Skip to content

Enable the gssd_read_tmp SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean gssd_read_tmp is enabled. This setting allows gssd processes to access Kerberos to read TGTs in the temp directory. If this setting is disabled, it should be enabled. To enable the gssd_read_tmp SELinux boolean, run the following command:

$ sudo setsebool -P gssd_read_tmp on

ID
xccdf_org.ssgproject.content_rule_sebool_gssd_read_tmp
Severity
Medium
Updated



Remediation - Ansible

- name: Enable the gssd_read_tmp SELinux Boolean - Ensure python3-libsemanage Installed
  package:
    name: python3-libsemanage
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "python3-libsemanage" ; then
    dnf install -y "python3-libsemanage"
fi