Question Regarding "semanage boolean": #418

Closed
mzamenski-devel opened this issue Feb 4, 2024 · 5 comments
Comments

@mzamenski-devel
mzamenski-devel commented Feb 4, 2024

Hello, I am a person who wants to dig deeper into SELinux policies. I notice semanage booleans are policies that can be enabled/disabled, if I'm right. My question is: where are these policies even stored on a typical Linux system?
I was going to run a virtual machine and tinker with these policies, but I cannot find the policies in an easy way.
@Firstyear and I were discussing this on some discord server. Thank you!

@bachradsusi
Member

SELinux notebook - https://github.com/SELinuxProject/selinux-notebook/ - chapter SELinux Configuration Files

@mzamenski-devel
Author

Thank you. I will close this.

@Firstyear

I'm not sure that this issue should be closed - the typical administrator or user won't know to find this notebook from their system.

While it's nice to solve one person's question with this answer, the question itself points to a broader user interaction issue: that semanage boolean does not adequately or properly communicate what each boolean does to a user, and a user can't find what those booleans do on their own system in isolation.

I don't think it's reasonable to expect every user to somehow search down this thread or something obscure on a mailing list.

What this issue is showing is that there is a need to improve semanage boolean to communicate better about what a boolean will affect on a system, and that those communications must be localised into the semanage boolean tool itself.

@mzamenski-devel
Author

> I'm not sure that this issue should be closed - the typical administrator or user won't know to find this notebook from their system.
>
> While it's nice to solve one person's question with this answer, the question itself points to a broader user interaction issue: that semanage boolean does not adequately or properly communicate what each boolean does to a user, and a user can't find what those booleans do on their own system in isolation.
>
> I don't think it's reasonable to expect every user to somehow search down this thread or something obscure on a mailing list.
>
> What this issue is showing is that there is a need to improve semanage boolean to communicate better about what a boolean will affect on a system, and that those communications must be localised into the semanage boolean tool itself.

Alright, I shall re-open it. My bad.

@bachradsusi
Member

> What this issue is showing is that there is a need to improve semanage boolean to communicate better about what a boolean will affect on a system, and that those communications must be localised into the semanage boolean tool itself.

There's semanage boolean -l, which lists available SELinux booleans, their current state and their description. The description is taken from /usr/share/selinux/devel/policy.xml, and if the file does not exist, the description is generated from the boolean name, see https://github.com/SELinuxProject/selinux/blob/main/python/sepolicy/sepolicy/__init__.py#L1233

/usr/share/selinux/devel/policy.xml is generated from SELinux policy source files by https://github.com/SELinuxProject/refpolicy/blob/main/support/sedoctool.py

On Fedora, /usr/share/selinux/devel/policy.xml is provided by the selinux-policy-devel package.

Example:

```
[root@default-0 tree]# semanage boolean -l | grep selinuxuser_rw_noexattrfile
selinuxuser_rw_noexattrfile    (on   ,   on)  Allow selinuxuser to rw noexattrfile

[root@default-0 tree]# dnf install selinux-policy-devel
...

[root@default-0 tree]# semanage boolean -l | grep selinuxuser_rw_noexattrfile
selinuxuser_rw_noexattrfile    (on   ,   on)  Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
```

If you find policy booleans descriptions insufficient, please report your issue to your SELinux policy provider.
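The two-step lookup described above (take the description from policy.xml, otherwise build one from the boolean name), as an added example that is not sepolicy's own code; the policy.xml fragment is constructed sample data, and the layer/module/tunable layout with a nested <desc> is an assumption about what sedoctool emits.

```python
import xml.etree.ElementTree as ET

# Constructed policy.xml fragment (sample data for this example, not a real file);
# the <layer>/<module>/<tunable>/<desc> nesting is assumed from sedoctool's output.
SAMPLE_POLICY_XML = """<?xml version="1.0"?>
<policy>
  <layer name="system">
    <module name="userdomain">
      <tunable name="selinuxuser_rw_noexattrfile" dftval="true">
        <desc><p>Allow user to r/w files on filesystems that do not have
        extended attributes (FAT, CDROM, FLOPPY)</p></desc>
      </tunable>
    </module>
  </layer>
</policy>
"""


def load_boolean_descriptions(xml_text):
    """Map boolean name -> (default enabled?, description) from policy.xml text."""
    root = ET.fromstring(xml_text)
    descs = {}
    # Both <tunable> and <bool> entries carry a name, a default and a <desc>.
    for tag in ("tunable", "bool"):
        for node in root.iter(tag):
            name = node.get("name")
            default_on = node.get("dftval", "false") == "true"
            desc = node.find("desc")
            # Collapse the XML's line breaks and indentation into single spaces.
            words = " ".join(desc.itertext()).split() if desc is not None else []
            descs[name] = (default_on, " ".join(words))
    return descs


def generated_description(boolean):
    """Fallback when policy.xml is missing: 'Allow <first word> to <remaining words>'."""
    words = boolean.split("_")
    return "Allow %s to %s" % (words[0], " ".join(words[1:]))


def boolean_desc(boolean, descs):
    """Description shown for a boolean: policy.xml text if present, else the generated one."""
    if boolean in descs:
        return descs[boolean][1]
    return generated_description(boolean)
```

With the sample XML loaded the lookup returns the long "Allow user to r/w files ..." text; with an empty mapping (no policy.xml) it falls back to "Allow selinuxuser to rw noexattrfile", which is exactly the difference visible in the two semanage outputs above.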
