SELinux Booleans Reset on Reboot

The SELinux Booleans httpd_can_network_connect_db and httpd_can_sendmail get reset to off on reboot.
We have to set them on every time manually.
How do we set these values permanently?
We do not recollect having this problem in CentOS 8.
Kindly give a fix.
The above is the case in Bare Metal and Virtualbox VMs.

How do you set them? Semanage?

No.

setsebool httpd_can_sendmail=1
setsebool httpd_can_network_connect_db=1

man setsebool writes:

SYNOPSIS
setsebool [ -PNV ] boolean value | bool1=val1 bool2=val2 …

DESCRIPTION
setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value.
The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.

Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed.

If the -P option is given, all pending values are written to the policy file on disk. So they will be persistent across reboots.

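A quick way to catch exactly the situation described above (a boolean toggled with setsebool but without -P, so it will revert at boot) is to compare the running value with the boot-time default, which semanage boolean -l prints side by side as "(current , default)". The script below is an added example, not code from the original thread; it parses that output with POSIX awk, and the sample lines it falls back to when semanage is not installed are constructed for illustration. The exact description text and the booleans.local path are assumptions about a RHEL 7/8 style policy store.

```shell
#!/bin/sh
# Added example: report SELinux booleans whose running state differs from the
# persisted (boot-time) default, i.e. ones set with setsebool but without -P.

# Reads `semanage boolean -l` output on stdin and prints "name current default"
# for every boolean whose current state differs from its default.
# Input lines look like:  httpd_can_sendmail   (on   ,  off)  Allow httpd to send mail
nonpersistent_booleans() {
    awk '{
        # Drop the "(", "," and ")" so the fields become: name current default description...
        gsub(/[(),]/, " ")
        # Skip the header and blank lines: only on/off pairs are real booleans.
        if (($2 == "on" || $2 == "off") && ($3 == "on" || $3 == "off") && $2 != $3)
            print $1, $2, $3
    }'
}

# Constructed sample of `semanage boolean -l` output (not captured from a real host).
sample_semanage_output() {
    cat <<'EOF'
SELinux boolean                State  Default Description
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
httpd_can_network_connect_db   (on   ,  off)  Allow httpd to can network connect db
httpd_can_sendmail             (on   ,  on)   Allow httpd to can sendmail
EOF
}

# Make a boolean persistent the way the thread recommends: setsebool -P writes the
# value to the policy store (assumed path on RHEL-style systems:
# /etc/selinux/targeted/active/booleans.local) as well as the running kernel.
persist_boolean() {
    name=$1
    value=$2
    setsebool -P "$name" "$value"
}

if command -v semanage >/dev/null 2>&1; then
    # Live check: anything listed here will revert to its default on reboot
    # unless it is re-applied with `setsebool -P` (see persist_boolean).
    semanage boolean -l 2>/dev/null | nonpersistent_booleans
else
    # No SELinux tooling on this host: demonstrate on the constructed sample.
    sample_semanage_output | nonpersistent_booleans
fi
```

On a host where the check prints a line, re-apply that boolean with persist_boolean name on (or setsebool -P directly) and re-run the check; the line should disappear because current and default now agree. Note that getsebool alone cannot tell you this, since it only shows the running value.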

Thanks.
However, we did not have to do this in CentOS 8.
The issue started after the update to Rocky.
Maybe some service or script did something?
Anyway, we shall try your pointer.

So you’re saying if I download and install https://vault.centos.org/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso, set some SELinux booleans without -P & reboot - they will stay?

I’m tempted to try - but I really think you’re mistaken.

Using RHEL7 and RHEL8, I’ve never had to use -P and didn’t know about it.

Just tested this on RHEL7:

[root@rhel7 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

[root@rhel7 ~]# setsebool httpd_can_network_connect_db 1

[root@rhel7 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

[root@rhel7 ~]# reboot
Connection to rhel7 closed by remote host.
Connection to rhel7 closed.

[root@rhel7 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

and also on RHEL8:

[root@rhel8 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

[root@rhel8 ~]# setsebool httpd_can_network_connect_db 1

[root@rhel8 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

[root@rhel8 ~]# reboot
Connection to rhel8 closed by remote host.
Connection to rhel8 closed.

[root@rhel8 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

If using setsebool, the -P parameter must be used. If -P wasn’t used, then another command must have been used. Although would be possible if setsebool was aliased, for example:

[root@rhel8 ~]# alias setsebool="setsebool -P"

[root@rhel8 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

[root@rhel8 ~]# setsebool httpd_can_network_connect_db 1

[root@rhel8 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

[root@rhel8 ~]# reboot
Connection to rhel8 closed by remote host.
Connection to rhel8 closed.

[ian@elise ~]$ ssh rhel8
Last login: Tue Feb  1 20:07:58 2022 from 10.10.11.117

[root@rhel8 ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

Note, when I ran the setsebool command to change httpd_can_network_connect_db there was no -P parameter used; however, the alias command created meant I didn't need to write it. But since this doesn't exist by default in RHEL7 or RHEL8, it would require someone to create that. This also applies to any distros based on RHEL7/RHEL8, so in summary, the -P parameter is required for it to be persistent over reboots.

Sorry, this was completely wrong. After logging into the RHEL environment, the command I’d been using for RHEL7 and RHEL8 was
setsebool -P httpd_can_network_connect on
and I was just copying it into the terminal without noticing it had the -P in it.

One other thing in my notes; it says you don’t need ‘httpd_can_network_connect_db’, if you have ‘httpd_can_network_connect’.

The values were set at CentOS 8 provisioning time using semanage, as far as I remember.
We never had to reapply them after that.
The upgrade to Rocky probably reset the value, and we had to use setsebool -P to set it again.
Thanks for the replies.

Yup, the httpd_can_network_connect will be more generalised and allow any kind of connectivity, whereas the httpd_can_network_connect_db will only allow access to databases and no other type of network connect.

Regarding using ‘httpd_can_network_connect’, many web apps have http client style connections; things like checking for updates, connecting to REST api, and so on.