How to Enable or Disable SELinux Boolean Values

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the Linux kernel. It is a flexible mechanism designed to boost overall system security: it enforces access controls defined by a policy loaded on the system, which normal users or misbehaving programs cannot change.

The following article explains SELinux and how to implement it on your Linux system.

  1. Implementing Mandatory Access Control with SELinux or AppArmor in Linux

In this article, we will show you how to turn on or off SELinux boolean values in CentOS, RHEL and Fedora Linux distributions.

To view all SELinux booleans, use the getsebool command together with the less command.

Note: SELinux must be enabled to list all booleans.

# getsebool -a | less

Check SELinux Boolean Values

To view all boolean values for a specific program (or daemon), filter the output with the grep utility. The following command shows all httpd booleans.

# getsebool -a | grep httpd

Check HTTP SELinux Boolean Values

To turn SELinux booleans on (1) or off (0), use the setsebool program as described below.

Enable or Disable SELinux Boolean Values

If you have a web server installed on your system, you can permit HTTPD scripts to write files in directories labeled public_content_rw_t by enabling the allow_httpd_sys_script_anon_write boolean.

# getsebool allow_httpd_sys_script_anon_write
# setsebool allow_httpd_sys_script_anon_write on
OR
# setsebool allow_httpd_sys_script_anon_write 1

SELinux Allow Write Access to HTTP Files

Similarly, to disable or turn off the above SELinux boolean value, run the following commands.

# setsebool allow_httpd_sys_script_anon_write off
# setsebool allow_mount_anyfile off
OR
# setsebool allow_httpd_sys_script_anon_write 0
# setsebool allow_mount_anyfile 0

You can find the meaning of all the SELinux booleans at https://wiki.centos.org/TipsAndTricks/SelinuxBooleans
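
An added example (not from the original article): a small shell function that compares `getsebool -a` style output with a desired baseline and prints the setsebool commands needed to bring the host back in line. It emits `setsebool -P`, the flag that writes the value to the policy on disk so it survives a reboot; the sample state, the baseline and the function name boolean_drift are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux booleans against a desired baseline.
# State lines use the format printed by `getsebool -a`: "<name> --> on|off".

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_STATE='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
allow_httpd_sys_script_anon_write --> on
allow_mount_anyfile --> off'

# Constructed baseline, one "<name> <on|off>" per line.
# example_missing_boolean is a made-up name that is absent from the state.
BASELINE='httpd_can_network_connect off
httpd_can_network_connect_db off
allow_httpd_sys_script_anon_write off
allow_mount_anyfile off
example_missing_boolean off'

# boolean_drift STATE BASELINE
# Prints one "setsebool -P" command for every boolean whose current value
# differs from the baseline, and a comment line for every baseline entry
# that does not appear in STATE (renamed or not part of the loaded policy).
boolean_drift() {
    { printf '%s\n' "$1"; echo '=='; printf '%s\n' "$2"; } | awk '
        $0 == "=="            { in_baseline = 1; next }   # separator line
        !in_baseline          { if ($2 == "-->") cur[$1] = $3; next }
        NF == 2 {
            if (!($1 in cur))       printf "# %s: not present in policy\n", $1
            else if (cur[$1] != $2) printf "setsebool -P %s %s\n", $1, $2
        }
    '
}

# Demo on the constructed sample. On a real host, pass "$(getsebool -a)"
# as the first argument and review the output before running any of it.
boolean_drift "$SAMPLE_STATE" "$BASELINE"
```

Booleans that already match the baseline produce no output, so an empty result means no drift.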

Don’t forget to read the following security-related articles.

  1. How to Disable SELinux Temporarily or Permanently in RHEL/CentOS
  2. Mandatory Access Control Essentials with SELinux
  3. The Mega Guide to Hardening and Securing CentOS 7

In this article, we have explained how to enable or disable SELinux boolean values in CentOS, RHEL and Fedora distributions. If you have any questions, ask via the comment form below.


Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.


5 Responses

  1. Manoj says:

    Hi,

    I set setsebool httpd_can_network_connect on and httpd_can_network_connect_db on. But after reboot, the setting rolls back to off.

    Is there an argument to permanently set setsebool?

  2. JK says:

    What is the risk if we set httpd can network connect to on?
