13.3. Booleans
SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. This can be achieved using Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy.
To modify the state of a Boolean, use the setsebool command. For example, to enable the httpd_anon_write Boolean, enter the following command as the root user:
~]# setsebool -P httpd_anon_write on
To disable a Boolean, using the same example, simply change on to off in the command, as shown below:
~]# setsebool -P httpd_anon_write off
Note
Do not use the -P option if you do not want setsebool changes to persist across reboots.
Below is a description of common Booleans available that cater for the way httpd is running:
httpd_anon_write - When disabled, this Boolean allows httpd to only have read access to files labeled with the public_content_rw_t type. Enabling this Boolean allows httpd to write to files labeled with the public_content_rw_t type, such as a public directory containing files for a public file transfer service.
httpd_mod_auth_ntlm_winbind - Enabling this Boolean allows access to NTLM and Winbind authentication mechanisms using the mod_auth_ntlm_winbind module in httpd.
httpd_mod_auth_pam - Enabling this Boolean allows access to PAM authentication mechanisms using the mod_auth_pam module in httpd.
httpd_sys_script_anon_write - This Boolean defines whether or not HTTP scripts are allowed write access to files labeled with the public_content_rw_t type, as used in a public file transfer service.
httpd_builtin_scripting - This Boolean defines access to httpd scripting. Having this Boolean enabled is often required for PHP content.
httpd_can_network_connect - When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to a network or remote port. Enable this Boolean to allow this access.
httpd_can_network_connect_db - When disabled, this Boolean prevents HTTP scripts and modules from initiating a connection to database servers. Enable this Boolean to allow this access.
httpd_can_network_relay - Enable this Boolean when httpd is being used as a forward or reverse proxy.
httpd_can_sendmail - When disabled, this Boolean prevents HTTP modules from sending mail. This can prevent spam attacks should a vulnerability be found in httpd. Enable this Boolean to allow HTTP modules to send mail.
httpd_dbus_avahi - When disabled, this Boolean denies httpd access to the avahi service through D-Bus. Enable this Boolean to allow this access.
httpd_enable_cgi - When disabled, this Boolean prevents httpd from executing CGI scripts. Enable this Boolean to allow httpd to execute CGI scripts (CGI scripts must be labeled with the httpd_sys_script_exec_t type).
httpd_enable_ftp_server - Enabling this Boolean allows httpd to listen on the FTP port and act as an FTP server.
httpd_enable_homedirs - When disabled, this Boolean prevents httpd from accessing user home directories. Enable this Boolean to allow httpd access to user home directories; for example, content in /home/*/.
httpd_execmem - When enabled, this Boolean allows httpd to execute programs that require memory addresses that are both executable and writable. Enabling this Boolean is not recommended from a security standpoint because it reduces protection against buffer overflows; however, certain modules and applications (such as Java and Mono applications) require this privilege.
httpd_ssi_exec - This Boolean defines whether or not server side include (SSI) elements in a web page can be executed.
httpd_tty_comm - This Boolean defines whether or not httpd is allowed access to the controlling terminal. Usually this access is not required; however, in cases such as configuring an SSL certificate file, terminal access is required to display and process a password prompt.
httpd_unified - When enabled, this Boolean allows httpd_t complete access to all of the httpd types (that is, to execute, read, or write sys_content_t). When disabled, there is separation in place between web content that is read-only, writable, or executable. Disabling this Boolean ensures an extra level of security but adds the administrative overhead of having to individually label scripts and other web content based on the file access that each should have.
httpd_use_cifs - Enable this Boolean to allow httpd access to files on CIFS volumes that are labeled with the cifs_t type, such as file systems mounted using Samba.
httpd_use_nfs - Enable this Boolean to allow httpd access to files on NFS volumes that are labeled with the nfs_t type, such as file systems mounted using NFS.
Note
Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, enter the following command:
~]$ getsebool -a | grep service_name
Enter the following command to view the description of a particular Boolean:
~]$ sepolicy booleans -b boolean_name
Note that the additional policycoreutils-devel package, which provides the sepolicy utility, is required for this command to work.
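The following script is an added example, not part of this guide: it ties together the getsebool listing command from the note above, the setsebool -P command from the start of the section, and the Boolean descriptions in between. It reads "name --> state" lines in the format getsebool -a prints, and for each Boolean that is both enabled and on a reviewer-chosen watch list (httpd_execmem, httpd_unified, httpd_anon_write, httpd_sys_script_anon_write, httpd_enable_homedirs, picked from the descriptions above as the ones that widen httpd's write or execute rights), it prints the setsebool -P command that would turn it back off. The watch list is an assumption for the example, and the sample getsebool output is constructed so the script runs on a host without SELinux; nothing is changed on the system, the script only prints the commands for review.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Audits httpd Booleans from
# `getsebool -a`-style output and prints the setsebool command that would
# revert each enabled Boolean on the watch list. Nothing is executed.

# Watch list (assumption for this example, chosen from the descriptions
# above): Booleans that widen httpd's write or execute rights when on.
RISKY_BOOLEANS="httpd_execmem httpd_unified httpd_anon_write httpd_sys_script_anon_write httpd_enable_homedirs"

# Constructed stand-in for `getsebool -a | grep '^httpd_'` on a real host.
SAMPLE_GETSEBOOL='httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_execmem --> on
httpd_unified --> off'

# is_risky NAME: succeeds when NAME is on the watch list.
is_risky() {
    for b in $RISKY_BOOLEANS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# audit_booleans: reads "name --> state" lines on stdin and prints one
# "setsebool -P name off" line per watch-listed Boolean that is currently on.
# Lines that do not carry the "-->" separator (headers, blanks) are skipped.
audit_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        if [ "$state" = "on" ] && is_risky "$name"; then
            printf 'setsebool -P %s off\n' "$name"
        fi
    done
}

# count_enabled_risky: number of watch-listed Booleans that are on (stdin).
count_enabled_risky() {
    audit_booleans | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a real host replace the
# printf with: getsebool -a | grep '^httpd_' | audit_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
```

Run against the constructed sample, the script prints two lines, one for httpd_enable_homedirs and one for httpd_execmem, because those are the only watch-listed Booleans that are on; httpd_enable_cgi and httpd_builtin_scripting are on but not watch-listed, and httpd_unified and httpd_anon_write are off. Since -P is included in the printed commands, applying them persists across reboots, which is the behaviour the note about -P describes.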