Skip to content

Enable the antivirus_can_scan_system SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled as it allows antivirus programs to read non-security files on a system. To enable the antivirus_can_scan_system SELinux boolean, run the following command:

$ sudo setsebool -P antivirus_can_scan_system on

ID
xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
Severity
Medium
References
Updated



Remediation - Ansible

- name: Enable the antivirus_can_scan_system SELinux Boolean - Ensure python3-libsemanage
    Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    dnf install -y "python3-libsemanage"
fi