1.3.1.5 Ensure the SELinux mode is not disabled

Information

SELinux can run in enforcing or permissive mode:

- enforcing: The security policy is enforced. Any access that is not explicitly allowed by the policy is denied.

- permissive: SELinux is active, the security policy is loaded, the file system is labeled and access denial entries are logged. However, the policy is not enforced, and no access is denied.

Note: You can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive:

# semanage permissive -a httpd_t

Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

Solution

Note: Apply only one set of remediation steps, depending on whether SELinux is currently disabled or not currently disabled.

If SELinux is currently disabled:

- Update the SELinux running state to either enforcing or permissive:

Reset the security context on the running system:

# restorecon -R /

Run the following command to create /etc/selinux/.autorelabel:

# touch /etc/selinux/.autorelabel

- Edit /etc/selinux/config and update the SELINUX parameter to either SELINUX=enforcing or SELINUX=permissive:

Example:

SELINUX=enforcing

Run the following command to reboot the system:

# reboot

WARNING: The autorelabel may be a long-running process and require significant downtime. This should be planned for before executing the reboot!
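
To confirm the result after the reboot, the following added example (not part of the benchmark text or of any vendor audit) checks both the SELINUX parameter in the config file and the state reported by getenforce. The function names are hypothetical, values are compared case-insensitively as an assumption of this example, and a file with conflicting SELINUX= lines is treated as a failure.

```shell
#!/bin/sh
# Added example: audit helper for "SELinux mode is not disabled".
# Function names are hypothetical; /etc/selinux/config is the path from the page.

# Print one "mode=<value>" line per uncommented SELINUX= setting, lowercased.
# SELINUXTYPE= is ignored because the pattern requires '=' right after SELINUX.
selinux_config_modes() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*$/mode=\1/p' "$1" \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 only if every SELINUX= line is enforcing or permissive.
# Return 1 if the setting is missing, empty, disabled or unknown; 2 if unreadable.
config_not_disabled() {
    [ -r "$1" ] || return 2
    modes=$(selinux_config_modes "$1")
    [ -n "$modes" ] || return 1
    for m in $modes; do
        case "$m" in
            mode=enforcing|mode=permissive) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 if a getenforce-style output string is Enforcing or Permissive.
runtime_not_disabled() {
    case "$1" in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the config file (default: /etc/selinux/config) and the running state.
audit_selinux() {
    cfg=${1:-/etc/selinux/config}
    config_not_disabled "$cfg" || { echo "FAIL: SELINUX setting in $cfg"; return 1; }
    state=$(getenforce 2>/dev/null) || { echo "FAIL: getenforce unavailable"; return 1; }
    runtime_not_disabled "$state" || { echo "FAIL: runtime state is $state"; return 1; }
    echo "PASS: SELinux is $state and $cfg does not disable it"
}
```

On a live host, source the file and call audit_selinux; it needs getenforce on the PATH.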

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-3, CSCv7|14.6

Plugin: Unix

Control ID: 23e87abcb0440edd76664af549a00780c39dd288fb1165379d0212f797ac65c1