setsebool
Modify SELinux boolean values persistently
TLDR
Show the current setting of [a]ll booleans
Set or unset a boolean temporarily (non-persistent across reboot)
Set or unset a boolean [P]ersistently
Set or unset multiple booleans [P]ersistently at once
Set or unset a boolean persistently (alternative method using semanage-boolean)
SYNOPSIS
setsebool [-P] [-N] boolean {on | off}
setsebool [-P] [-N] boolean1=value1 [boolean2=value2 ...]
setsebool [-hV]
PARAMETERS
boolean
The name of the SELinux boolean to modify.
{on | off}
The desired state for the boolean: 'on' (true) or 'off' (false).
boolean=value
An alternative syntax for specifying a boolean and its value, particularly useful when setting multiple booleans at once (e.g., 'httpd_can_network_connect=on ftpd_full_access=off').
-P, --persistent
Makes the boolean change permanent across system reboots. Without this option, the change is only effective until the next reboot.
-N, --noninteractive
Disables interactive prompts and warnings, such as when a specified boolean does not exist.
-h, --help
Displays a brief help message and exits.
-V, --version
Displays version information and exits.
DESCRIPTION
setsebool is a command-line utility used to manage SELinux booleans.
SELinux booleans are true/false switches within the SELinux policy that allow administrators to enable or disable specific security behaviors without having to load an entirely new policy.
This provides flexibility in configuring SELinux to meet varying security requirements or application needs.
The setsebool command can set these booleans either temporarily (for the current runtime session) or persistently (so the setting survives system reboots).
It's an essential tool for fine-tuning SELinux enforcement for services and users, ensuring that applications have the necessary permissions while maintaining a secure posture.
CAVEATS
Requires root privileges to execute.
Changes made without the -P (--persistent) option are temporary and will revert to their default or last persistent state upon the next system reboot.
Care must be taken when setting booleans, as an incorrect setting might inadvertently weaken the system's security posture or interfere with legitimate application functionality.
Always verify the current state and intended effect of a boolean before making changes. Use commands like getsebool -a or semanage boolean -l to list available booleans and their descriptions.
LISTING AVAILABLE BOOLEANS
To view all available SELinux booleans and their current states, use the command:
getsebool -a
For more detailed descriptions of each boolean, you can use:
semanage boolean -l
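An added example (not part of the original page or of the SELinux tools): a shell function that reads a semanage boolean -l listing and reports every boolean whose runtime value differs from its persistent value, which is what a change made without -P looks like until the next reboot. The sample listing is constructed, the column layout (name, then "(current , persistent)", then description) is an assumption about semanage output, and sample_listing and find_drift are hypothetical names.

```shell
#!/bin/sh
# Added example: find SELinux booleans whose runtime value differs from the
# persistent one (a change made without -P, which the next reboot undoes).

# Constructed sample, not real system output. Assumed layout of
# `semanage boolean -l`: name, "(current , persistent)", description.
sample_listing() {
cat <<'EOF'
SELinux boolean                State  Default Description

ftpd_full_access               (off  ,  off)  Allow ftpd to full access
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_enable_homedirs          (off  ,   on)  Allow httpd to enable homedirs
EOF
}

# Reads a listing on stdin; prints "name current persistent" for each
# boolean whose two values differ. Header and blank lines never match.
find_drift() {
    awk '
        match($0, /\([ ]*(on|off)[ ]*,[ ]*(on|off)[ ]*\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)  # text inside the parens
            gsub(/[ ]/, "", pair)                       # "on   ,  off" -> "on,off"
            split(pair, v, ",")
            if (v[1] != v[2]) print $1, v[1], v[2]
        }'
}

# With --live, audit this host (needs semanage); otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    semanage boolean -l | find_drift
else
    sample_listing | find_drift
fi
```

Each boolean reported needs a decision: re-apply the runtime value with setsebool -P if it is intended, or set it back if it is not.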
COMMON USE CASES
Many SELinux booleans are named intuitively, indicating the service or functionality they control.
For example, to allow the Apache HTTP server to make network connections (e.g., to a backend database), you might use:
setsebool -P httpd_can_network_connect on
Another common use case is enabling FTP access for home directories:
setsebool -P ftpd_full_access on
HISTORY
The setsebool command is an integral part of the SELinux userspace utilities, which emerged from the SELinux project initially developed by the National Security Agency (NSA) and later adopted and integrated into mainstream Linux distributions like Fedora and Red Hat Enterprise Linux in the early 2000s.
Its development was driven by the need for a flexible mechanism to adjust SELinux policy behavior dynamically without requiring a full policy rebuild and reload.
Booleans provide fine-grained control over specific security features. setsebool has been a core utility for administrators to interact with these policy switches since their inception, facilitating easier management of complex SELinux environments.
SEE ALSO
getsebool(8), semanage(8), sepolicy(8), restorecon(8)