Skip to content

Enable the antivirus_can_scan_system SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled as it allows antivirus programs to read non-security files on a system. To enable the antivirus_can_scan_system SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_can_scan_system on
ID
xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
Severity
Medium
References
Updated

Remediation Templates

An Ansible Snippet

- name: Enable the antivirus_can_scan_system SELinux Boolean - Ensure python3-libsemanage
    Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

A Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "python3-libsemanage" ; then
    dnf install -y "python3-libsemanage"
fi