Details
SELinux booleans allow or disallow behavior specific to the Apache web server. Common examples include whether CGI execution is allowed, or if the httpd server is allowed to communicate with the current terminal (tty). Communication with the terminal, may be necessary for entering a passphrase during start up to decrypt a private key.
Rationale:
Enabling only the necessary httpd related booleans provides a defense in depth approach, that will deny actions that are not in use or expected.
Solution
Perform the following to implement the recommended state:
To disable the SELinux httpd booleans that are determined to be unnecessary, use the setsebool command as shown below with the -P option to make the change persistent.
# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi –> off
Default Value:
SELinux is not enabled by default.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.