Differentiating policies based on use cases
As services mature, they often gain more features, which might not always be necessary. For instance, daemons that are able to optionally connect to various network resources depending on their configuration should not be allowed by the SELinux policy to always connect to various network resources.
To govern these features, SELinux policy developers include Booleans to selectively toggle policies based on the administrator's requirements.
How to do it…
Booleans allow policy developers to create policy rules that only participate in access control when the administrator has elected to use them. For services in particular, this is often used to optionally allow privileges based on the use case of the service and is implemented as follows:
Identify the policy blocks that should be marked as optional, depending on the configuration. For instance, this could be a set of policy rules that allow PostgreSQL to connect to other PostgreSQL databases:
corenet_tcp_connect_postgresql_port...