Manipulating SELinux policies
One of the methods for manipulating SELinux policies is by toggling SELinux Booleans.
An SELinux Boolean is a flag that, when enabled or disabled, changes the active SELinux rules in the policy. Booleans are used by policy writers to make conditional rules which can then be triggered by administrators to enable or disable additional access controls.
For instance, a Boolean called httpd_can_sendmail enables additional SELinux rules to allow web servers to send mail. The web servers are then allowed to execute sendmail-like applications or connect to SMTP and POP ports. If the Boolean is disabled, the web server does not have these privileges.
Overview of SELinux Booleans
An overview of SELinux Booleans can be obtained using the semanage command with the boolean option. On a regular system, we can easily find over a hundred SELinux Booleans, so it is necessary to filter out the description of the Boolean we need:

# semanage boolean -l | grep httpd_can_sendmail
httpd_can_sendmail...
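As an added example that is not from the book, the following POSIX shell script parses the `semanage boolean -l` listing shown above and audits a set of Booleans against the states an administrator expects (for instance, that httpd_can_sendmail stays off on a server that must not relay mail). It assumes the listing format `name (current , default) description` printed by semanage on Fedora and RHEL derivatives; the listing embedded below is a constructed sample so the script runs on a host without SELinux tooling.

```shell
#!/bin/sh
# Constructed sample of `semanage boolean -l` output, in the
# "name (current , default) description" format. On a real system
# pass "$(semanage boolean -l)" instead of this sample.
SAMPLE_LISTING='SELinux boolean                State  Default Description
abrt_anon_write                (off  ,  off)  Allow ABRT to modify public files used for public file transfer services.
httpd_can_network_connect      (on   ,  off)  Allow httpd to connect to the network
httpd_can_sendmail             (off  ,  off)  Allow httpd to send mail
samba_enable_home_dirs         (off  ,  off)  Allow samba to enable home dirs'

# boolean_state LISTING NAME
# Prints "<current> <default>" (for example "off off") for NAME.
# Exits 1 if the Boolean does not exist in the listing.
boolean_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name {
            # Fields: $2 is "(off" or "(on", $3 is ",", $4 is "off)" or "on)"
            cur = $2; sub(/^\(/, "", cur)
            def = $4; sub(/\)$/, "", def)
            print cur, def
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# audit_booleans LISTING NAME=EXPECTED [NAME=EXPECTED ...]
# Prints one line per Boolean whose current state differs from EXPECTED
# (or which is missing from the policy). Returns the number of deviations,
# so 0 means the policy matches the baseline.
audit_booleans() {
    listing=$1; shift
    drift=0
    for spec in "$@"; do
        name=${spec%%=*}
        want=${spec#*=}
        if state=$(boolean_state "$listing" "$name"); then
            cur=${state%% *}
            if [ "$cur" != "$want" ]; then
                echo "$name: current=$cur expected=$want"
                drift=$((drift + 1))
            fi
        else
            echo "$name: not present in the loaded policy"
            drift=$((drift + 1))
        fi
    done
    return $drift
}
```

Running `audit_booleans "$SAMPLE_LISTING" httpd_can_sendmail=off httpd_can_network_connect=off` reports the network-connect Boolean as drifted, because the sample shows it switched on while its policy default is off.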