Disable the selinuxuser_execheap SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_execheap is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execheap off

Rationale

Disabling code execution from the heap blocks buffer overflow attacks.

ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap
Severity: Medium
References: 164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e)

R48
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - enable_strategy
  - low_complexity  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_execheap

- name: Disable the selinuxuser_execheap SELinux Boolean - Ensure libsemanage-python
    Installed
  package:
    name: libsemanage-python
    state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_execheap
- name: XCCDF Value var_selinuxuser_execheap # promote to variable
  set_fact:
    var_selinuxuser_execheap: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" use="legacy"/>
  tags:
    - always

- name: Disable the selinuxuser_execheap SELinux Boolean - Set SELinux Boolean selinuxuser_execheap
    Accordingly
  seboolean:
    name: selinuxuser_execheap
    state: '{{ var_selinuxuser_execheap }}'
    persistent: true
  when:
  - '"kernel" in ansible_facts.packages'
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_execheap

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if ! rpm -q --quiet "libsemanage-python" ; then
    yum install -y "libsemanage-python"
fi

if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then

    var_selinuxuser_execheap='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" use="legacy"/>'

    setsebool -P selinuxuser_execheap $var_selinuxuser_execheap

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable the selinuxuser_execheap SELinux Boolean

Description

Rationale

Remediation - Ansible

Remediation - Shell Script