Enable the gssd_read_tmp SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean gssd_read_tmp is enabled. This setting allows gssd processes to access Kerberos to read TGTs in the temp directory. If this setting is disabled, it should be enabled. To enable the gssd_read_tmp SELinux boolean, run the following command:

$ sudo setsebool -P gssd_read_tmp on

ID: xccdf_org.ssgproject.content_rule_sebool_gssd_read_tmp
Severity: Medium
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - enable_strategy
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_gssd_read_tmp

- name: Enable the gssd_read_tmp SELinux Boolean - Ensure python3-libsemanage Installed
  package:
    name: python3-libsemanage
    state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_gssd_read_tmp
- name: XCCDF Value var_gssd_read_tmp # promote to variable
  set_fact:
    var_gssd_read_tmp: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_gssd_read_tmp" use="legacy"/>
  tags:
    - always

- name: Enable the gssd_read_tmp SELinux Boolean - Set SELinux Boolean gssd_read_tmp
    Accordingly
  seboolean:
    name: gssd_read_tmp
    state: '{{ var_gssd_read_tmp }}'
    persistent: true
  when:
  - '"kernel" in ansible_facts.packages'
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_gssd_read_tmp

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    yum install -y "python3-libsemanage"
fi

if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then

    var_gssd_read_tmp='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_gssd_read_tmp" use="legacy"/>'

    setsebool -P gssd_read_tmp $var_gssd_read_tmp

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable the gssd_read_tmp SELinux Boolean

Description

Remediation - Ansible

Remediation - Shell Script