Configure SELinux – Part 3

Ensure SELinux policy is configured


Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.


Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.


Run the following commands and ensure output matches “default” or “mls”:

# grep SELINUXTYPE= /etc/selinux/config 
# sestatus
Policy from config file: default


Edit the /etc/selinux/config file to set the SELINUXTYPE parameter to the policy the site requires (the default policy in this benchmark):

SELINUXTYPE=default


Ensure no unconfined daemons exist


Daemons that are not defined in SELinux policy will inherit the security context of their parent process.


Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires.


Run the following command and verify that no output is produced:

# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'


Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
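The two audits above (policy type in /etc/selinux/config, and processes running under the initrc_t label) can be scripted so they run the same way on every host and can be exercised against sample text before being pointed at a live system. The helper below is an added example, not part of the original post or of any benchmark tooling; both the config excerpt and the ps -eZ listing embedded in it are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original post).
# Both checks read text rather than touching the system directly, so they
# can be run against the constructed samples below or against real data:
#   check_policy_type < /etc/selinux/config
#   unconfined_daemons "$(ps -eZ)"

# Print the effective SELINUXTYPE value from config text on stdin.
# Comment lines are ignored; the last uncommented assignment wins.
policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | tail -n 1
}

# Return 0 when the configured policy is "default" or "mls" (the values the
# audit accepts), 1 otherwise. Reads config text on stdin.
check_policy_type() {
    t=$(policy_type)
    case "$t" in
        default|mls) return 0 ;;
        *) return 1 ;;
    esac
}

# Given "ps -eZ" output as $1, print the command name of every process whose
# security label (first column) carries the initrc_t type, skipping the
# tools that the audit pipeline itself would spawn.
unconfined_daemons() {
    printf '%s\n' "$1" | awk '
        $1 ~ /initrc_t/ {
            cmd = $NF
            if (cmd !~ /^(tr|ps|egrep|grep|bash|awk|sed)$/) print cmd
        }'
}

# Constructed sample config: a commented-out value must not be picked up.
SAMPLE_CONFIG='SELINUX=enforcing
# SELINUXTYPE=mls
SELINUXTYPE=default'

# Constructed sample "ps -eZ" output: one real daemon (mydaemon) is running
# unconfined under initrc_t; the ps process is excluded as audit noise.
SAMPLE_PS='LABEL                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0                               1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023                 812 ?        00:00:00 sshd
system_u:system_r:initrc_t:s0                          1044 ?        00:00:00 mydaemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2210 pts/0    00:00:00 bash
system_u:system_r:initrc_t:s0                          2299 pts/0    00:00:00 ps'

# Demo on the constructed samples when run directly.
if printf '%s\n' "$SAMPLE_CONFIG" | check_policy_type; then
    echo "policy type: compliant ($(printf '%s\n' "$SAMPLE_CONFIG" | policy_type))"
else
    echo "policy type: NOT compliant"
fi
echo "unconfined daemons (expect none on a compliant host):"
unconfined_daemons "$SAMPLE_PS"
```

On a compliant host the second function prints nothing; any name it does print is a process that inherited initrc_t from init and should be given an existing context or a policy of its own, as the audit text says.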
