1.6.2.6 Ensure no unconfined daemons exist

Information

Daemons that are not defined in SELinux policy will inherit the security context of their
parent process.

Rationale:

Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires.

Solution

Investigate any unconfined daemons found during the audit action. They may need to have
an existing security context assigned to them or a policy built for them.
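The audit action this control refers to is a check of `ps -eZ` for processes still labelled initrc_t. The following is an added example, not part of the CIS/Tenable text: a shell function that filters `ps -eZ` output for the initrc_t domain, excluding the helper processes of the pipeline itself, plus a constructed sample of `ps -eZ` output (the daemon names backupd and mgmt-agent are invented for illustration) so the check runs offline.

```shell
# Added example, not part of the CIS/Tenable text: list daemons running in the
# initrc_t (unconfined) domain by parsing `ps -eZ` output. On a live host, pipe
# real output in:   ps -eZ | find_unconfined_daemons
find_unconfined_daemons() {
    # Keep only processes labelled initrc_t, drop the pipeline's own helper
    # processes, then print the command name (last field) of each match.
    grep 'initrc_t' \
      | grep -Evw 'tr|ps|grep|egrep|bash|awk' \
      | awk '{ print $NF }' \
      | sort -u
}

# Constructed sample `ps -eZ` output (LABEL PID TTY TIME CMD); the daemon
# names are hypothetical.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023   812 ?   00:00:00 sshd
system_u:system_r:initrc_t:s0     901 ?        00:00:01 backupd
system_u:system_r:httpd_t:s0      950 ?        00:00:00 httpd
system_u:system_r:initrc_t:s0    1021 ?        00:00:00 mgmt-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1200 pts/0 00:00:00 bash'

# Runs the check against the constructed sample; prints one daemon name per
# line (backupd and mgmt-agent for this sample). An empty result means the
# control passes.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_unconfined_daemons
}

audit_sample
```

Each name the function prints is a daemon that inherited initrc_t from init and needs either an existing type assigned to its executable (for example with `semanage fcontext` followed by `restorecon`) or a policy module of its own, unless it is one of the documented exceptions described in the Notes.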

Notes:

Occasionally certain daemons such as backup or centralized management software may
require running unconfined. Any such software should be carefully analyzed and
documented before such an exception is made.

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: d6bafed6d8ea74856a68122ed03f19b494d5aa8e1236752e747729c2c2bd2171