getsebool
Get SELinux boolean value
TLDR
Show the current setting of a boolean
Show the current setting of [a]ll booleans
Show the current setting of all booleans with explanations
SYNOPSIS
getsebool [-a | --all] [boolean_name]
PARAMETERS
-a, --all
List all SELinux booleans with current values and defaults.
DESCRIPTION
getsebool is a command-line utility for querying the current status of SELinux booleans, which are runtime toggles in SELinux policy that enable or disable specific behaviors without recompiling the policy. SELinux booleans control features like allowing daemons to access networks or filesystems, providing granular security control.
Given a boolean name, getsebool shows its current value (on or off) and default state. The -a option lists all booleans, which is useful for auditing or getting an overview. Output format: boolean_name --> off (with the default in parentheses if different).
This tool helps with troubleshooting AVC denials, verifying configurations, and compliance checks. It reads kernel values via /sys/fs/selinux/booleans, can be run by any user without privileges, and is part of the selinux-policy or policycoreutils package. It is essential for SELinux admins on RHEL, Fedora, and derivatives.
CAVEATS
Shows runtime kernel values; changes made with setsebool without -P are reset on reboot. Requires SELinux to be enabled (check with getenforce).
OUTPUT EXAMPLE
getsebool httpd_can_network_connect
httpd_can_network_connect --> off (default off)
getsebool -a | grep ftp
ftp_home_dir --> on
ftpd_use_fusefs --> off (default on)
PERSISTENCE
Runtime changes are temporary; use setsebool -P for permanent storage in /etc/selinux/targeted/booleans.
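Because runtime values can differ from what was intended, the auditing use mentioned above can be scripted. The following is an added example, not part of getsebool or its documentation: it compares "name --> on|off" lines with a baseline file. The name=on|off baseline format, the function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# audit_sebools BASELINE: read `getsebool -a` style lines on stdin and compare
# them with a baseline file. Baseline format (an assumption of this example):
# one "name=on" or "name=off" per line, "#" starts a comment.
# Prints DRIFT/MISSING findings (sorted). Returns 0 if clean, 1 on findings,
# 2 if the baseline cannot be read (so a missing file never looks "clean").
audit_sebools() {
    [ -r "$1" ] || { echo "baseline not readable: $1" >&2; return 2; }
    audit_rc=0
    audit_out=$(awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line == "") continue
                split(line, kv, "="); want[kv[1]] = kv[2]
            }
        }
        # "name --> on|off"; any trailing text after the value is ignored.
        $2 == "-->" && ($3 == "on" || $3 == "off") { have[$1] = $3 }
        END {
            for (n in want) {
                if (!(n in have)) { print "MISSING " n " expected=" want[n]; bad = 1 }
                else if (have[n] != want[n]) { print "DRIFT " n " expected=" want[n] " actual=" have[n]; bad = 1 }
            }
            exit bad + 0
        }') || audit_rc=$?
    if [ -n "$audit_out" ]; then printf '%s\n' "$audit_out" | sort; fi
    return "$audit_rc"
}

# Constructed sample in the output format shown on this page (not real output).
sample_output() {
    cat <<'EOF'
httpd_can_network_connect --> off
ftp_home_dir --> on
ftpd_use_fusefs --> off (default on)
EOF
}

# Demo: the baseline contents are constructed for this example.
demo_audit() {
    demo_rc=0
    demo_base=$(mktemp) || return 2
    printf '%s\n' '# expected state' 'httpd_can_network_connect=off' \
        'ftp_home_dir=off' 'ftpd_full_access=off' > "$demo_base"
    sample_output | audit_sebools "$demo_base" || demo_rc=$?
    rm -f "$demo_base"
    return "$demo_rc"
}
demo_audit || true   # real use: getsebool -a | audit_sebools /path/to/baseline
```

On a live system, run it after boot as well as after changes, since a value set with setsebool without -P reverts on reboot.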
SEE ALSO
setsebool(8), semanage(8), sestatus(8), getenforce(8)


