An XCCDF Group - A logical subset of the XCCDF Benchmark
libselinux
$ sudo yum install libselinux
policycoreutils
$ sudo yum install policycoreutils
setroubleshoot-plugins
$ sudo yum erase setroubleshoot-plugins
setroubleshoot-server
$ sudo yum erase setroubleshoot-server
setroubleshoot
$ sudo yum erase setroubleshoot
selinux=0
/etc/default/grub
device_t
unlabeled_t
$ sudo find /dev -context '*:device_t:*' \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context '*:unlabeled_t:*' \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo semanage user -m staff_u -R staff_r -R sysadm_r
$ sudo semanage user -m user_u -R user_r
init
unconfined_service_t
$ sudo ps -eZ | grep "unconfined_service_t"
sudo visudo -f /etc/sudoers.d/CUSTOM_FILE
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
enforcing
permissive
/etc/selinux/config
SELINUX=enforcing
SELINUX=permissive
targeted
SELINUXTYPE=
mls
SELINUX=
sysadm_u
staff_u
sysadm_t
staff_t
$ sudo semanage login -m -s sysadm_u USER
$ sudo semanage login -m -s staff_u USER
user_u
$ sudo semanage login -m -s user_u USER
abrt_anon_write
$ sudo setsebool -P abrt_anon_write off
abrt_handle_event
$ sudo setsebool -P abrt_handle_event off
abrt_upload_watch_anon_write
$ sudo setsebool -P abrt_upload_watch_anon_write off
auditadm_exec_content
$ sudo setsebool -P auditadm_exec_content on
cron_can_relabel
$ sudo setsebool -P cron_can_relabel off
cron_system_cronjob_use_shares
$ sudo setsebool -P cron_system_cronjob_use_shares off
cron_userdomain_transition
$ sudo setsebool -P cron_userdomain_transition on
daemons_dump_core
$ sudo setsebool -P daemons_dump_core off
daemons_use_tcp_wrapper
$ sudo setsebool -P daemons_use_tcp_wrapper off
daemons_use_tty
$ sudo setsebool -P daemons_use_tty off
deny_execmem
$ sudo setsebool -P deny_execmem <on|off>
deny_ptrace
$ sudo setsebool -P deny_ptrace off
domain_fd_use
$ sudo setsebool -P domain_fd_use on
domain_kernel_load_modules
$ sudo setsebool -P domain_kernel_load_modules off
fips_mode
$ sudo setsebool -P fips_mode on
gpg_web_anon_write
$ sudo setsebool -P gpg_web_anon_write off
guest_exec_content
$ sudo setsebool -P guest_exec_content off
kerberos_enabled
$ sudo setsebool -P kerberos_enabled on
logadm_exec_content
$ sudo setsebool -P logadm_exec_content on
logging_syslogd_can_sendmail
$ sudo setsebool -P logging_syslogd_can_sendmail off
logging_syslogd_use_tty
syslog
$ sudo setsebool -P logging_syslogd_use_tty on
login_console_enabled
/dev/console
$ sudo setsebool -P login_console_enabled on
mmap_low_allowed
$ sudo setsebool -P mmap_low_allowed off
mock_enable_homedirs
$ sudo setsebool -P mock_enable_homedirs off
mount_anyfile
$ sudo setsebool -P mount_anyfile on
polyinstantiation_enabled
$ sudo setsebool -P polyinstantiation_enabled <on|off>
secadm_exec_content
$ sudo setsebool -P secadm_exec_content on
secure_mode
$ sudo setsebool -P secure_mode off
secure_mode_insmod
$ sudo setsebool -P secure_mode_insmod <on|off>
secure_mode_policyload
$ sudo setsebool -P secure_mode_policyload off
selinuxuser_direct_dri_enabled
$ sudo setsebool -P selinuxuser_direct_dri_enabled off
selinuxuser_execheap
$ sudo setsebool -P selinuxuser_execheap off
selinuxuser_execmod
$ sudo setsebool -P selinuxuser_execmod on
selinuxuser_execstack
$ sudo setsebool -P selinuxuser_execstack off
selinuxuser_mysql_connect_enabled
$ sudo setsebool -P selinuxuser_mysql_connect_enabled off
selinuxuser_ping
$ sudo setsebool -P selinuxuser_ping on
selinuxuser_postgresql_connect_enabled
$ sudo setsebool -P selinuxuser_postgresql_connect_enabled off
selinuxuser_rw_noexattrfile
$ sudo setsebool -P selinuxuser_rw_noexattrfile off
selinuxuser_share_music
$ sudo setsebool -P selinuxuser_share_music off
selinuxuser_tcp_server
$ sudo setsebool -P selinuxuser_tcp_server off
selinuxuser_udp_server
$ sudo setsebool -P selinuxuser_udp_server off
selinuxuser_use_ssh_chroot
$ sudo setsebool -P selinuxuser_use_ssh_chroot off
ssh_chroot_rw_homedirs
$ sudo setsebool -P ssh_chroot_rw_homedirs off
ssh_keysign
$ sudo setsebool -P ssh_keysign off
ssh_sysadm_login
$ sudo setsebool -P ssh_sysadm_login off
staff_exec_content
$ sudo setsebool -P staff_exec_content on
sysadm_exec_content
$ sudo setsebool -P sysadm_exec_content on
unconfined_login
$ sudo setsebool -P unconfined_login on
use_ecryptfs_home_dirs
$ sudo setsebool -P use_ecryptfs_home_dirs off
user_exec_content
$ sudo setsebool -P user_exec_content on
xdm_bind_vnc_tcp_port
$ sudo setsebool -P xdm_bind_vnc_tcp_port off
xdm_exec_bootloader
$ sudo setsebool -P xdm_exec_bootloader off
xdm_sysadm_login
$ sudo setsebool -P xdm_sysadm_login off
xdm_write_home
$ sudo setsebool -P xdm_write_home off
xguest_connect_network
NetworkManager
$ sudo setsebool -P xguest_connect_network off
xguest_exec_content
$ sudo setsebool -P xguest_exec_content off
xguest_mount_media
$ sudo setsebool -P xguest_mount_media off
xguest_use_bluetooth
$ sudo setsebool -P xguest_use_bluetooth off
xserver_clients_write_xshm
$ sudo setsebool -P xserver_clients_write_xshm off
xserver_execmem
$ sudo setsebool -P xserver_execmem off
xserver_object_manager
$ sudo setsebool -P xserver_object_manager off