Conditional statements allow you to create policy rules that can be enabled or disabled by changing Boolean variable values on a running system. Rules that are not within a conditional statement (typically the vast majority of rules in a system) are unconditional and always enabled.
Boolean variables are defined in the policy using the bool statement, along with the default value for each Boolean.
All defined Booleans in the running policy also have filenames in the selinux filesystem, historically mounted at /selinux/ (so /selinux/booleans/) and on current kernels at /sys/fs/selinux/. Reading one of these files returns two numbers: the current value and the pending value of that Boolean. To change the current value of a Boolean, you would write the new value (1 or 0) into its file, which only sets the pending value, and then make the change effective by writing a 1 to the file commit_pending_bools at the root of the selinux filesystem; all pending values are committed at once, so several Booleans can be changed atomically. The commands getsebool and setsebool provide a convenient and stable way of reading and changing these values without remembering the mount point or the various filenames.
Booleans support a persistent value that will override the default value in the policy on a reboot. The persistent value allows you to change the effective default value without having to modify the policy itself. The easiest way to make a persistent change to a Boolean value is to use the setsebool -P command, which changes both the running value and the persistent value; setsebool without -P changes only the running value and is lost at the next reboot or policy reload.
The conditional statement (if) allows you to express a logical conditional expression using a defined Boolean variable and a true and optional false list of rules. These rules will be enabled/disabled by the kernel depending on the value of the conditional expression, which in turn depends on the current values of the Booleans the expression contains.
The only statements currently supported in a conditional statement true/false list are allow, auditallow, dontaudit, type_transition, and type_change.
At present, you cannot nest conditional statements. This limitation is likely to change in the near future.
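To make the pieces above concrete, here is a toy model of conditional policy. It is an added example, not code from the page or from any SELinux project: it parses a small constructed policy fragment containing bool declarations and if statements with true and optional else lists, keeps a current and a pending value per Boolean the way selinuxfs does (a write to booleans/<name> sets the pending value, a write to commit_pending_bools makes it current), enforces the two restrictions just described (only allow, auditallow, dontaudit, type_transition and type_change inside a conditional; no nesting), and reports which rules are in effect. The type and Boolean names in the sample fragment are illustrative only, and the operator precedence in eval_expr is an assumption about checkpolicy's grammar rather than something the page states, so parenthesize any real policy expression you care about.

```python
# Toy model of SELinux conditional policy (added example, not from the page or any SELinux project):
# parse `bool`/`if` statements, keep current vs. pending values like selinuxfs, list rules in effect.
import re
# Statement kinds the page lists as permitted inside a conditional's true/false lists.
CONDITIONAL_OK = {"allow", "auditallow", "dontaudit", "type_transition", "type_change"}
_BOOL = re.compile(r"\bbool\s+(\w+)\s+(true|false)\s*;")
_BODY = r"((?:[^{}]|\{[^{}]*\})*)"   # a rule list; the inner braces are permission sets
_IF = re.compile(r"\bif\s*\((.*?)\)\s*\{" + _BODY + r"\}(?:\s*else\s*\{" + _BODY + r"\})?", re.S)

SAMPLE_POLICY = """# constructed sample fragment; type and Boolean names are illustrative only
bool httpd_can_network_connect false;
bool httpd_enable_cgi true;
allow httpd_t httpd_config_t : file { read getattr };   # unconditional rule
if (httpd_can_network_connect) {
    allow httpd_t port_t : tcp_socket name_connect;
}
if (httpd_enable_cgi && !httpd_can_network_connect) {
    allow httpd_t httpd_sys_script_t : process transition;
    type_transition httpd_t httpd_sys_script_exec_t : process httpd_sys_script_t;
} else {
    dontaudit httpd_t httpd_sys_script_exec_t : file execute;
}
"""

class Booleans:
    """Current and pending value per Boolean, like booleans/<name> and commit_pending_bools."""
    def __init__(self):
        self.current, self.pending = {}, {}
    def write_pending(self, name, value):   # like: echo 1 > /sys/fs/selinux/booleans/<name>
        if name not in self.current:
            raise KeyError(f"undeclared Boolean {name}")   # selinuxfs has no file for it either
        self.pending[name] = bool(value)
    def commit(self):                        # like: echo 1 > /sys/fs/selinux/commit_pending_bools
        self.current.update(self.pending)

def _collect(block, cond, branch, out):
    for stmt in filter(None, (" ".join(s.split()) for s in block.split(";"))):
        kind = stmt.split()[0]
        if kind == "if" or (cond is not None and kind not in CONDITIONAL_OK):
            raise ValueError(f"unsupported or nested statement: {stmt!r}")
        out.append((stmt, cond, branch))   # cond None = unconditional; branch = which list

def parse_policy(text):   # returns (Booleans, rules); nested conditionals are rejected
    text, bools = re.sub(r"#.*", "", text), Booleans()
    for name, default in _BOOL.findall(text):
        bools.current[name] = bools.pending[name] = (default == "true")
    text, rules, pos = _BOOL.sub("", text), [], 0
    for m in _IF.finditer(text):
        _collect(text[pos:m.start()], None, True, rules)      # unconditional rules before the if
        _collect(m.group(2), m.group(1), True, rules)         # true list
        _collect(m.group(3) or "", m.group(1), False, rules)  # optional else list
        pos = m.end()
    _collect(text[pos:], None, True, rules)
    return bools, rules

def eval_expr(expr, values):
    """Evaluate a conditional expression over Boolean values. Precedence, lowest to highest:
    ||  ^  &&  !  ==/!=  (assumed to match checkpolicy; parenthesize real policy to be safe)."""
    toks = re.findall(r"&&|\|\||==|!=|[!^()]|\w+|\S", expr) + [None]   # None marks the end
    def primary():
        t = toks.pop(0)
        if t == "(":
            v = binary()
            if toks.pop(0) != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return v
        if t not in values:
            raise ValueError(f"bad or undeclared token {t!r} in {expr!r}")
        return values[t]
    def unary():   # '!' binds looser than ==/!=, so "!a == b" means !(a == b)
        if toks[0] == "!":
            toks.pop(0)
            return not unary()
        v = primary()
        while toks[0] in ("==", "!="):
            op, r = toks.pop(0), primary()
            v = (v == r) if op == "==" else (v != r)
        return v
    def binary(level=0, levels=("||", "^", "&&")):   # lowest precedence first
        if level == len(levels):
            return unary()
        v = binary(level + 1)
        while toks[0] == levels[level]:
            toks.pop(0)
            r = binary(level + 1)   # always consume the right operand; no short-circuit
            v = {"||": v or r, "^": v != r, "&&": v and r}[levels[level]]
        return v
    result = binary()
    if toks[0] is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def enabled_rules(bools, rules):   # rule texts in effect for the current (committed) values
    return [t for t, cond, branch in rules if cond is None or eval_expr(cond, bools.current) == branch]

if __name__ == "__main__":   # flip a Boolean at runtime and watch the enabled rule set change
    bools, rules = parse_policy(SAMPLE_POLICY)
    print("defaults :", enabled_rules(bools, rules))
    bools.write_pending("httpd_can_network_connect", 1)
    bools.commit()   # until this, the pending value has no effect, as on a real system
    print("committed:", enabled_rules(bools, rules))
```

Running it prints the rules in effect with the policy defaults (the unconditional rule plus the true list of the second conditional) and again after httpd_can_network_connect is set and committed (the name_connect rule and the else list take over). Setting the pending value without committing changes nothing, which is the behaviour to expect when a script writes to the booleans file and forgets commit_pending_bools. The model deliberately stops at the syntax the page discusses: no attributes, macros or require blocks, and an if inside a true or false list is rejected rather than evaluated.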