How to Enable or Disable SELinux Boolean Values

Security-Enhanced Linux (SELinux) is a security mechanism for mandatory access control (MAC) implemented in the Linux kernel. It is a flexible operation designed to boost overall system security: it enables access controls imposed using a policy loaded on the system which may not be changed by normal users or misbehaving programs.

The following article clearly explains about SELinux and how to implement it in your Linux system.

  1. Implementing Mandatory Access Control with SELinux or AppArmor in Linux

In this article, we will show you how to turn on or off SELinux boolean values in CentOS, RHEL and Fedora Linux distributions.

To view all SELinux booleans, use the getsebool command together with less command.

Note: SELinux must be in enabled state to list all booleans.

# getsebool -a | less
Check SELinux Boolean Values
Check SELinux Boolean Values

To view all boolean values for a specific program (or daemon), use the grep utility, the following command shows you all httpd booleans.

# getsebool -a | grep httpd
Check HTTP SELinux Boolean Values
Check HTTP SELinux Boolean Values

To turn on (1) or off (0) SELinux booleans, you can use setsebool program as described below.

Enable or Disable SELinux Boolean Values

If you have a web server installed on your system, you can permit HTTPD scripts to write files in directories labeled public_content_rw_t by enabling the allow_httpd_sys_script_anon_write boolean.

# getsebool allow_httpd_sys_script_anon_write 
# setsebool allow_httpd_sys_script_anon_write on
OR
# setsebool allow_httpd_sys_script_anon_write 1
SELinux Allow Write Access to HTTP Files
SELinux Allow Write Access to HTTP Files

Similarly, to disable or turn off above SELinux boolean value, run the following command.

# setsebool allow_httpd_sys_script_anon_write off
# setsebool allow_mount_anyfile off
OR
# setsebool allow_httpd_sys_script_anon_write  0
# setsebool allow_mount_anyfile  0

You can find the meaning of all the SELinux booleans at https://wiki.centos.org/TipsAndTricks/SelinuxBooleans

Don’t forget to read these following security related articles.

  1. How to Disable SELinux Temporarily or Permanently in RHEL/CentOS
  2. Mandatory Access Control Essentials with SELinux
  3. The Mega Guide to Hardening and Securing CentOS 7

In this article, we have explained how to enable or disable SELinux boolean values in CentOS, RHEL and Fedora distributions. If you have any questions, do ask via the comment from below.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

6 thoughts on “How to Enable or Disable SELinux Boolean Values”

  1. Hi, I cannot connect via ssh to my machine after enabling SELinux to enforce mode.

    I have tried the touch /.autorelabel but no luck.

    In getsebool – all the booleans are on…

    Please help me here.

    Reply
  2. Hi,

    I set setsebool httpd_can_network_connect on and httpd_can_network_connect_db on. But after reboot, the setting rolls back to off.

    is there an argument to permanently set setsebool.

    Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.