing on the system to function correctly. If SELinux is disabled or in permissive mode, its output might not be meaningful or the command might not even run.
The command only reports the current runtime state of the booleans. This state may differ from the persistent state configured to apply on boot. To see the persistent state, refer to the semanage boolean -l command.
Appropriate permissions are needed to execute this command, although it's typically available to all users for read access.

WHAT IS AN SELINUX BOOLEAN?

An SELinux boolean is a binary switch (on/off) defined within the SELinux policy that allows administrators to dynamically enable or disable specific policy rules without recompiling and reloading the entire policy. This provides flexibility to adapt security policies to specific system configurations or application requirements at runtime.

RUNTIME VS. PERSISTENT STATE

When a boolean's state is changed with setsebool without the -P option, it's only changed for the current runtime session. This change is not saved across reboots. getsebool reflects this runtime state. To make changes persistent, the -P option with setsebool or tools like semanage boolean must be used.
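
The following is an added example, not part of the original page or of policycoreutils: a POSIX shell function that compares getsebool -a output with the Default column of semanage boolean -l and reports booleans whose runtime state differs from the persistent one. The sample outputs are constructed, and the names sebool_drift, sample_runtime, sample_persistent and demo are hypothetical.

```shell
#!/bin/sh
# Added example: list SELinux booleans whose runtime value differs from the
# persistent value that will apply after a reboot.

# Constructed sample in the format printed by `getsebool -a`.
sample_runtime() {
cat <<'EOF'
httpd_can_connect_ftp --> off
httpd_enable_homedirs --> on
samba_share_nfs --> off
EOF
}

# Constructed sample in the format printed by `semanage boolean -l`:
# name, then "(current , persistent default)", then a description.
sample_persistent() {
cat <<'EOF'
SELinux boolean                State  Default Description

httpd_can_connect_ftp          (off  ,  off)  Allow httpd to can connect ftp
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
samba_share_nfs                (off  ,  off)  Allow samba to share nfs
EOF
}

# sebool_drift RUNTIME_FILE PERSISTENT_FILE (hypothetical helper)
# Prints "name runtime=X persistent=Y" for every boolean where X != Y.
sebool_drift() {
  awk '
    # First file: "name --> on|off" lines from getsebool.
    FILENAME == ARGV[1] { if ($2 == "-->") runtime[$1] = $3; next }
    # Second file: rows carrying a "(state , default)" pair.
    match($0, /\([a-z]+ *, *[a-z]+\)/) {
      split(substr($0, RSTART + 1, RLENGTH - 2), s, / *, */)
      if (($1 in runtime) && runtime[$1] != s[2])
        printf "%s runtime=%s persistent=%s\n", $1, runtime[$1], s[2]
    }
  ' "$1" "$2"
}

# Demo on the constructed samples; on a live host, save the real command output.
demo() {
  tmp=$(mktemp -d) || return 1
  sample_runtime > "$tmp/runtime"
  sample_persistent > "$tmp/persistent"
  sebool_drift "$tmp/runtime" "$tmp/persistent"
  rm -rf "$tmp"
}
demo
```

A reported line typically means the boolean was changed with setsebool without -P, so the runtime value will not survive a reboot.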

HISTORY

The getsebool command is an integral part of the SELinux utilities, primarily included in the policycoreutils package. It has developed alongside SELinux itself, giving administrators a necessary tool for inspecting and managing dynamic policy adjustments. It has been a standard component of SELinux-enabled distributions for many years, reflecting its fundamental role in runtime policy inspection.

SEE ALSO

setsebool(8), semanage(8), sebool(8), selinux(8)
