Enable the selinuxuser_ping SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_ping on

ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping
Severity: Medium
References: CCE-82318-7
Updated: over 1 year ago

Remediation Templates

- name: Enable the selinuxuser_ping SELinux Boolean - Ensure libsemanage-python Installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - CCE-82318-7
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping
- name: XCCDF Value var_selinuxuser_ping # promote to variable
  set_fact:
    var_selinuxuser_ping: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" use="legacy"/>
  tags:
    - always
- name: Enable the selinuxuser_ping SELinux Boolean - Set SELinux Boolean selinuxuser_ping
    Accordingly
  seboolean:
    name: selinuxuser_ping
    state: '{{ var_selinuxuser_ping }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - CCE-82318-7
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_ping

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "libsemanage-python" ; then
    yum install -y "libsemanage-python"
fi

if selinuxenabled; then

    var_selinuxuser_ping='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" use="legacy"/>'

    setsebool -P selinuxuser_ping $var_selinuxuser_ping

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable the selinuxuser_ping SELinux Boolean

Description

Remediation Templates

An Ansible Snippet

A Shell Script