11.4 Ensure Only the Necessary SELinux Booleans are Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

SELinux booleans allow or disallow behavior specific to the Apache web server. Common examples include whether CGI execution is allowed, or if the httpd server is allowed to communicate with the current terminal (tty). Communication with the terminal, may be necessary for entering a passphrase during start up to decrypt a private key.

Rationale:

Enabling only the necessary httpd related booleans provides a defense in depth approach, that will deny actions that are not in use or expected.

Solution

Perform the following to implement the recommended state:

To disable the SELinux httpd booleans that are determined to be unnecessary, use the setsebool command as shown below with the -P option to make the change persistent.

# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Default Value:

SELinux is not enabled by default.

See Also

https://workbench.cisecurity.org/files/3021