Enable the gssd_read_tmp SELinux Boolean
An XCCDF Rule
Description
By default, the SELinux boolean gssd_read_tmp
is enabled.
This setting allows gssd
processes to access Kerberos to read
TGTs in the temp directory. If this setting is disabled, it should
be enabled.
To enable the gssd_read_tmp
SELinux boolean, run the following command:
$ sudo setsebool -P gssd_read_tmp on
- ID
- xccdf_org.ssgproject.content_rule_sebool_gssd_read_tmp
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Enable the gssd_read_tmp SELinux Boolean - Ensure python3-libsemanage Installed
package:
name: python3-libsemanage
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "python3-libsemanage" ; then
dnf install -y "python3-libsemanage"
fi