Skip to content

Ensure SELinux is Not Disabled

An XCCDF Rule

Description

The SELinux state should be set to enforcing or permissive at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing or permissive mode:

SELINUX=enforcing
OR
SELINUX=permissive

warning alert: Warning

In case the SELinux is "disabled", the automated remediation will adopt a more conservative approach and set it to "permissive" in order to avoid any system disruption and give the administrator the opportunity to assess the impact and necessary efforts before setting it to "enforcing", which is strongly recommended.

Rationale

Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux controls without a system reboot. It also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

ID
xccdf_org.ssgproject.content_rule_selinux_not_disabled
Severity
High
References
Updated



Remediation - Ansible

- name: Ensure SELinux is Not Disabled
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/selinux/config

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/selinux/config" ] ; then
    
    LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"