Disable the selinuxuser_use_ssh_chroot SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_use_ssh_chroot off

ID: xccdf_org.ssgproject.content_rule_sebool_selinuxuser_use_ssh_chroot
Severity: Medium
References: CCE-82324-5
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "libsemanage-python" ; then
    yum install -y "libsemanage-python"
fi

if selinuxenabled; then

    var_selinuxuser_use_ssh_chroot='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_use_ssh_chroot" use="legacy"/>'

    setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot

else
    echo "Skipping remediation, SELinux is disabled";
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Disable the selinuxuser_use_ssh_chroot SELinux Boolean - Ensure libsemanage-python
    Installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]  tags:
  - CCE-82324-5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_use_ssh_chroot
- name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable
  set_fact:
    var_selinuxuser_use_ssh_chroot: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_use_ssh_chroot" use="legacy"/>
  tags:
    - always

- name: Disable the selinuxuser_use_ssh_chroot SELinux Boolean - Set SELinux Boolean
    selinuxuser_use_ssh_chroot Accordingly
  seboolean:
    name: selinuxuser_use_ssh_chroot
    state: '{{ var_selinuxuser_use_ssh_chroot }}'
    persistent: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.selinux.status == 'enabled'
  tags:
  - CCE-82324-5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sebool_selinuxuser_use_ssh_chroot

Disable the selinuxuser_use_ssh_chroot SELinux Boolean

Description

Remediation - Shell Script

Remediation - Ansible