When using sesearch to query for booleans and their effect on the policy, the output of sesearch remains static although this should depend on the state of the boolean. It seems that it is only the output though - the effects themselves are enforced on the system.

Reproducible: Always

Steps to Reproduce:

www1 ~ # id -Z
root:sysadm_r:sysadm_t
www1 ~ # getsebool httpd_use_nfs
httpd_use_nfs --> off
www1 ~ # sesearch -SCT --allow -s httpd_t -t nfs_t -c file -p read
Found 2 semantic av rules:
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
www1 ~ # setsebool -P httpd_use_nfs on
www1 ~ # sesearch -SCT --allow -s httpd_t -t nfs_t -c file -p read
Found 2 semantic av rules:
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]

Actual Results: Flag "DT" remains

Expected Results: Flag "DT" should become "ET"

D = Disabled (rule)
E = Enabled (rule)
Used packages: app-admin/setools-3.3.7 sys-libs/libselinux-2.0.94 sys-apps/policycoreutils-2.0.82-r2 sys-libs/libsemanage-2.0.45-r1 Also confirmed with policycoreutils-2.0.82 and libsemanage-2.0.45 (vanilla ones) to make sure the changes introduced by gentoo since aren't the cause.
It may be correct. What is the status of the httpd_enable_cgi and httpd_enable_homedirs Booleans? If those are off, then the sesearch output is still correct.
Oh woo me... You're right. The first tests I did without "-P" on the setsebool and I missed it later.
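The point made in the reply above is that each conditional rule is gated by the whole postfix expression in the trailing brackets, not by the single boolean that was toggled: `[ httpd_enable_cgi httpd_use_nfs && ]` only enables the rule when both booleans are on. The following added example (not part of the bug report or of setools) parses the two sesearch lines quoted in the report, evaluates their postfix conditionals against a given set of boolean states, and recomputes the E/D flag. The interpretation of the second flag letter (T = rule sits in the true branch of the conditional, F = in the else branch) and the choice to treat an unlisted boolean as off are assumptions made for the example.

```python
import re

# The two conditional av rules exactly as sesearch printed them in the report above.
SESEARCH_OUTPUT = """\
DT allow httpd_t nfs_t : file { read getattr execute open } ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
"""

# <flag> allow <src> <tgt> : <class> { perms } ; [ postfix conditional ]
RULE_RE = re.compile(
    r"^(?P<flag>[ED][TF])\s+allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"\{(?P<perms>[^}]*)\}\s*;\s*\[(?P<cond>[^\]]*)\]\s*$"
)

# Binary operators of the policy conditional language, as they appear in postfix form.
BINOPS = {
    "&&": lambda a, b: a and b,
    "||": lambda a, b: a or b,
    "^": lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def eval_cond(cond, booleans):
    """Evaluate a postfix (RPN) conditional such as 'a b && c ||' with a stack machine.

    `booleans` maps boolean name -> bool. A boolean missing from the map is treated
    as off (assumption for this example; getsebool would report the real state).
    """
    stack = []
    for tok in cond.split():
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in BINOPS:
            b = stack.pop()
            a = stack.pop()
            stack.append(BINOPS[tok](a, b))
        else:
            stack.append(bool(booleans.get(tok, False)))
    if len(stack) != 1:
        raise ValueError("malformed conditional: %r" % cond)
    return stack[0]


def recompute_flags(output, booleans):
    """Parse sesearch lines and return [(flag, cond, perms)] with the E/D letter recomputed.

    A rule in the true branch (T) is enabled when its conditional is true; a rule in
    the else branch (F) is enabled when the conditional is false.
    """
    results = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip "Found N semantic av rules:" and anything else
        branch = m.group("flag")[1]
        cond = m.group("cond").strip()
        enabled = eval_cond(cond, booleans) == (branch == "T")
        flag = ("E" if enabled else "D") + branch
        results.append((flag, cond, m.group("perms").split()))
    return results


if __name__ == "__main__":
    # State from the report: only httpd_use_nfs was switched on -> both rules stay DT.
    for flag, cond, perms in recompute_flags(SESEARCH_OUTPUT, {"httpd_use_nfs": True}):
        print(flag, "[", cond, "]", perms)
    # Switching on httpd_enable_cgi as well is what would turn the first rule into ET.
    for flag, cond, perms in recompute_flags(
        SESEARCH_OUTPUT, {"httpd_use_nfs": True, "httpd_enable_cgi": True}
    ):
        print(flag, "[", cond, "]", perms)
```

Running it with only `httpd_use_nfs` on reproduces the "DT DT" the reporter saw; adding `httpd_enable_cgi` flips the first rule to "ET" while the second, which depends on the untouched homedir booleans, stays disabled.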