Configure SELinux Policy

An XCCDF Rule

Description

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .

ID: xccdf_org.ssgproject.content_rule_selinux_policytype
Severity: Medium
References: BP28(R66)

1 11 12 13 14 15 16 18 3 4 5 6 8 9

APO01.06 APO11.04 APO13.01 BAI03.05 DSS01.05 DSS03.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.03 DSS06.06 MEA02.01

3.1.2 3.7.2

CCI-002165 CCI-002696

164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e)

4.2.3.4 4.3.3.2.2 4.3.3.3.9 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 4.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CIP-003-8 R5.1.1 CIP-003-8 R5.2 CIP-003-8 R5.3 CIP-004-6 R2.2.3 CIP-004-6 R2.3 CIP-004-6 R3.3 CIP-007-3 R5.1 CIP-007-3 R5.1.2 CIP-007-3 R5.2 CIP-007-3 R5.3.1 CIP-007-3 R5.3.2 CIP-007-3 R5.3.3 CIP-007-3 R6.5

AC-3 AC-3(3)(a) AU-9 SC-7(21)

DE.AE-1 ID.AM-3 PR.AC-4 PR.AC-5 PR.AC-6 PR.DS-5 PR.PT-1 PR.PT-3 PR.PT-4

SRG-OS-000445-GPOS-00199

SRG-APP-000233-CTR-000585

CCE-91445-7

1.2.6
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_selinux_policy_name='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" use="legacy"/>'

if [ -e "/etc/selinux/config" ] ; then
    
    LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config"
else
    touch "/etc/selinux/config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/selinux/config"

cp "/etc/selinux/config" "/etc/selinux/config.bak"
# Insert at the end of the file
printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: XCCDF Value var_selinux_policy_name # promote to variable
  set_fact:
    var_selinux_policy_name: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" use="legacy"/>
  tags:
    - always
- name: Configure SELinux Policy
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/selinux/config
      create: true
      regexp: ^SELINUXTYPE=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/selinux/config
    lineinfile:
      path: /etc/selinux/config
      create: true
      regexp: ^SELINUXTYPE=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/selinux/config
    lineinfile:
      path: /etc/selinux/config
      create: true
      regexp: ^SELINUXTYPE=
      line: SELINUXTYPE={{ var_selinux_policy_name }}
      state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91445-7
  - NIST-800-171-3.1.2
  - NIST-800-171-3.7.2
  - NIST-800-53-AC-3
  - NIST-800-53-AC-3(3)(a)
  - NIST-800-53-AU-9
  - NIST-800-53-SC-7(21)
  - PCI-DSSv4-1.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - selinux_policytype

Configure SELinux Policy

Description

Rationale

Remediation - Shell Script

Remediation - Ansible