# Use boolean settings to modify system SELinux settings

Security Enhanced Linux (SELinux) is a form of Mandatory Access Control
(MAC) that helps Linux systems enforce file and process permissions. It's
a default subsystem on RHEL, CentOS, Fedora, and many other Linux
distributions. SELinux is built around the concept of security *labels*
and *types*. A process running in one type can access a file labeled
with another type only if the loaded policy contains a rule that allows
that access; otherwise the access is denied, even if the file's
permissions on disk are as permissive as 777. SELinux is consulted only
after the normal discretionary permission check, so it can further
restrict access but never grant access that the file permissions deny.
SELinux uses *policies* to decide which labels and types may interact
with one another. For instance, if your system has the default policy
that disallows the HTTP daemon from reading users' home directories,
then user home directories are essentially untouchable by httpd even if
its config file says otherwise. Considerable work has gone into the
SELinux policy by the time you install a system, but you can toggle
specific, predefined policy decisions through SELinux booleans without
writing any policy yourself.

## List booleans with semanage

The `semanage` command is an SELinux policy management tool. One of its
uses is to view the available booleans, their current state, and their
default:

    $ sudo semanage boolean --list | head
    SELinux boolean                State  Default
    abrt_anon_write                (off  ,  off)
    abrt_handle_event              (off  ,  off)
    abrt_upload_watch_anon_write   (on   ,   on)
    antivirus_can_scan_system      (off  ,  off)
    antivirus_use_jit              (off  ,  off)
    auditadm_exec_content          (on   ,   on)
    authlogin_nsswitch_use_ldap    (off  ,  off)
    authlogin_radius               (off  ,  off)
    [...]

If you've changed any booleans on this system, you can view just your
local modifications with the `--locallist` or `-C` option:

    $ sudo semanage boolean -l -C
    SELinux boolean                State  Default
    virt_sandbox_use_all_caps      (on   ,   on)
    virt_use_nfs                   (on   ,   on)
    zebra_write_config             (on   ,   on)

## When to use a boolean

The most common way to find out that a boolean governs the interaction
you're trying to allow is through SELinux Troubleshooter (the
setroubleshoot package). When SELinux denies an access, it records an
AVC (Access Vector Cache) denial in the audit log. The troubleshooter
app spawns a desktop notification any time there's an AVC denial so you
can review the decision and override or report it as appropriate.

That's the main way you're alerted to SELinux activity, and often it's
the way you solve an issue for good.

![SELinux Troubleshooter](selinux-troubleshooter.png)

In the example of an NGINX web server attempting to access a home
directory (NGINX runs in the same `httpd_t` domain as Apache, so the
`httpd_*` booleans apply to it), SELinux Troubleshooter suggests that
you enable the `httpd_enable_homedirs` boolean. It even gives you the
command to run.

Should SELinux Troubleshooter fail to notify you about a denial, or if
you don't have it installed, you can still look through the available
booleans and find the one that makes sense to activate or deactivate.
Most booleans are named for clarity. If you're diagnosing an error with
NFS, for instance, list the booleans, grep for "nfs", and you'll likely
find the one you're looking for.

## Set a boolean with semanage or setsebool

To modify an SELinux boolean with `semanage`, use the `--modify` option
along with either `--on` or `--off`. For instance, here's how to enable
the `httpd_enable_homedirs` boolean:

    $ sudo semanage boolean --modify --on httpd_enable_homedirs

Because `semanage` writes the new value into the SELinux policy store,
the change persists across reboots.

If you prefer, you can use `setsebool`, which arguably has simpler
syntax:

    $ sudo setsebool -P httpd_enable_homedirs 1

The `setsebool` command is a tool for quickly and easily setting SELinux
booleans. The `1` (or `on`) makes the boolean *true*, and the `-P` option
makes your decision persistent across reboots. Without `-P`, the change
applies only to the running kernel and is lost at the next boot, which
is a common reason a "fixed" denial comes back after a restart. You can
confirm the current value with `getsebool httpd_enable_homedirs`.

## SELinux booleans in the file system

Each SELinux boolean is also exposed as a file in the
`/sys/fs/selinux/booleans` directory, which is the kernel's selinuxfs
interface that the tools above talk to. Each file holds two numbers: the
value currently in effect and the pending value that will take effect at
the next commit (normally the two match).

    $ cat /sys/fs/selinux/booleans/httpd_use_nfs
    0 0
    $ cat /sys/fs/selinux/booleans/httpd_enable_homedirs
    1 1
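The following POSIX shell script is an added example, not code from the original article: it performs the checks a practitioner usually wants after the sections above. It greps a `semanage boolean -l` style listing for a keyword (the "grep for nfs" step), flags booleans whose running State differs from their stored Default (what a `setsebool` run without `-P` leaves behind; State is read here as the active value and Default as the value in the policy store), and decodes the two-number format of the `/sys/fs/selinux/booleans` files. The listing and the `"1 0"` value it parses are constructed sample data embedded in the script so it runs on a machine without SELinux; on a real host, pipe in the real `semanage` output as the comments show.

```shell
#!/bin/sh
# Added example: audit SELinux booleans from a `semanage boolean -l` listing
# and decode /sys/fs/selinux/booleans entries. The constructed sample data
# below stands in for real command output so the script runs without SELinux.

# Constructed sample in the format of `sudo semanage boolean -l`.
# Assumption: State is the running value, Default the value in the policy store.
SAMPLE_LISTING='SELinux boolean                State  Default
httpd_enable_homedirs          (on   ,  off)
httpd_use_nfs                  (off  ,  off)
virt_use_nfs                   (on   ,   on)
nfs_export_all_rw              (off  ,   on)
[...]'

# parse_listing: read a semanage-style listing on stdin and emit one
# "name state default" line per boolean, dropping the header and any
# "[...]" truncation marker.
parse_listing() {
    awk '
        substr($2, 1, 1) != "(" { next }      # not a "name (state , default)" row
        {
            vals = $0
            sub(/^[^(]*\(/, "", vals)          # drop everything through the "("
            sub(/\).*$/, "", vals)             # drop the ")" and any description
            gsub(/[ ,]+/, " ", vals)           # "on   ,  off" -> "on off"
            split(vals, v, " ")
            print $1, v[1], v[2]
        }'
}

# find_booleans KEYWORD: the "grep for nfs" step, case-insensitive, on stdin.
find_booleans() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parse_listing | awk -v kw="$kw" 'index(tolower($1), kw)'
}

# unsaved_booleans: booleans whose running value differs from the stored one,
# typically the result of `setsebool` without -P; they revert at reboot.
unsaved_booleans() {
    parse_listing | awk '$2 != $3'
}

# on_off 1|0 -> on|off
on_off() {
    if [ "$1" = 1 ]; then echo on; else echo off; fi
}

# describe_sysfs_boolean "CURRENT PENDING": decode the two numbers in a
# /sys/fs/selinux/booleans/<name> file. The first is the value in effect,
# the second the value queued for the next commit; they normally match.
describe_sysfs_boolean() {
    set -- $1                      # split "1 0" into current and pending
    cur=$(on_off "$1")
    pend=$(on_off "$2")
    if [ "$cur" = "$pend" ]; then
        printf '%s\n' "$cur"
    else
        printf '%s (pending: %s)\n' "$cur" "$pend"
    fi
}

# Demo on the constructed sample. On a real host use, for example:
#   sudo semanage boolean -l | find_booleans nfs
#   sudo semanage boolean -l | unsaved_booleans
#   describe_sysfs_boolean "$(cat /sys/fs/selinux/booleans/httpd_enable_homedirs)"
echo "booleans matching 'nfs':"
printf '%s\n' "$SAMPLE_LISTING" | find_booleans nfs
echo "running value differs from stored value (reverts at reboot):"
printf '%s\n' "$SAMPLE_LISTING" | unsaved_booleans
echo "sysfs '1 0' means: $(describe_sysfs_boolean '1 0')"
```

On the sample, `find_booleans nfs` returns the three `nfs` booleans with their state and default, and `unsaved_booleans` reports `httpd_enable_homedirs` and `nfs_export_all_rw`, the two rows where the running value and the stored value disagree. Running `unsaved_booleans` against real `semanage` output before a reboot is a quick way to catch a boolean that was set without `-P`.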

## SELinux booleans

SELinux booleans let you control specific, predefined aspects of the
SELinux policy without writing policy yourself. Change them thoughtfully,
and only once you understand why you want to override them: most booleans,
when enabled, widen what a confined process may do, and the policy's
defaults exist for good reason. You have control over them because you're
the expert on your own system. Using `semanage`, `setsebool`, and SELinux
Troubleshooter, you can make intelligent and quick decisions about which
files and processes are allowed to interact.