Disable the secure_mode_policyload SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean secure_mode_policyload is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode_policyload SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_policyload off

ID: xccdf_org.ssgproject.content_rule_sebool_secure_mode_policyload
Severity: Medium
Updated: about 1 year ago

- name: Disable the secure_mode_policyload SELinux Boolean - Ensure python3-libsemanage
    Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_policyload
- name: XCCDF Value var_secure_mode_policyload # promote to variable
  set_fact:
    var_secure_mode_policyload: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_policyload" use="legacy"/>
  tags:
    - always

- name: Disable the secure_mode_policyload SELinux Boolean - Set SELinux Boolean secure_mode_policyload
    Accordingly
  seboolean:
    name: secure_mode_policyload
    state: '{{ var_secure_mode_policyload }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_secure_mode_policyload

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    yum install -y "python3-libsemanage"
fi

if selinuxenabled; then

    var_secure_mode_policyload='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_policyload" use="legacy"/>'

    setsebool -P secure_mode_policyload $var_secure_mode_policyload

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable the secure_mode_policyload SELinux Boolean

Description

Remediation - Ansible

Remediation - Shell Script