Disable the selinuxuser_execheap SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_execheap is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execheap off

Rationale

Disabling code execution from the heap blocks buffer overflow attacks.

ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap
Severity: Medium
References: BP28(R67)

164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e)

CCE-82312-0
Updated: about 1 year ago

- name: Disable the selinuxuser_execheap SELinux Boolean - Ensure libsemanage-python
    Installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]  tags:
  - CCE-82312-0
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_execheap
- name: XCCDF Value var_selinuxuser_execheap # promote to variable
  set_fact:
    var_selinuxuser_execheap: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" use="legacy"/>
  tags:
    - always

- name: Disable the selinuxuser_execheap SELinux Boolean - Set SELinux Boolean selinuxuser_execheap
    Accordingly
  seboolean:
    name: selinuxuser_execheap
    state: '{{ var_selinuxuser_execheap }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - CCE-82312-0
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_execheap

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "libsemanage-python" ; then
    yum install -y "libsemanage-python"
fi

if selinuxenabled; then

    var_selinuxuser_execheap='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" use="legacy"/>'

    setsebool -P selinuxuser_execheap $var_selinuxuser_execheap

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable the selinuxuser_execheap SELinux Boolean

Description

Rationale

Remediation - Ansible

Remediation - Shell Script