Difference between revisions of "Redhat: Apache webserver SELinux Booleans"

From Define Wiki
 
Line 28: Line 28:
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
| allow_httpd_anon_write|| permissions for PHP scripts in httpd_t directories
+
| allow_httpd_anon_write|| allows apache to write new files with public_content_rw_t type
 
|-
 
|-
| allow_httpd_mon_auth_ntlm_winbind || Access from http services to automated IP addresses
+
| allow_httpd_mon_auth_ntlm_winbind || support Microsoft authentication databases
 
|-
 
|-
| allow_httpd_mod_auth_pam || Allows https services to execute CGI scripts
+
| allow_httpd_mod_auth_pam || enables access to PAM authentication
 
|-
 
|-
| allow_httpd_sys_script_anon_write || Enables communication with controlling terminals, eg for SSL
+
| allow_httpd_sys_script_anon_write || configures write access by scripts to files with public_content_rw_t type
 
|-
 
|-
| httpd_can_check_spam|| Full read/write/execute access by all httpd_t files
+
| httpd_can_check_spam|| web based email spam detection
 
|-
 
|-
| httpd_can_network_connect || Allows access from secured guests
+
| httpd_can_network_connect || apache connections to remote ports
 
|-
 
|-
| httpd_can_network_connect_cobbler || permissions for PHP scripts in httpd_t directories
+
| httpd_can_network_connect_cobbler || apache connections to cobbler installation servers
 
|-
 
|-
| httpd_can_network_connect_db || Access from http services to automated IP addresses
+
| httpd_can_network_connect_db || apcahe connections to database servers
 
|-
 
|-
| httpd_can_network_memcache|| Allows https services to execute CGI scripts
+
| httpd_can_network_memcache|| http memory caching for translation servers
 
|-
 
|-
| httpd_can_network_relay|| Enables communication with controlling terminals, eg for SSL
+
| httpd_can_network_relay|| httpd proxy support
 
|-
 
|-
| httpd_can_sendmail || Full read/write/execute access by all httpd_t files
+
| httpd_can_sendmail || allows httpd based email services
 
|-
 
|-
| httpd_enable_homedirs || Allows access from secured guests
+
| httpd_enable_homedirs || https access to home directories
 
|-
 
|-
| httpd_execmem || permissions for PHP scripts in httpd_t directories
+
| httpd_execmem || operation of executable programs requiring access to memory
 
|-
 
|-
| httpd_read_user_content|| Access from http services to automated IP addresses
+
| httpd_read_user_content|| access to scripts from home directories
 
|-
 
|-
| httpd_setrlimit || Allows https services to execute CGI scripts
+
| httpd_setrlimit || apache can modify the max number of file descriptors
 
|-
 
|-
| httpd_ssi_exec || Enables communication with controlling terminals, eg for SSL
+
| httpd_ssi_exec || access to ssi scripts
 
|-
 
|-
| http_tmp_exec || Full read/write/execute access by all httpd_t files
+
| http_tmp_exec || apache access to scripts that require access to /tmp
 
|-
 
|-
| httpd_use_cifs || Allows access from secured guests
+
| httpd_use_cifs || access to samba directories
 
|-
 
|-
| http_use_gpg|| Full read/write/execute access by all httpd_t files
+
| http_use_gpg|| allows use of gpg encryption
 
|-
 
|-
| http_use_nfs|| Allows access from secured guests
+
| http_use_nfs|| access to nfs shared directories
 
|-
 
|-
 
|}
 
|}
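Review bot: the replacement descriptions fix the copy-pasted text but leave the boolean names inconsistent: `http_tmp_exec`, `http_use_gpg` and `http_use_nfs` lack the `httpd_` prefix that every other row (for example `httpd_use_cifs`) carries, and `allow_httpd_mon_auth_ntlm_winbind` reads `mon` where the paired `allow_httpd_mod_auth_pam` reads `mod`; the `httpd_can_network_connect_db` row also misspells `apcahe`. Suggest correcting them to `httpd_tmp_exec`, `httpd_use_gpg`, `httpd_use_nfs` and `allow_httpd_mod_auth_ntlm_winbind`, which are the names the policy actually uses, so that readers can paste them straight into `getsebool`/`setsebool` without a lookup failure.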

Latest revision as of 14:23, 18 August 2013

Apache Default Active Booleans

{| class="wikitable"
|-
! Boolean !! Effect
|-
| httpd_builtin_scripting || permissions for PHP scripts in httpd_t directories
|-
| httpd_dbus_avahi || access from httpd services to automatically discovered IP addresses
|-
| httpd_enable_cgi || allows httpd services to execute CGI scripts
|-
| httpd_tty_comm || enables communication with controlling terminals, eg for SSL
|-
| httpd_unified || full read/write/execute access by all httpd_t files
|-
| xguest_connect_network || allows network access from secured guests
|}

Apache Default Inactive Booleans

The full list of inactive booleans is shown below. Several of them are of more interest:

  • httpd_enable_homedirs - supports httpd access to files in home directories
  • httpd_enable_ftp
  • httpd_use_cifs
  • httpd_use_nfs
{| class="wikitable"
|-
! Boolean !! Effect
|-
| allow_httpd_anon_write || allows apache to write new files with public_content_rw_t type
|-
| allow_httpd_mod_auth_ntlm_winbind || support for Microsoft authentication databases
|-
| allow_httpd_mod_auth_pam || enables access to PAM authentication
|-
| allow_httpd_sys_script_anon_write || configures write access by scripts to files with public_content_rw_t type
|-
| httpd_can_check_spam || web based email spam detection
|-
| httpd_can_network_connect || apache connections to remote ports
|-
| httpd_can_network_connect_cobbler || apache connections to cobbler installation servers
|-
| httpd_can_network_connect_db || apache connections to database servers
|-
| httpd_can_network_memcache || http memory caching for translation servers
|-
| httpd_can_network_relay || httpd proxy support
|-
| httpd_can_sendmail || allows httpd based email services
|-
| httpd_enable_homedirs || httpd access to home directories
|-
| httpd_execmem || operation of executable programs requiring access to memory
|-
| httpd_read_user_content || access to scripts from home directories
|-
| httpd_setrlimit || apache can modify the max number of file descriptors
|-
| httpd_ssi_exec || access to ssi scripts
|-
| httpd_tmp_exec || apache access to scripts that require access to /tmp
|-
| httpd_use_cifs || access to samba directories
|-
| httpd_use_gpg || allows use of gpg encryption
|-
| httpd_use_nfs || access to nfs shared directories
|}
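The two tables above together describe a baseline: which httpd booleans the default policy leaves on and which it leaves off. The following script is an added example, not part of the wiki page, that audits a host against that baseline. It reads the text that `getsebool -a` prints (one `name --> on|off` line per boolean), reports every listed boolean whose current value differs from the page's default, and emits the `setsebool -P` commands that would restore it. The baseline lists are taken from the page with names normalised to the `httpd_` prefix; real defaults vary between policy versions (and later policies drop the `allow_` prefix, e.g. `httpd_anon_write`), so confirm them with `semanage boolean -l` before acting. The sample `getsebool` output embedded at the bottom is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit Apache SELinux booleans
# against the defaults listed on the page and print commands to restore them.

# Booleans the page lists as active (on) by default.
HTTPD_DEFAULT_ON="httpd_builtin_scripting httpd_dbus_avahi httpd_enable_cgi httpd_tty_comm httpd_unified xguest_connect_network"

# Booleans the page lists as inactive (off) by default.
HTTPD_DEFAULT_OFF="allow_httpd_anon_write allow_httpd_mod_auth_ntlm_winbind allow_httpd_mod_auth_pam allow_httpd_sys_script_anon_write httpd_can_check_spam httpd_can_network_connect httpd_can_network_connect_cobbler httpd_can_network_connect_db httpd_can_network_memcache httpd_can_network_relay httpd_can_sendmail httpd_enable_homedirs httpd_execmem httpd_read_user_content httpd_setrlimit httpd_ssi_exec httpd_tmp_exec httpd_use_cifs httpd_use_gpg httpd_use_nfs"

# Read `getsebool -a` style lines ("name --> on") on stdin and print one line
# per baseline boolean whose value differs:  <name> expected=<v> actual=<v>
# Booleans not in either list (unrelated to httpd) are ignored.
httpd_boolean_drift() {
    awk -v on="$HTTPD_DEFAULT_ON" -v off="$HTTPD_DEFAULT_OFF" '
        BEGIN {
            n = split(on, a, " ");  for (i = 1; i <= n; i++) expect[a[i]] = "on"
            n = split(off, b, " "); for (i = 1; i <= n; i++) expect[b[i]] = "off"
        }
        NF == 3 && $2 == "-->" && ($1 in expect) && $3 != expect[$1] {
            printf "%s expected=%s actual=%s\n", $1, expect[$1], $3
        }'
}

# Turn the drift report into persistent (-P) setsebool commands that put each
# drifted boolean back to its baseline value. Commands are printed, not run,
# so an operator can review them first.
httpd_boolean_restore_cmds() {
    httpd_boolean_drift | awk '{
        split($2, e, "=")
        printf "setsebool -P %s %s\n", $1, e[2]
    }'
}

# Constructed sample of getsebool output (not from a real host): two httpd
# booleans have been flipped away from the page's defaults, one unrelated
# boolean is present to show it is ignored.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> off
httpd_use_nfs --> off
unrelated_boolean --> on'

# Demo entry point: `sh audit_httpd_booleans.sh --demo` runs the sample.
# On a real host use:  getsebool -a | httpd_boolean_drift
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETSEBOOL" | httpd_boolean_drift
    printf '%s\n' "$SAMPLE_GETSEBOOL" | httpd_boolean_restore_cmds
fi
```

Running the sample reports `httpd_can_network_connect` as unexpectedly on (a boolean worth flagging, since it lets httpd open arbitrary outbound connections) and `httpd_enable_cgi` as unexpectedly off; piping live `getsebool -a` output through the same function gives the drift for a real host.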