$ man httpd_selinux
To see a list of all the service-specific manpages for SELinux, enter the command:
$ apropos _selinux
In the BOOLEAN section you will find this text:
httpd scripts by default are not allowed to connect out to the network.
This would prevent a hacker from breaking into your httpd server
and attacking other machines. If you need scripts to be able to
connect you can set the httpd_can_network_connect boolean on.
setsebool -P httpd_can_network_connect 1
To translate between the descriptions shown in the graphical Security Level Configuration tool and the boolean names used by setsebool and getsebool, use the file /usr/share/system-config-securitylevel/selinux.tbl, which looks like this:
unlimitedUtils _("Admin") _("Allow privileged utilities like hotplug and insmod to run unconfined.")
unlimitedRC _("Admin") _("Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.")
unlimitedRPM _("Admin") _("Allow rpm to run unconfined.")
staff_read_sysadm_file _("Admin") _("Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)")
direct_sysadm_daemon _("Admin") _("Allow sysadm_t to directly start daemons")
...(Lines snipped)...
Each line consists of the boolean name used by setsebool/getsebool, followed by the configuration category and the description used by the Security Level Configuration tool.
Use grep with a server name, boolean name, or a description from the configuration tool to quickly find values in this file:
$ cd /usr/share/system-config-securitylevel
$ grep httpd selinux.tbl
httpd_enable_cgi _("HTTPD Service") _("Allow HTTPD cgi support")
httpd_can_network_connect _("HTTPD Service") _("Allow HTTPD scripts and modules to connect to the network.")
httpd_enable_homedirs _("HTTPD Service") _("Allow HTTPD to read home directories")
httpd_ssi_exec _("HTTPD Service") _("Allow HTTPD to run SSI executables in the same domain as system CGI scripts.")
httpd_builtin_scripting _("HTTPD Service") _("Allow HTTPD to support built-in scripting")
httpd_disable_trans _("HTTPD Service") _("Disable SELinux protection for httpd daemon")
httpd_suexec_disable_trans _("HTTPD Service") _("Disable SELinux protection for http suexec")
httpd_unified _("HTTPD Service") _("Unify HTTPD handling of all content files.")
httpd_tty_comm _("HTTPD Service") _("Unify HTTPD to communicate with the terminal. Needed for handling certificates.")
$ grep "Allow ftp to read/write files in the user home directories" selinux.tbl
ftp_home_dir _("FTP") _("Allow ftp to read/write files in the user home directories")
$ grep unlimitedRPM selinux.tbl
unlimitedRPM _("Admin") _("Allow rpm to run unconfined.")
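The grep searches above work, but they match any substring and return the raw line. The following shell script is an added example (not from the book and not part of system-config-securitylevel) that parses the three fields of the selinux.tbl format described above and translates in either direction: from a description in the configuration tool to the boolean name that setsebool needs, or from a boolean name back to its category and description. The four table lines embedded in the script are a constructed sample; on a real system, feed it the contents of /usr/share/system-config-securitylevel/selinux.tbl instead.

```shell
#!/bin/sh
# Added example: parse lines of the form
#   boolean_name _("Category") _("Description")
# as found in /usr/share/system-config-securitylevel/selinux.tbl.
# SAMPLE_TBL is a constructed excerpt used so the script runs stand-alone.

SAMPLE_TBL='httpd_enable_cgi _("HTTPD Service") _("Allow HTTPD cgi support")
httpd_can_network_connect _("HTTPD Service") _("Allow HTTPD scripts and modules to connect to the network.")
ftp_home_dir _("FTP") _("Allow ftp to read/write files in the user home directories")
unlimitedRPM _("Admin") _("Allow rpm to run unconfined.")'

# tbl_fields: read selinux.tbl lines on stdin and print
# "name<TAB>category<TAB>description", one record per line.
# Splitting on the literal _(" marker keeps slashes, commas and
# parentheses inside the description intact; malformed lines are skipped.
tbl_fields() {
    awk '{
        n = split($0, a, /_\("/)
        if (n != 3) next
        name = a[1]; sub(/[[:space:]]+$/, "", name)
        cat  = a[2]; sub(/"\)[[:space:]]*$/, "", cat)
        desc = a[3]; sub(/"\)[[:space:]]*$/, "", desc)
        printf "%s\t%s\t%s\n", name, cat, desc
    }'
}

# name_for_description DESC: the boolean name whose tool description is
# exactly DESC (the name you would pass to setsebool -P). Prints nothing
# if no line matches.
name_for_description() {
    printf '%s\n' "$SAMPLE_TBL" | tbl_fields |
        awk -F'\t' -v d="$1" '$3 == d { print $1 }'
}

# description_for_name NAME: "Category: Description" for a boolean name.
description_for_name() {
    printf '%s\n' "$SAMPLE_TBL" | tbl_fields |
        awk -F'\t' -v n="$1" '$1 == n { print $2 ": " $3 }'
}

# booleans_in_category CAT: every boolean name shown under one category
# (one tab of the graphical tool).
booleans_in_category() {
    printf '%s\n' "$SAMPLE_TBL" | tbl_fields |
        awk -F'\t' -v c="$1" '$2 == c { print $1 }'
}

# Example usage, mirroring the grep searches in the text:
name_for_description 'Allow ftp to read/write files in the user home directories'
description_for_name unlimitedRPM
booleans_in_category 'HTTPD Service'
```

To use the real file, replace `printf '%s\n' "$SAMPLE_TBL"` with `cat /usr/share/system-config-securitylevel/selinux.tbl`. Because the lookup is by the full description rather than a substring, the name it returns is the one you actually want, which matters when you are about to turn a boolean on with `setsebool -P`.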
Table 8-1 contains some of the most commonly altered SELinux booleans.
Table 8-1. Commonly altered SELinux booleans
| Boolean name | Description in system-config-securitylevel | Reason for altering | Default value |
|---|---|---|---|
| allow_ptrace | Allow sysadm_t to debug or ptrace applications. | Permit root to use tools such as gdb for debugging. | Off |
| allow_execmod | Allow the use of shared libraries with Text Relocation. | Required to use Adobe Flash browser plug-in and Sun Java. | Off |
| allow_ftp_anon_write | | Permits the FTP server to write to files labeled with type public_content_rw_t, described in Table 8-2. | Off |
| httpd_can_network_connect | Allow httpd scripts and modules to connect to the network. | Enables web scripts to connect to databases and mail servers. | Off |
| httpd_enable_homedirs | Allow httpd to read home directories. | Enables the use of ~/public_html for personal web pages. | Off |
| httpd_tty_comm | Unify httpd to communicate with the terminal. Needed for handling certificates. | Enables the use of certificates with passphrases (requires the passphrase to be entered on the terminal). | Off |
| allow_httpd_anon_write | | Permits Apache to write to files labeled with type public_content_rw_t (see Table 8-2). | Off |
| named_write_master_zones | Allow named to overwrite master zone files. | Required for dhcpd updating of zones. | Off |
| nfs_export_all_ro | Allow reading on any NFS filesystem. | Enables NFS file sharing (read-only). | Off |
| nfs_export_all_rw | Allow read/write/create on any NFS filesystem. | Enables NFS file sharing (read/write). | Off |
| use_nfs_home_dirs | Support NFS home directories. | Allows home directories (such as /home/chris) to be imported from an NFS server. | Off |
| samba_enable_home_dirs | Allow Samba to share users' home directories. | Allows homes shares in smb.conf. | Off |
| use_samba_home_dirs | Allow users to log in with CIFS home directories. | Allows home directories (such as /home/chris) to be imported from a Samba or Windows server. | Off |
| allow_samba_anon_write | | Permits Samba to write to files labeled with type public_content_rw_t. | Off |
| spamassasin_can_network | Allow Spam Assassin daemon network access. | Enables the use of real-time blackhole lists (RBLs) by Spam Assassin. | Off |
| ssh_sysadm_login | Allow SSH logins as sysadm_r:sysadm_t. | Allows root login via SSH (otherwise, you'll need to log in as a regular user and then use su). This may be required if you're running remote backups via SSH. | Off |
| subsystem_disable_trans | Disable SELinux protection for subsystem. | Use this as a last alternative. It's better to disable SELinux protection for one subsystem than to turn it off entirely. | Off |
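Every boolean in Table 8-1 defaults to Off, and each one that is On widens what a confined service may do, so it is worth checking periodically that only the ones you deliberately enabled are set. The script below is an added example, not from the book: it reads a `getsebool -a` listing and reports any Table 8-1 boolean that is on, and separately any `*_disable_trans` boolean that is on, since that removes SELinux confinement from the named daemon altogether (the "last alternative" the table warns about). The listing embedded in the script is constructed for the example; on a live system pipe the real `getsebool -a` output into the two check functions.

```shell
#!/bin/sh
# Added example: audit SELinux booleans against the Table 8-1 list.
# SAMPLE_GETSEBOOL is a constructed stand-in for the output of `getsebool -a`,
# whose lines have the form "boolean_name --> on|off".

SAMPLE_GETSEBOOL='allow_execmod --> off
allow_ptrace --> off
httpd_can_network_connect --> on
httpd_disable_trans --> on
httpd_enable_homedirs --> off
named_write_master_zones --> off
ssh_sysadm_login --> on
use_nfs_home_dirs --> off'

# Booleans from Table 8-1 (all default Off). Being on is not wrong in itself,
# but each should correspond to a documented need.
WATCHED='allow_ptrace allow_execmod allow_ftp_anon_write
httpd_can_network_connect httpd_enable_homedirs httpd_tty_comm
allow_httpd_anon_write named_write_master_zones nfs_export_all_ro
nfs_export_all_rw use_nfs_home_dirs samba_enable_home_dirs
use_samba_home_dirs allow_samba_anon_write spamassasin_can_network
ssh_sysadm_login'

# enabled_watched: read getsebool lines on stdin; print watched names that are on.
enabled_watched() {
    awk -v watched="$(printf '%s' "$WATCHED" | tr '\n' ' ')" '
        BEGIN {
            n = split(watched, w, / +/)
            for (i = 1; i <= n; i++) if (w[i] != "") is_watched[w[i]] = 1
        }
        $2 == "-->" && $3 == "on" && ($1 in is_watched) { print $1 }'
}

# disabled_transitions: read getsebool lines on stdin; print the daemon name
# for every *_disable_trans boolean that is on (SELinux protection for that
# daemon is switched off entirely).
disabled_transitions() {
    awk '$2 == "-->" && $3 == "on" && $1 ~ /_disable_trans$/ {
        sub(/_disable_trans$/, "", $1); print $1 }'
}

# audit: run both checks over the listing and print one WARN line per finding.
# Returns 1 if anything was flagged, 0 otherwise, so it can serve as a
# pass/fail check in a cron job or a configuration test.
audit() {
    flagged=0
    for b in $(printf '%s\n' "$SAMPLE_GETSEBOOL" | enabled_watched); do
        echo "WARN: $b is on (default off); confirm this is intended"
        flagged=1
    done
    for d in $(printf '%s\n' "$SAMPLE_GETSEBOOL" | disabled_transitions); do
        echo "WARN: SELinux protection disabled for $d (${d}_disable_trans is on)"
        flagged=1
    done
    return $flagged
}

audit
```

On a real system, replace the `printf '%s\n' "$SAMPLE_GETSEBOOL"` pipelines with `getsebool -a`. A boolean that is on but not in your own records of changes made with `setsebool -P` is the thing to investigate, since a non-persistent `setsebool` change will not survive a reboot while a `-P` change will.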