A company keeps SELinux in Enforcing mode on its web server. After moving the application's PostgreSQL database to a dedicated host (10.10.20.15:5432), the PHP code running under the httpd_t domain starts logging AVC denials similar to:
The security team insists that only the minimum SELinux privilege necessary be granted and that the change must survive reboots. Which single command satisfies all of these requirements?
The denial shows that the httpd_t domain is being blocked from opening a network socket to a database server. The SELinux boolean httpd_can_network_connect_db is designed for exactly this case: it lets HTTPD scripts initiate outbound connections only to database ports, not to arbitrary network ports. The -P switch makes the change persistent across reboots.
setsebool -P httpd_can_network_connect_db on - Correct. Enables the targeted boolean with persistence, granting the minimal privilege required.
setsebool -P httpd_can_network_connect on - Grants much broader access (any TCP port), violating the least-privilege requirement, so it is not acceptable.
semanage port -a -t http_port_t -p tcp 5432 - Adds a label so Apache could listen on 5432 locally; it does nothing for outbound connections.
semanage permissive -a httpd_t - Puts the entire httpd_t domain into permissive mode, effectively disabling enforcement for the web server and exceeding the requirement.
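As an added illustration (not part of the original question or its explanation), the following POSIX shell script reads a constructed AVC denial of the kind the question describes and maps it to the narrowest httpd boolean, distinguishing a database port label (the `_db` boolean) from any other port (the broad boolean); the list of database port types is an assumption to verify against the host's policy:

```shell
#!/bin/sh
# Added example: map an httpd_t AVC denial to the narrowest SELinux boolean.
# The sample denial below is constructed, not taken from a real host.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="php-fpm" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# Print the value of one key=value field from an AVC line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# Print the narrowest boolean for an outbound httpd_t TCP connect denial:
#   postgresql_port_t / mysqld_port_t  -> httpd_can_network_connect_db
#   any other port type                -> httpd_can_network_connect (any TCP port)
#   not an httpd_t name_connect denial -> none
# Assumption: those two port types are the database labels covered by the _db
# boolean on the target policy; confirm with `sesearch -b httpd_can_network_connect_db`.
recommend_boolean() {
    line=$1
    case "$line" in
        *'denied  { name_connect }'*) ;;
        *) echo none; return 0 ;;
    esac
    domain=$(avc_field "$line" scontext | cut -d: -f3)
    port_type=$(avc_field "$line" tcontext | cut -d: -f3)
    tclass=$(avc_field "$line" tclass)
    if [ "$domain" != httpd_t ] || [ "$tclass" != tcp_socket ]; then
        echo none; return 0
    fi
    case "$port_type" in
        postgresql_port_t|mysqld_port_t) echo httpd_can_network_connect_db ;;
        *) echo httpd_can_network_connect ;;
    esac
}

# Build the persistent setsebool command for a denial, or say why none applies.
suggest_fix() {
    b=$(recommend_boolean "$1")
    if [ "$b" = none ]; then
        echo "no httpd network boolean applies to this denial"
    else
        echo "setsebool -P $b on"
    fi
}

suggest_fix "$SAMPLE_AVC"
# prints: setsebool -P httpd_can_network_connect_db on
```

When the port type is not a database label, the script still names the broad boolean only so the operator can see the trade-off; on a real host the narrower fix is usually to label the port correctly or use a more specific boolean, after checking the policy with `sesearch`.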
CompTIA Linux+ XK0-006 (V8)
Security