Thursday, June 27, 2013

[Linux] selinux - Security Enhanced Linux Policy for the httpd processes

Booleans

SELinux policy is customizable on the principle of least access required. The httpd policy is extremely flexible and has several booleans that let you tune the policy and run httpd with the tightest access possible. Turn a boolean on only when the feature it enables is actually in use, since every boolean you enable widens what a compromised httpd process (or a script it runs) can reach. The -P flag in the commands below makes the change persistent across reboots; the current state of any boolean can be checked with getsebool <name>.
If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean.
setsebool -P httpd_manage_ipa 1
If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean.
setsebool -P httpd_run_stickshift 1
If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
setsebool -P httpd_use_openstack 1
If you want to allow Apache to use mod_auth_pam, you must turn on the allow_httpd_mod_auth_pam boolean.
setsebool -P allow_httpd_mod_auth_pam 1
If you want to allow httpd daemon to change system limits, you must turn on the httpd_setrlimit boolean.
setsebool -P httpd_setrlimit 1
If you want to allow httpd to act as an FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
setsebool -P httpd_enable_ftp_server 1
If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean.
setsebool -P httpd_use_nfs 1
If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean.
setsebool -P httpd_can_network_relay 1
If you want to allow the httpd daemon to check spam, you must turn on the httpd_can_check_spam boolean.
setsebool -P httpd_can_check_spam 1
If you want to allow HTTPD to communicate with the terminal, which is needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.
setsebool -P httpd_tty_comm 1
If you want to unify HTTPD handling of all content files (httpd treats every httpd content type the same, so the distinction between read-only and writable content is lost), you must turn on the httpd_unified boolean.
setsebool -P httpd_unified 1
If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
setsebool -P httpd_can_network_memcache 1
If you want to allow httpd to run gpg in gpg-web domain, you must turn on the httpd_use_gpg boolean.
setsebool -P httpd_use_gpg 1
If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean.
setsebool -P httpd_builtin_scripting 1
If you want to allow the httpd daemon to send mail, you must turn on the httpd_can_sendmail boolean.
setsebool -P httpd_can_sendmail 1
If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean.
setsebool -P httpd_enable_cgi 1
If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
setsebool -P httpd_read_user_content 1
If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean.
setsebool -P httpd_verify_dns 1
If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
setsebool -P named_bind_http_port 1
If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
setsebool -P httpd_can_network_connect_cobbler 1
If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
setsebool -P httpd_dbus_avahi 1
If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean.
setsebool -P httpd_enable_homedirs 1
If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
setsebool -P httpd_ssi_exec 1
If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. Leave this off unless an application really needs it: it lets a compromised httpd execute anything it can drop into /tmp.
setsebool -P httpd_tmp_exec 1
If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean.
setsebool -P httpd_use_cifs 1
If you want to allow httpd scripts and modules to use execmem/execstack, you must turn on the httpd_execmem boolean. This relaxes the executable-memory restrictions for the httpd domain; some JIT-based modules need it, but it removes a useful mitigation against memory-corruption exploits in httpd and its modules.
setsebool -P httpd_execmem 1
If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the allow_httpd_mod_auth_ntlm_winbind boolean.
setsebool -P allow_httpd_mod_auth_ntlm_winbind 1
If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. This is the broadest of the network booleans (it allows outbound TCP to any port); prefer the narrower httpd_can_network_connect_db or httpd_can_network_memcache when those are all you need.
setsebool -P httpd_can_network_connect 1
If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.
setsebool -P httpd_can_network_connect_db 1
If you want to allow ssh sessions in a chroot environment to manage Apache content, you must turn on the ssh_chroot_manage_apache_content boolean.
setsebool -P ssh_chroot_manage_apache_content 1

Sharing Files

If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t or public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to files labeled public_content_rw_t, you must also set the appropriate boolean for that domain.

Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type.
semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
restorecon -F -R -v /var/httpd
Allow httpd servers to read and write /var/httpd/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_anon_write boolean to be set.
semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
restorecon -F -R -v /var/httpd/incoming
If you want to allow Apache to modify public files used for public file transfer services (the directories/files must be labeled public_content_rw_t), you must turn on the allow_httpd_anon_write boolean.
setsebool -P allow_httpd_anon_write 1
If you want to allow Apache scripts to write to public content (the directories/files must be labeled public_content_rw_t), you must turn on the allow_httpd_sys_script_anon_write boolean.
setsebool -P allow_httpd_sys_script_anon_write 1
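The two sections above describe a lot of switches but not how to check which ones are currently on, or how label and boolean combine to decide whether httpd may write somewhere. The script below is an added example, not part of the httpd_selinux man page or the SELinux project; it parses the output format of getsebool -a (name --> on/off), lists the enabled booleans that most widen httpd's reach, and answers "can httpd (or a script it runs) write to a file of this type?" using the rules stated above. The sample getsebool output and the list of risky booleans are constructed assumptions for the example; on a real host feed it the output of getsebool -a instead.

```shell
#!/bin/sh
# Added example: audit httpd SELinux booleans and reason about write access.
# Not from the httpd_selinux man page; the sample data below is constructed.

# Constructed sample of `getsebool -a` output (assumption, not a real host).
# Replace with: SAMPLE_GETSEBOOL=$(getsebool -a)
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_execmem --> on
httpd_tmp_exec --> off
httpd_unified --> off
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> on
httpd_enable_homedirs --> off'

# Booleans that materially widen what a compromised httpd can do (our choice
# for this example; adjust to your own risk appetite).
RISKY_BOOLEANS="httpd_can_network_connect httpd_execmem httpd_tmp_exec httpd_unified allow_httpd_anon_write allow_httpd_sys_script_anon_write httpd_enable_homedirs httpd_ssi_exec"

# bool_state NAME [INPUT]: print on, off, or unknown for boolean NAME,
# parsed from getsebool-style lines "name --> state".
bool_state() {
    name=$1
    input=${2:-$SAMPLE_GETSEBOOL}
    state=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n { print $3 }')
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'unknown\n'; fi
}

# risky_on [INPUT]: print, one per line, the risky booleans that are on.
risky_on() {
    input=${1:-$SAMPLE_GETSEBOOL}
    for b in $RISKY_BOOLEANS; do
        [ "$(bool_state "$b" "$input")" = on ] && printf '%s\n' "$b"
    done
    return 0
}

# httpd_can_write LABEL WRITER [INPUT]: exit 0 if the configured booleans let
# WRITER (daemon = httpd itself, script = CGI/SSI scripts) write to files of
# type LABEL, exit 1 otherwise. Encodes the rules from the text above:
#   httpd_sys_rw_content_t  - always writable
#   httpd_sys_content_t     - writable only with httpd_unified (which makes
#                             httpd treat all its content types alike)
#   public_content_rw_t     - daemon needs allow_httpd_anon_write,
#                             scripts need allow_httpd_sys_script_anon_write
httpd_can_write() {
    label=$1; writer=$2; input=${3:-$SAMPLE_GETSEBOOL}
    case $label in
        httpd_sys_rw_content_t) return 0 ;;
        httpd_sys_content_t)
            [ "$(bool_state httpd_unified "$input")" = on ] && return 0
            return 1 ;;
        public_content_rw_t)
            case $writer in
                daemon) b=allow_httpd_anon_write ;;
                script) b=allow_httpd_sys_script_anon_write ;;
                *) return 1 ;;
            esac
            [ "$(bool_state "$b" "$input")" = on ] && return 0
            return 1 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report which risky booleans are enabled in the sample.
echo "Risky httpd booleans currently on:"
risky_on
```

Run it as-is to see the report for the constructed sample; on a live host replace SAMPLE_GETSEBOOL with the real getsebool -a output and use httpd_can_write with the type shown by ls -Z on the directory you are debugging. An "unknown" result means your policy version does not ship that boolean, so do not treat it as off.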
