SimpleRisk requires the following SELinux Boolean to be enabled:
- httpd_read_user_content
For native password reset functionality and/or the Notifications Extra, the following Boolean is needed in addition to appropriate SMTP configuration updates within php.ini:
- httpd_can_sendmail
If the SimpleRisk Apache and MySQL instances are hosted on separate machines, the following Boolean is needed to permit database connectivity from the web tier:
- httpd_can_network_connect
As root, these Booleans can be set with the setsebool command in Linux, e.g.:
- setsebool -P <Boolean_name>=1
To validate the current configuration of SELinux Booleans, use getsebool, e.g.:
- getsebool -a | grep <Boolean_name>
To summarize, these are the SELinux Booleans that are turned on for httpd to work on a SimpleRisk application server:
- httpd_builtin_scripting
- httpd_can_network_connect
- httpd_can_sendmail
- httpd_dbus_avahi
- httpd_enable_cgi
- httpd_read_user_content
- httpd_tty_comm
- httpd_unified
It should be possible to turn off all of the following SELinux Booleans:
- allow_httpd_anon_write
- allow_httpd_mod_auth_ntlm_winbind
- allow_httpd_mod_auth_pam
- allow_httpd_sys_script_anon_write
- httpd_can_check_spam
- httpd_can_network_connect_cobbler
- httpd_can_network_connect_db
- httpd_can_network_memcache
- httpd_can_network_relay
- httpd_dbus_sssd
- httpd_enable_ftp_server
- httpd_enable_homedirs
- httpd_execmem
- httpd_manage_ipa
- httpd_run_preupgrade
- httpd_run_stickshift
- httpd_serve_cobbler_files
- httpd_setrlimit
- httpd_ssi_exec
- httpd_tmp_exec
- httpd_use_cifs
- httpd_use_fusefs
- httpd_use_gpg
- httpd_use_nfs
- httpd_use_openstack
- httpd_verify_dns
- named_bind_http_port
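
The two lists above can be checked in one pass. The following script is an added example, not part of SimpleRisk: it reads `getsebool -a` output on standard input and reports every Boolean whose state differs from the lists on this page. The function names, the MISMATCH/MISSING report format and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `getsebool -a` output against this page's Boolean lists.
# httpd_can_sendmail and httpd_can_network_connect are only needed for the
# deployments described above; drop them from REQUIRED_ON if they do not apply.
REQUIRED_ON="httpd_builtin_scripting httpd_can_network_connect httpd_can_sendmail"
REQUIRED_ON="$REQUIRED_ON httpd_dbus_avahi httpd_enable_cgi httpd_read_user_content"
REQUIRED_ON="$REQUIRED_ON httpd_tty_comm httpd_unified"

EXPECTED_OFF="allow_httpd_anon_write allow_httpd_mod_auth_ntlm_winbind"
EXPECTED_OFF="$EXPECTED_OFF allow_httpd_mod_auth_pam allow_httpd_sys_script_anon_write"
EXPECTED_OFF="$EXPECTED_OFF httpd_can_check_spam httpd_can_network_connect_cobbler"
EXPECTED_OFF="$EXPECTED_OFF httpd_can_network_connect_db httpd_can_network_memcache"
EXPECTED_OFF="$EXPECTED_OFF httpd_can_network_relay httpd_dbus_sssd httpd_enable_ftp_server"
EXPECTED_OFF="$EXPECTED_OFF httpd_enable_homedirs httpd_execmem httpd_manage_ipa"
EXPECTED_OFF="$EXPECTED_OFF httpd_run_preupgrade httpd_run_stickshift httpd_serve_cobbler_files"
EXPECTED_OFF="$EXPECTED_OFF httpd_setrlimit httpd_ssi_exec httpd_tmp_exec httpd_use_cifs"
EXPECTED_OFF="$EXPECTED_OFF httpd_use_fusefs httpd_use_gpg httpd_use_nfs httpd_use_openstack"
EXPECTED_OFF="$EXPECTED_OFF httpd_verify_dns named_bind_http_port"

# Reads "name --> on|off" lines on stdin and prints one finding per line.
# Booleans from EXPECTED_OFF that the loaded policy does not define are ignored.
audit_booleans() {
    awk -v on="$REQUIRED_ON" -v off="$EXPECTED_OFF" '
        BEGIN {
            n = split(on, a, " ");  for (i = 1; i <= n; i++) want[a[i]] = "on"
            n = split(off, a, " "); for (i = 1; i <= n; i++) want[a[i]] = "off"
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1]) print "MISMATCH " $1 " is " $3 ", expected " want[$1]
        }
        END {
            for (b in want) if (want[b] == "on" && !(b in seen)) print "MISSING " b
        }
    ' | sort
}

# Constructed sample input (not captured from a real host).
sample_getsebool() {
    printf '%s\n' 'httpd_builtin_scripting --> on' 'httpd_can_network_connect --> on' \
        'httpd_can_sendmail --> off' 'httpd_dbus_avahi --> on' 'httpd_enable_cgi --> on' \
        'httpd_execmem --> on' 'httpd_read_user_content --> on' 'httpd_tty_comm --> on' \
        'httpd_use_nfs --> off'
}

sample_getsebool | audit_booleans
```

On a real host, run `getsebool -a | audit_booleans` as root; no output means the Booleans match the lists above.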