5.2 Verify SELinux security options, if applicable (Scored)


SELinux is an effective and easy-to-use Linux application security system. It is available on
quite a few Linux distributions by default such as Red Hat and Fedora.

SELinux provides a Mandatory Access Control (MAC) system that greatly augments the
default Discretionary Access Control (DAC) model. You can thus add an extra layer of safety
by enabling SELinux on your Linux host, if applicable.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


If SELinux is applicable for your Linux OS, use it. You may have to follow below set of steps-

1. Set the SELinux State.
2. Set the SELinux Policy.
3. Create or import a SELinux policy template for Docker containers.
4. Start Docker in daemon mode with SELinux enabled. For example,docker -d --selinux-enabled5. Start your Docker container using the security options. For example,docker run -i -t --security-opt label-level-TopSecret centos /bin/bashImpact-The container (process) would have set of restrictions as defined in SELinux policy. If your
SELinux policy is mis-configured, then the container may not entirely work as expected.Default Value-By default, no SELinux security options are applied on containers.

See Also


Item Details


References: 800-53|AC-3(3)

Plugin: Unix

Control ID: c3628ef73ad0c2cc0ea6f43ee04b87e4ab4f5b829d991e22ffdd8d972486355b