Enable the selinuxuser_ping SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_ping on

ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping
Severity: Medium
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - enable_strategy
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping

- name: Enable the selinuxuser_ping SELinux Boolean - Ensure python3-libsemanage Installed
  package:
    name: python3-libsemanage
    state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping
- name: XCCDF Value var_selinuxuser_ping # promote to variable
  set_fact:
    var_selinuxuser_ping: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" use="legacy"/>
  tags:
    - always

- name: Enable the selinuxuser_ping SELinux Boolean - Set SELinux Boolean selinuxuser_ping
    Accordingly
  seboolean:
    name: selinuxuser_ping
    state: '{{ var_selinuxuser_ping }}'
    persistent: true
  when:
  - '"kernel" in ansible_facts.packages'
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    yum install -y "python3-libsemanage"
fi

if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then

    var_selinuxuser_ping='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" use="legacy"/>'

    setsebool -P selinuxuser_ping $var_selinuxuser_ping

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable the selinuxuser_ping SELinux Boolean

Description

Remediation - Ansible

Remediation - Shell Script