Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the Linux kernel. It is a flexible mechanism designed to improve overall system security: it enforces access controls defined by a policy loaded on the system, which may not be changed by normal users or misbehaving programs.
The following article explains SELinux and how to implement it on your Linux system.
In this article, we will show you how to turn on or off SELinux boolean values in CentOS, RHEL and Fedora Linux distributions.
To view all SELinux booleans, use the getsebool command together with the less command.
Note: SELinux must be enabled to list all booleans.
# getsebool -a | less
To view all boolean values for a specific program (or daemon), use the grep utility. The following command shows all httpd booleans.
# getsebool -a | grep httpd
To turn on (1) or off (0) SELinux booleans, you can use the setsebool program as described below.
Enable or Disable SELinux Boolean Values
If you have a web server installed on your system, you can permit HTTPD scripts to write files in directories labeled public_content_rw_t by enabling the allow_httpd_sys_script_anon_write boolean.
# getsebool allow_httpd_sys_script_anon_write
# setsebool allow_httpd_sys_script_anon_write on
OR
# setsebool allow_httpd_sys_script_anon_write 1
Similarly, to turn off the above SELinux boolean value, run the following commands.
# setsebool allow_httpd_sys_script_anon_write off
# setsebool allow_mount_anyfile off
OR
# setsebool allow_httpd_sys_script_anon_write 0
# setsebool allow_mount_anyfile 0
You can find the meaning of all the SELinux booleans at https://wiki.centos.org/TipsAndTricks/SelinuxBooleans
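A value set with setsebool and no -P option applies to the running system only and reverts at the next reboot. The script below is an added example, not part of the original article: it parses the "name (current , default)" listing printed by `semanage boolean -l` and reports booleans whose running value differs from the persistent one. The sample input is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find SELinux booleans whose running value differs from the
# persistent (policy store) value, e.g. set with setsebool but without -P.

# Constructed sample in the layout printed by `semanage boolean -l`:
#   name   (current , default)   description
sample_semanage_output() {
cat <<'EOF'
SELinux boolean                State  Default Description

httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_can_network_connect_db   (on   ,   on)  Allow httpd to can network connect db
httpd_enable_cgi               (off  ,   on)  Allow httpd to enable cgi
allow_mount_anyfile            (off  ,  off)  Allow mount to mount any file
EOF
}

# Reads `semanage boolean -l` text on stdin and prints "name current default"
# for every boolean that will change value at the next reboot.
boolean_drift() {
    awk '
        # Data rows contain "(state , default)"; header and blank lines do not.
        match($0, /\([ \t]*(on|off)[ \t]*,[ \t]*(on|off)[ \t]*\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[ \t]/, "", pair)
            split(pair, v, ",")
            if (v[1] != v[2]) print $1, v[1], v[2]
        }'
}

# For drifted values that have been reviewed and should be kept, print the
# setsebool -P command that makes the running value persistent.
persist_commands() {
    boolean_drift | while read -r name current _; do
        printf 'setsebool -P %s %s\n' "$name" "$current"
    done
}

# Demo on the constructed sample; on a live system use:
#   semanage boolean -l | boolean_drift
sample_semanage_output | boolean_drift
```

A boolean that shows up here was either changed at runtime without being persisted, or persisted without being applied; both are worth reviewing before the next reboot changes the system's behavior.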
Don’t forget to read the following security-related articles.
- How to Disable SELinux Temporarily or Permanently in RHEL/CentOS
- Mandatory Access Control Essentials with SELinux
- The Mega Guide to Hardening and Securing CentOS 7
In this article, we have explained how to enable or disable SELinux boolean values in CentOS, RHEL and Fedora distributions. If you have any questions, ask via the comment form below.
6 thoughts on “How to Enable or Disable SELinux Boolean Values”
Hi, I cannot connect via ssh to my machine after enabling SELinux to enforce mode.
I have tried the touch /.autorelabel but no luck.
In getsebool – all the booleans are on…
Please help me here.
I set setsebool httpd_can_network_connect on and httpd_can_network_connect_db on. But after reboot, the setting rolls back to off.
Is there an argument to permanently set setsebool?
"-P" switch for persistent/permanent change. Like,
setsebool -P httpd_can_network_connect on.
Thanks a lot. Now I'm out of the issue.
What is the risk if we set httpd can network connect to on?
If you set the correct SELinux boolean value on HTTPD, then there are no issues at all.