LinuxCommandLibrary

semanage-boolean

Modify SELinux boolean values

TLDR

List all boolean settings

$ sudo semanage boolean [[-l|--list]]

List all user-defined boolean settings without headings
$ sudo semanage boolean [[-l|--list]] [[-C|--locallist]] [[-n|--noheading]]

Set or unset a boolean persistently
$ sudo semanage boolean [[-m|--modify]] [-1|--on|-0|--off] [haproxy_connect_any]

SYNOPSIS

semanage boolean { -l | -L | -m [ -P ] { --on | --off } <boolean_name> | -m [ -P ] <boolean_name>={on|off} | --query <boolean_name> }

PARAMETERS

-l, --list
    Lists all SELinux booleans and their current runtime state (on/off).

-L, --list-all
    Lists all SELinux booleans, their current runtime state, and their default persistent state (on/off).

-m, --modify
    Modifies the state or default state of a specified SELinux boolean. Requires a boolean name and a state (--on, --off, or =on/off).

--on
    Used with -m to set the boolean's state to on (true). Affects the current policy if not combined with -P.

--off
    Used with -m to set the boolean's state to off (false). Affects the current policy if not combined with -P.

-P, --persistent
    Makes the boolean state change persistent across system reboots. Without this option, changes are only temporary for the current session.

--query
    Displays the current runtime state of a specific SELinux boolean without modifying it.

boolean_name
    The name of the SELinux boolean to operate on. This is required for modify and query operations.

DESCRIPTION

The semanage boolean command is a subcommand of the semanage utility, designed to manage SELinux policy booleans. Booleans are essentially on/off switches embedded within the SELinux policy that allow administrators to modify the policy's behavior without needing to reload or recompile the entire policy. This provides great flexibility for adapting SELinux to specific system configurations or application requirements.

This command facilitates common tasks such as listing available booleans, querying their current state, and enabling or disabling them. Changes can be applied temporarily to the running kernel policy or made persistent across system reboots. It serves as a more user-friendly interface compared to the lower-level setsebool command, simplifying complex SELinux administration tasks. Properly utilizing booleans is crucial for fine-tuning SELinux security without resorting to disabling it entirely.

CAVEATS

Using semanage boolean requires root privileges.
Changes made without the -P (--persistent) option are only effective until the next system reboot.
Improperly setting booleans can lead to unexpected application behavior, security vulnerabilities, or even system instability. Always understand the implications of a boolean before modifying it.

RUNTIME VS. PERSISTENT CHANGES

When modifying a boolean, it's crucial to understand the difference between runtime and persistent changes. By default, semanage boolean -m only affects the currently loaded SELinux policy in the kernel. To make the change survive a system reboot, the -P or --persistent option must be used. This writes the new state into the SELinux policy configuration files, which are loaded during boot.
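A defender's check that follows from this distinction, written as an added example (not part of the original page or of the semanage project): parse the output of `semanage boolean -l` and report every boolean whose runtime state differs from its persistent default, since such a setting will silently revert at the next reboot. It assumes data lines have the form `name (state , default) description`, which is the layout on Fedora/RHEL; the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `semanage boolean -l` output (not from a real system).
SAMPLE_OUTPUT='SELinux boolean                State  Default Description

abrt_anon_write                (off  ,  off)  Allow ABRT to modify public files used for public file transfer services.
haproxy_connect_any            (on   ,  off)  Allow haproxy to connect any
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_anon_write               (off  ,   on)  Allow httpd to anon write'

# drift_report: read `semanage boolean -l` output on stdin and print
# "name runtime default" for each boolean whose runtime state differs
# from its persistent default. Returns 0 when nothing drifted, 1 otherwise.
drift_report() {
    awk '
        # Data lines: name (state , default) description -> $2 starts with "("
        $2 ~ /^\(/ {
            runtime = $2; sub(/^\(/, "", runtime)   # strip leading "("
            deflt = $4;   sub(/\)$/, "", deflt)     # strip trailing ")"
            if (runtime != deflt) { print $1, runtime, deflt; drifted = 1 }
        }
        END { exit drifted ? 1 : 0 }
    '
}

# On a live host replace the printf with: sudo semanage boolean -l | drift_report
printf '%s\n' "$SAMPLE_OUTPUT" | drift_report \
    || echo "drift detected: these runtime states will not survive a reboot"
```

A non-zero exit makes the function usable from a cron job or configuration-audit script that should fail when a temporary boolean change was never made persistent.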

UNDERSTANDING BOOLEAN NAMING

SELinux boolean names often follow a descriptive pattern, frequently starting with 'allow_' (e.g., allow_httpd_anon_write) or describing a specific feature or context (e.g., semanage_enable_account_auth). Reviewing the full list with semanage boolean -L, together with the boolean descriptions (where available, for example via `seinfo -b`), is recommended to understand their purpose before changing any of them.

HISTORY

The semanage utility, of which boolean is a subcommand, was developed as part of the broader SELinux project to provide a higher-level, more intuitive interface for managing SELinux policy components. Prior to semanage, administrators often had to use more granular and complex tools or direct file manipulations. semanage aimed to simplify tasks like managing file contexts, port contexts, and boolean states, abstracting away some of the underlying complexities and promoting best practices for SELinux administration. Its evolution parallels the increasing adoption and maturity of SELinux in enterprise Linux distributions.
