VOOZH about

URL: https://www.tecmint.com/enable-disable-apache-boolean-values/

⇱ How to Enable/Disable SELinux Booleans for Apache

Skip to content

SELinux, or Security-Enhanced Linux, is a security mechanism for mandatory access control (MAC) implemented in the Linux kernel to add an extra layer of protection by controlling access to files, processes, and resources.

One aspect of SELinux is managing Booleans, which are switches that control various security policies.

In this article, we’ll focus on enabling or disabling specific SELinux Booleans, especially for Apache on RHEL-based distributions, to ensure optimal security and functionality.

TecMint Weekly Newsletter
Get the Learn Linux 7 Days Crash Course free when you join 34,000+ Linux professionals reading every Thursday.
Check your email for a magic link to get started.
Something went wrong. Please try again.

Understanding SELinux Booleans

Booleans in SELinux are like on-off switches that determine whether certain actions are allowed or denied. These Booleans can be toggled to enable or disable specific security policies.

For Apache, there are several Booleans that control its interactions with SELinux.

Enabling or Disabling Apache SELinux Booleans

To view all SELinux booleans, use the getsebool command together with less command.

getsebool -a | less
πŸ‘ Check SELinux Boolean Values
Check SELinux Boolean Values

To view all boolean values of the Apache program (or daemon), use the β€˜getseboolβ€˜ command with the grep utility, which will list all httpd-related booleans.

getsebool -a | grep httpd
πŸ‘ Check HTTP SELinux Boolean Values
Check HTTP SELinux Boolean Values

Here are some common Apache-related SELinux Booleans:

  • httpd_can_network_connect: Allows Apache to make network connections.
  • httpd_can_network_connect_db: Allows Apache to connect to databases over the network.
  • httpd_can_sendmail: Allows Apache to send email.
  • httpd_enable_cgi: Allows Apache to execute CGI scripts.
  • httpd_enable_homedirs: Allows Apache to read user home directories.

These Booleans control various aspects of Apache’s interactions with SELinux, helping to maintain security while allowing necessary functionality.

To enable a boolean, you can use the switch β€˜Onβ€˜ or the numerical value (1). To disable a boolean, you can use the switch β€˜Offβ€˜ or the numerical value (0) using the setsebool command as described below.

Enable Booleans for Apache

If you have a web server installed on your system, you can permit HTTPD scripts to write files in directories labeled public_content_rw_t by enabling the allow_httpd_sys_script_anon_write boolean.

getsebool allow_httpd_sys_script_anon_write 
setsebool -P allow_httpd_sys_script_anon_write on
OR
# setsebool -P allow_httpd_sys_script_anon_write 1
πŸ‘ Enable Apache SELinux Boolean
Enable Apache SELinux Boolean

The -P option in the setsebool command ensures that changes persist across system reboots, which is important for maintaining consistent security policies.

Disable Booleans for Apache

Similarly, to disable or turn off the above SELinux boolean value, run the following command.

setsebool allow_httpd_sys_script_anon_write off
setsebool allow_mount_anyfile off
OR
setsebool allow_httpd_sys_script_anon_write 0
setsebool allow_mount_anyfile 0

Don’t forget to read the following security-related articles.

SELinux Booleans provides a flexible way to control security policies on Linux systems. For Apache, enabling or disabling specific Booleans can enhance security while allowing necessary functionality.

By understanding how to manage these Booleans, administrators can tailor SELinux policies to suit their organization’s needs effectively.

If this article helped, share it with someone on your team.
TecMint Weekly Newsletter
Get the Learn Linux 7 Days Crash Course free when you join 34,000+ Linux professionals reading every Thursday.
Check your email for a magic link to get started.
Something went wrong. Please try again.
β˜•
TecMint has been free for 14 years. Help keep it that way.
Google AI Overviews and tools like ChatGPT have cut into search traffic for independent tech sites like TecMint. Running this site costs over $2,000 every month for hosting, infrastructure, and paying authors to keep the content accurate and tested.

If this article helped you solve a problem, consider buying a coffee. It helps keep TecMint free, supports the authors, and keeps the project going.
β˜• Buy Me a Coffee
Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

6 Comments

Leave a Reply

  1. Hi, I cannot connect via ssh to my machine after enabling SELinux to enforce mode.

    I have tried the touch /.autorelabel but no luck.

    In getsebool – all the booleans are on…

    Please help me here.

    Reply

  2. Hi,

    I set setsebool httpd_can_network_connect on and httpd_can_network_connect_db on. But after reboot, the setting rolls back to off.

    is there an argument to permanently set setsebool.

    Reply

    • use "-P" switch for persistent/permanent change. like, setsebool -P httpd_can_network_connect on.

      Reply

      • Thanks a lot. Now im out of the issue.

        Reply

  3. What is the risk if we set httpd can network connect to on

    Reply

    • @JK,

      If you set correct SELinux boolean value on HTTPD, then no issues at all..

      Reply

Got Something to Say? Join the Discussion... Cancel reply

Free Course
Get a free Linux course before you go.
Subscribe to TecMint Weekly and get the Learn Linux 7 Days Crash Course free. Read by 34,000+ Linux professionals every Thursday.
Check your email for a magic link to get started.