Configure SELinux – Part 3

Ensure SELinux policy is configured

Overview:

Configure SELinux to load at least the default policy. On Debian-based systems this is the "default" policy type, a targeted-style policy that confines daemons and system software but leaves interactive user sessions unconfined.

Why:

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.

Audit:

Run the following commands and ensure the reported policy type is "default" or "mls":

# grep SELINUXTYPE= /etc/selinux/config 
SELINUXTYPE=default 
# sestatus
Policy from config file: default

Fix:

Edit the /etc/selinux/config file to set the SELINUXTYPE parameter:

SELINUXTYPE=default

Ensure no unconfined daemons exist

Overview:

Daemons that are not defined in SELinux policy will inherit the security context of their parent process.

Why:

Since daemons are launched by, and descend from, the init process, a daemon with no policy of its own will inherit the security context label initrc_t. This can have the unintended consequence of giving the process far more permission than it requires.

Audit:

Run the following command and verify that no output is produced:

ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'

Fix:

Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
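The two audit steps above (policy type in /etc/selinux/config, and daemons running as initrc_t) can be scripted so that they return a clear pass/fail instead of relying on eyeballing output. The following is an added example, not code from the original post; the sample config text and ps -eZ listing are constructed inline so the script runs offline, and in real use you would feed it the output of "cat /etc/selinux/config" and "ps -eZ" instead.

```shell
#!/bin/sh
# Added example: scripted versions of the two SELinux audits above.

# Constructed sample of /etc/selinux/config (not taken from a real host).
# Deliberately set to a value the check should reject.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: default, mls
SELINUXTYPE=targeted
'

# Constructed sample of `ps -eZ` output. One daemon (legacyd) is
# running unconfined under initrc_t; the rest have their own domains.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0       612 ?        00:00:00 sshd
system_u:system_r:initrc_t:s0     640 ?        00:00:00 legacyd
system_u:system_r:cron_t:s0       655 ?        00:00:00 cron
unconfined_u:unconfined_r:unconfined_t:s0 900 pts/0 00:00:00 bash
'

# Read config text on stdin and print the effective SELINUXTYPE value.
# Comment lines are ignored; if the key appears more than once the
# last assignment wins, matching how the file is parsed.
selinux_type_from_config() {
    grep -E '^[[:space:]]*SELINUXTYPE=' | tail -n 1 | cut -d= -f2 | tr -d '[:space:]"'
}

# Return 0 if the policy type meets the recommendation, 1 otherwise.
policy_type_ok() {
    case "$1" in
        default|mls) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `ps -eZ` output on stdin and print "PID COMMAND" for every process
# whose SELinux type is initrc_t. Matching on the label column only (not
# the whole line, as the grep above does) avoids false hits on commands
# whose name happens to contain "initrc".
unconfined_daemons() {
    awk '$1 ~ /:initrc_t(:|$)/ { print $2, $NF }'
}

# Combine both checks into a single PASS/FAIL report.
audit_selinux() {
    config_text=$1
    ps_text=$2
    status=0

    t=$(printf '%s' "$config_text" | selinux_type_from_config)
    if policy_type_ok "$t"; then
        echo "PASS: SELINUXTYPE=$t"
    else
        echo "FAIL: SELINUXTYPE=$t (expected default or mls)"
        status=1
    fi

    found=$(printf '%s' "$ps_text" | unconfined_daemons)
    if [ -z "$found" ]; then
        echo "PASS: no daemons running as initrc_t"
    else
        echo "FAIL: unconfined daemons (PID COMMAND):"
        echo "$found"
        status=1
    fi
    return "$status"
}

# Stand-alone run against the constructed samples; both checks fail here.
audit_selinux "$SAMPLE_CONFIG" "$SAMPLE_PS"
```

When running this against a live system, start it from a normal login shell: if the audit itself is launched from an init script, the shell, ps and awk processes will be initrc_t too, which is exactly why the one-liner in the post excludes "tr|ps|egrep|bash|awk" by name.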
