
10.4.5. Booleans

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.

10.4.5.1. Listing Booleans

For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as the Linux root user. The following example does not list all Booleans and the output is shortened for brevity:
~]# semanage boolean -l
SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Determine whether ftpd can read...
smartmon_3ware                 (off  ,  off)  Determine whether smartmon can...
mpd_enable_homedirs            (off  ,  off)  Determine whether mpd can traverse...
The SELinux boolean column lists Boolean names. The State and Default columns show whether each Boolean is on or off, and the Description column describes what it does.
In the following example, the ftp_home_dir Boolean is off, preventing the FTP daemon (vsftpd) from reading and writing to files in user home directories:
ftp_home_dir                   (off  ,  off)  Determine whether ftpd can read...
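
An added example, not part of the original guide: a shell function that reads semanage boolean -l output and reports each Boolean whose State differs from its Default, a quick way to audit which Booleans have been changed on a host. The function names and the sample listing are constructed for illustration, and the columns are read as they are labeled in the listing above.

```shell
#!/bin/sh
# Added example: audit `semanage boolean -l` output for Booleans whose
# State column differs from the Default column.

# Constructed sample in the format shown above (not captured from a real host).
sample_listing() {
cat <<'EOF'
SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Determine whether ftpd can read...
daemons_dump_core              (on   ,  off)  Constructed sample description
cvs_read_shadow                (off  ,   on)  Constructed sample description
EOF
}

# Reads a listing on stdin and prints "name state default" for every
# Boolean whose State and Default values are not the same.
booleans_changed() {
    awk '
        # Data rows carry a "(state , default)" pair; the header line and
        # blank lines do not match and are skipped.
        match($0, /\([ ]*(on|off)[ ]*,[ ]*(on|off)[ ]*\)/) {
            name = $1
            # Take the text between the parentheses and drop the padding.
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[ ]/, "", pair)
            split(pair, v, ",")
            if (v[1] != v[2]) print name, v[1], v[2]
        }
    '
}

# Demonstration on the constructed sample.
sample_listing | booleans_changed
```

On a live system, define the function and run semanage boolean -l | booleans_changed as the Linux root user.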
The getsebool -a command lists Booleans and whether they are on or off, but does not give a description of each one. The following example does not list all Booleans:
~]$ getsebool -a
cvs_read_shadow --> off
daemons_dump_core --> on
ftp_home_dir --> off
Run the getsebool boolean-name command to only list the status of the boolean-name Boolean:
~]$ getsebool cvs_read_shadow
cvs_read_shadow --> off
Use a space-separated list to list multiple Booleans:
~]$ getsebool cvs_read_shadow daemons_dump_core ftp_home_dir
cvs_read_shadow --> off
daemons_dump_core --> on
ftp_home_dir --> off