setsebool command. For example, to turn the allow_httpd_anon_write Boolean on, run the following command as the root user:
# setsebool -P allow_httpd_anon_write on
on to off in the command, as shown below:
# setsebool -P allow_httpd_anon_write off
Note
-P option if you do not want setsebool changes to persist across reboots.
httpd is running:
allow_httpd_anon_write
httpd only read access to files labeled with the public_content_rw_t type. Enabling this Boolean will allow httpd to write to files labeled with the public_content_rw_t type, such as a public directory containing files for a public file transfer service.
allow_httpd_mod_auth_ntlm_winbind
mod_auth_ntlm_winbind module in httpd.
allow_httpd_mod_auth_pam
mod_auth_pam module in httpd.
allow_httpd_sys_script_anon_write
public_content_rw_t type, as used in a public file transfer service.
httpd_builtin_scripting
httpd scripting. Having this Boolean enabled is often required for PHP content.
httpd_can_network_connect
httpd_can_network_connect_db
httpd_can_network_relay
httpd is being used as a forward or reverse proxy.
httpd_can_sendmail
httpd. Turn this Boolean on to allow HTTP modules to send mail.
httpd_dbus_avahi
httpd access to the avahi service via D-Bus. Turn this Boolean on to allow this access.
httpd_enable_cgi
httpd from executing CGI scripts. Turn this Boolean on to allow httpd to execute CGI scripts (CGI scripts must be labeled with the httpd_sys_script_exec_t type).
httpd_enable_ftp_server
httpd to listen on the FTP port and act as an FTP server.
httpd_enable_homedirs
httpd from accessing user home directories. Turn this Boolean on to allow httpd access to user home directories; for example, content in /home/*/.
httpd_execmem
httpd to execute programs that require memory addresses that are both executable and writeable. Enabling this Boolean is not recommended from a security standpoint, as it reduces protection against buffer overflows; however, certain modules and applications (such as Java and Mono applications) require this privilege.
httpd_ssi_exec
httpd_tmp_exec
httpd to execute files in temporary directories.
httpd_tty_comm
httpd is allowed access to the controlling terminal. Usually this access is not required; however, in cases such as configuring an SSL certificate file, terminal access is required to display and process a password prompt.
httpd_unified
httpd_t complete access to all of the httpd types (i.e. to execute, read, or write sys_content_t). When disabled, there is separation in place between web content that is read-only, writeable or executable. Disabling this Boolean ensures an extra level of security but adds the administrative overhead of having to individually label scripts and other web content based on the file access that each should have.
httpd_use_cifs
httpd access to files on CIFS file systems that are labeled with the cifs_t type, such as file systems mounted via Samba.
httpd_use_gpg
httpd to make use of GPG encryption.
httpd_use_nfs
httpd access to files on NFS file systems that are labeled with the nfs_t type, such as file systems mounted via NFS.
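
An added example (not part of the original documentation): a shell function that reads lines in the "name --> on|off" format printed by getsebool -a and lists the Booleans described above that are on and widen what httpd may write, execute or reach. The review list, the function names and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Booleans to review when on. The selection is this example's assumption,
# drawn from the descriptions above (anonymous write, executable memory,
# execution from temporary directories, unified content, home directories).
REVIEW_LIST="allow_httpd_anon_write allow_httpd_sys_script_anon_write
httpd_enable_homedirs httpd_execmem httpd_tmp_exec httpd_unified"

# Reads "name --> on|off" lines on stdin.
# Prints "name<TAB>setsebool -P name off" for each review-list Boolean that is on.
# Returns 1 if anything was flagged, 0 otherwise.
audit_httpd_booleans() {
    found=0
    # "rest" absorbs any trailing text after the state (e.g. a pending value).
    while read -r name arrow state rest; do
        [ "$arrow" = "-->" ] || continue   # skip lines not in the expected format
        [ "$state" = "on" ] || continue    # only enabled Booleans matter here
        for b in $REVIEW_LIST; do
            if [ "$name" = "$b" ]; then
                printf '%s\tsetsebool -P %s off\n' "$name" "$name"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed sample input; on a live system use: getsebool -a | audit_httpd_booleans
sample_getsebool_output() {
    cat <<'EOF'
allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_execmem --> on
httpd_tty_comm --> on
httpd_unified --> on
ftp_home_dir --> off
EOF
}

# Demo run on the constructed sample (flags httpd_execmem and httpd_unified).
sample_getsebool_output | audit_httpd_booleans || true
```

The printed setsebool lines are candidates for review, not changes to apply blindly: a flagged Boolean may be on because a module or application on that host requires it.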