Product SiteDocumentation Site

3.3. Booleans

SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
To modify the state of a Boolean, use the setsebool command. For example, to turn the allow_httpd_anon_write Boolean on, run the following command as the root user:
# setsebool -P allow_httpd_anon_write on
To turn a Boolean off, using the same example, simply change on to off in the command, as shown below:
# setsebool -P allow_httpd_anon_write off

Note

Do not use the -P option if you do not want setsebool changes to persist across reboots.
Below is a description of common Booleans available that cater for the way httpd is running:
allow_httpd_anon_write
When disabled, this Boolean allows httpd to only have read access to files labeled with the public_content_rw_t type. Enabling this Boolean will allow httpd to write to files labeled with the public_content_rw_t type, such as a public directory containing files for a public file transfer service.
allow_httpd_mod_auth_ntlm_winbind
Enabling this Boolean allows access to NTLM and Winbind authentication mechanisms via the mod_auth_ntlm_winbind module in httpd.
allow_httpd_mod_auth_pam
Enabling this Boolean allows access to PAM authentication mechanisms via the mod_auth_pam module in httpd.
allow_httpd_sys_script_anon_write
This Boolean defines whether or not HTTP scripts are allowed write access to files labeled with the public_content_rw_t type, as used in a public file transfer service.
httpd_builtin_scripting
This Boolean defines access to httpd scripting. Having this Boolean enabled is often required for PHP content.
httpd_can_network_connect
When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to a network or remote port. Turn this Boolean on to allow this access.
httpd_can_network_connect_db
When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to database servers. Turn this Boolean on to allow this access.
httpd_can_network_relay
Turn this Boolean on when httpd is being used as a forward or reverse proxy.
httpd_can_sendmail
When disabled, this Boolean prevents HTTP modules from sending mail. This can prevent spam attacks should a vulnerability be found in httpd. Turn this Boolean on to allow HTTP modules to send mail.
httpd_dbus_avahi
When off, this Boolean denies httpd access to the avahi service via D-Bus. Turn this Boolean on to allow this access.
httpd_enable_cgi
When disabled, this Boolean prevents httpd from executing CGI scripts. Turn this Boolean on to allow httpd to execute CGI scripts (CGI scripts must be labeled with the httpd_sys_script_exec_t type).
httpd_enable_ftp_server
Turning this Boolean on will allow httpd to listen on the FTP port and act as an FTP server.
httpd_enable_homedirs
When disabled, this Boolean prevents httpd from accessing user home directories. Turn this Boolean on to allow httpd access to user home directories; for example, content in /home/*/.
httpd_execmem
When enabled, this Boolean allows httpd to execute programs that require memory addresses that are both executable and writeable. Enabling this Boolean is not recommended from a security standpoint as it reduces protection against buffer overflows, however certain modules and applications (such as Java and Mono applications) require this privilege.
httpd_ssi_exec
This Boolean defines whether or not server side include (SSI) elements in a web page can be executed.
httpd_tty_comm
This Boolean defines whether or not httpd is allowed access to the controlling terminal. Usually this access is not required, however in cases such as configuring an SSL certificate file, terminal access is required to display and process a password prompt.
httpd_unified
When enabled, this Boolean allows httpd_t complete access to all of the httpd types (i.e. to execute, read, or write sys_content_t). When disabled, there is separation in place between web content that is read-only, writeable or executable. Disabling this Boolean ensures an extra level of security but adds the administrative overhead of having to individually label scripts and other web content based on the file access that each should have.
httpd_use_cifs
Turn this Boolean on to allow httpd access to files on CIFS file systems that are labeled with the cifs_t type, such as file systems mounted via Samba.
httpd_use_nfs
Turn this Boolean on to allow httpd access to files on NFS file systems that are labeled with the nfs_t type, such as file systems mounted via NFS.