Customizing SELinux Policies

This task shows you how to customize an SELinux policy by turning features on or off using Boolean values. Any changes that you make are effective immediately.

  • To display the Boolean values and their descriptions, use the following command:

    sudo semanage boolean -l
    SELinux boolean                State  Default Description
    
    abrt_anon_write                (off  ,  off)  Allow abrt to anon write
    abrt_handle_event              (on   ,   on)  Allow abrt to handle event
    abrt_upload_watch_anon_write   (on   ,   on)  Allow abrt to upload watch anon write
    auditadm_exec_content          (on   ,   on)  Allow auditadm to exec content
    ...

  • You can use the getsebool and setsebool commands to display and set the value of a specific Boolean.

    getsebool boolean
    sudo setsebool boolean on|off

    The following example shows how to display and set the value of the abrt_anon_write Boolean:

    getsebool abrt_anon_write
    abrt_anon_write --> off
    sudo setsebool abrt_anon_write on
    getsebool abrt_anon_write
    abrt_anon_write --> on

  • To persist the new Boolean value across reboots, specify the -P option to setsebool, for example:

    sudo setsebool -P abrt_anon_write on
    getsebool abrt_anon_write
    abrt_anon_write --> on
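
The following script is an added example, not part of the original task. It reads a listing in the format that semanage boolean -l prints and reports each Boolean that was changed with setsebool but not persisted with -P. It assumes that the first value in parentheses (State) is the running value and the second (Default) is the stored value. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find SELinux Booleans whose running value differs from the
# stored value, that is, changes made with setsebool but without -P.
# Assumption: in `semanage boolean -l` output the first value in parentheses
# (State) is the running value and the second (Default) is the stored one.

# Constructed sample in the layout shown on this page; not real system output.
sample_listing() {
cat <<'EOF'
SELinux boolean                State  Default Description

abrt_anon_write                (on   ,  off)  Allow abrt to anon write
abrt_handle_event              (on   ,   on)  Allow abrt to handle event
abrt_upload_watch_anon_write   (off  ,   on)  Allow abrt to upload watch anon write
auditadm_exec_content          (on   ,   on)  Allow auditadm to exec content
EOF
}

# Reads a Boolean listing on stdin and prints "name running=X stored=Y" for
# each Boolean that would change value at the next reboot. The header, blank
# lines and any line that does not match the listing format are ignored.
unpersisted_booleans() {
    sed -n -E 's/^([A-Za-z0-9_]+)[[:space:]]+\((on|off)[[:space:]]*,[[:space:]]*(on|off)\).*$/\1 \2 \3/p' |
        awk '$2 != $3 { printf "%s running=%s stored=%s\n", $1, $2, $3 }'
}

# Prints (does not run) the setsebool -P command that would make each running
# value permanent. Review every line first: the correct fix may instead be to
# set the Boolean back to its stored value.
persist_commands() {
    unpersisted_booleans | while read -r name running stored; do
        printf 'sudo setsebool -P %s %s\n' "$name" "${running#running=}"
    done
}

# On a live system: sudo semanage boolean -l | unpersisted_booleans
# The constructed sample is used here so that the script runs anywhere.
sample_listing | unpersisted_booleans
```
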