Configure SELinux Policy
An XCCDF Rule
Description
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
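A read-only audit of the setting described above, as an added example that is not part of the SSG rule or its remediation. The function name check_selinuxtype and its return codes are assumptions of this example; the caller passes in the expected policy name, and the sample config is constructed.

```shell
# Added example: audit SELINUXTYPE in an SELinux config file (read-only).
# Usage: check_selinuxtype EXPECTED_POLICY [CONFIG_FILE]
# Returns 0 compliant, 1 not set, 2 wrong value, 3 conflicting lines, 4 unreadable.
check_selinuxtype() {
    expected=$1
    config=${2:-/etc/selinux/config}

    if [ ! -r "$config" ]; then
        echo "FAIL: cannot read $config"
        return 4
    fi

    # Collect the value of every active SELINUXTYPE= line. The key is matched
    # case-insensitively and with optional leading whitespace so that no
    # candidate line is missed (a conservative choice made for this example).
    # Lines starting with '#' never match. Only trailing whitespace is
    # stripped, so "targeted # note" does not count as "targeted".
    values=$(awk 'toupper($0) ~ /^[[:space:]]*SELINUXTYPE=/ {
                      sub(/^[^=]*=/, ""); sub(/[[:space:]]+$/, ""); print
                  }' "$config" | sort -u)

    if [ -z "$values" ]; then
        echo "FAIL: no SELINUXTYPE value set in $config"
        return 1
    fi
    if [ "$(printf '%s\n' "$values" | wc -l)" -gt 1 ]; then
        echo "FAIL: conflicting SELINUXTYPE values in $config"
        return 3
    fi
    if [ "$values" != "$expected" ]; then
        echo "FAIL: SELINUXTYPE=$values, expected $expected"
        return 2
    fi
    echo "PASS: SELINUXTYPE=$values"
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUXTYPE=mls   (commented out, must be ignored)
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
check_selinuxtype targeted "$sample" || true   # compliant
check_selinuxtype mls "$sample" || true        # wrong value
rm -f "$sample"
```

Duplicate active lines with different values are reported as a finding rather than resolved, so the verdict does not depend on which line the system would honour.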
Rationale
Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
- ID: xccdf_org.ssgproject.content_rule_selinux_policytype
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: XCCDF Value var_selinux_policy_name # promote to variable
  set_fact:
    var_selinux_policy_name: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" use="legacy"/>
  tags:
    - always
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_selinux_policy_name='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" use="legacy"/>'