SELinux booleans.
Before you write a custom SELinux policy, check if there's already a switch for it. Booleans are named on/off toggles that enable or disable whole pre-written chunks of policy (like "let Apache talk to the network") at runtime, no recompile needed.
SELinux booleans animated tutorial. Runtime policy switches, getsebool, setsebool, persistent changes with -P, semanage boolean -l, common booleans like httpd_can_network_connect, and the denial-troubleshooting workflow. RHCSA EX200 ready.

SELinux ships with rules for hundreds of common situations, turned off by default. A boolean is the switch that turns one of those rule sets on; no custom policy required.
- The SELinux contexts lesson (what type enforcement is)
- Comfortable running commands as root / with sudo
- Know that SELinux can block a working-looking service
Read a boolean's state, flip it persistently with setsebool -P, discover the right boolean for a service, and use audit2why to find which one a denial needs.
pace: 8 minutes
- httpd_can_network_connect: off
- httpd_enable_homedirs: off
- ftpd_anon_write: off
- nfs_export_all_rw: off
- samba_enable_home_dirs: off

A boolean is a switch over pre-written policy
The SELinux policy that ships with RHEL already contains rules for hundreds of common situations; they're just turned OFF by default for safety. A boolean is a named on/off switch that flips one of those rule sets on or off at runtime, no policy recompile, no custom modules. Before writing any custom policy, always ask: is there already a boolean for this?
The SELinux fix hierarchy: boolean first, then label, then custom module. Most "SELinux is blocking my service" problems are solved by a single setsebool -P. And never forget the -P: a runtime-only flip is a time bomb that detonates at the next reboot.
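The -P warning is something you can check for: `semanage boolean -l` prints each boolean as `(State , Default)`, the runtime value beside the persistent one, so any row where the two differ is a flip that will revert at reboot. The script below is an added example, not part of the tutorial; it runs a POSIX shell/awk parser over a constructed sample of that output (the states in the sample are invented, not from a real host) and prints the setsebool -P command that would persist each drifted boolean.

```shell
#!/bin/sh
# Constructed sample of `semanage boolean -l` output (invented states, not a real host).
# Columns: name (current-state , persistent-default) description
SAMPLE_SEMANAGE_OUTPUT='SELinux boolean                State  Default Description
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
ftpd_anon_write                (off  ,   on)  Allow ftpd to anon write
samba_enable_home_dirs         (off  ,  off)  Allow samba to enable home dirs'

# List booleans whose runtime state differs from the persistent default,
# one per line as "name current default". These are the setsebool-without-P
# flips that silently revert at the next reboot.
find_unpersisted() {
    printf '%s\n' "$1" | awk '
        /^SELinux boolean/ { next }              # skip the header row
        {
            # grab the "(cur , def)" pair whatever the internal spacing is
            if (match($0, /\([^)]*\)/)) {
                pair = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/[ \t]/, "", pair)          # "on   ,  off" -> "on,off"
                split(pair, st, ",")
                if (st[1] != st[2]) print $1, st[1], st[2]
            }
        }'
}

# Build the command that makes one runtime flip permanent.
persist_cmd() {
    # $1 = boolean name, $2 = desired state (on/off)
    printf 'setsebool -P %s %s\n' "$1" "$2"
}

# For every drifted boolean, emit the setsebool -P line that would persist
# its *current* runtime state (the value the admin evidently wanted).
persist_all() {
    find_unpersisted "$1" | while read -r name cur def; do
        persist_cmd "$name" "$cur"
    done
}
```

Run `persist_all "$(semanage boolean -l)"` on a real host to review the commands before executing any of them.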
$ getsebool BOOL
$ getsebool -a
$ getsebool -a | grep httpd
$ setsebool BOOL on
$ setsebool -P BOOL on
$ semanage boolean -l
$ semanage boolean -l -C
$ ausearch -m AVC -ts recent
$ audit2why -al

Common booleans: httpd_can_network_connect, httpd_enable_homedirs, httpd_can_sendmail, ftpd_anon_write, nfs_export_all_rw, samba_enable_home_dirs, ssh_sysadm_login

Apache (httpd) needs to connect to a database on another server, but SELinux is blocking it. What should you try FIRST?
You run `setsebool httpd_can_network_connect on` (no -P) and it works. Three weeks later after a reboot, Apache breaks again. Why?
Which command shows every boolean WITH its current state, default state, and a description?
What's the advantage of a boolean over writing a custom SELinux policy module?
These aren't graded; they're just for active recall, which is what actually makes the lesson stick.
SELinux contexts
Booleans toggle policy; contexts (labels) decide what can touch what. When a boolean isn't the fix, a wrong file label usually is, so learn to read and restore them.
Keep going: these pair well with what you just learned.
How SSH key auth works
The six-step handshake: key offer, challenge, signature, verification, channel open. Watch an animated client/server diagram light up each arrow.
TLS handshake, deep
Open every TLS 1.3 message β ClientHello, ServerHello, Certificate, CertificateVerify, Finished. Cipher suites, HKDF key derivation, SNI, ALPN, and why TLS 1.3 has built-in perfect forward secrecy.