Offline setting an SELinux boolean

I had an issue with an SELinux boolean, allow_ypbind that is wrongly set at 0 when starting my embedded Linux distro.

I know that at runtime I may run a setsebool command to set it to 1.

I need to configure my yocto distribution correctly and I may not be able to launch the setsebool command on the fly on my final distribution.

Thus I need to set this SELinux boolean offline (before the first boot): is there any configuration file that I may modify to start with allow_ypbind=1 without the need to manually launch a command at runtime?

I guess you'd have to set the boolean in policy before the policy is compiled and installed to the image because the boolean in your case is actually a built-time tunable.

In OpenWrt the SELinux policy is also "immutable at runtime" due to device constraints. There you would basically do the same and fork the policy, edit the default conditional value, compile and install [1]. There is even an example in the Makefile for this:

https://github.com/DefenSec/selinux-...X/Makefile#L37

However, that SELinux policy is not "refpolicy" based and so even though the main concept applies, the implementation would be different for you.

Alternatively you can, even if you choose not to install `setsebool` change the boolean value in memory only by using the SELinux apifs directly:

```
root@myguest1:~# cat /sys/fs/selinux/booleans/systemdnspawn_bind_user
0 0root@myguest1:~#
root@myguest1:~# echo 1 > /sys/fs/selinux/booleans/systemdnspawn_bind_user
root@myguest1:~#
root@myguest1:~# cat /sys/fs/selinux/booleans/systemdnspawn_bind_user
0 1root@myguest1:~#
root@myguest1:~# echo 1 > /sys/fs/selinux/commit_pending_bools
root@myguest1:~# cat /sys/fs/selinux/booleans/systemdnspawn_bind_user
1 1root@myguest1:~#
```

Note the 0 0, 0 1 and 1 1 values where the first value is the actual value and the second value is the pending value.

[1] https://github.com/doverride/openwrt...ster/README.md