Enable the selinuxuser_ping SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_ping on

ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping
Severity: Medium
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "python3-libsemanage" ; then
    dnf install -y "python3-libsemanage"
fi

if selinuxenabled; then

    var_selinuxuser_ping='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" use="legacy"/>'

    setsebool -P selinuxuser_ping $var_selinuxuser_ping

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Enable the selinuxuser_ping SELinux Boolean - Ensure python3-libsemanage Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping
- name: XCCDF Value var_selinuxuser_ping # promote to variable
  set_fact:
    var_selinuxuser_ping: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" use="legacy"/>
  tags:
    - always
- name: Enable the selinuxuser_ping SELinux Boolean - Set SELinux Boolean selinuxuser_ping
    Accordingly
  seboolean:
    name: selinuxuser_ping
    state: '{{ var_selinuxuser_ping }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping

Enable the selinuxuser_ping SELinux Boolean

Description

Remediation Templates

A Shell Script

An Ansible Snippet