Enable the antivirus_can_scan_system SELinux Boolean
An XCCDF Rule
Description
By default, the SELinux boolean antivirus_can_scan_system
is disabled.
This setting should be enabled as it allows antivirus programs to read non-security
files on a system.
To enable the antivirus_can_scan_system
SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_can_scan_system on
- ID
- xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Enable the antivirus_can_scan_system SELinux Boolean - Ensure python3-libsemanage
Installed
package:
name: python3-libsemanage
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "python3-libsemanage" ; then
dnf install -y "python3-libsemanage"
fi