SELinux can be disabled at boot time by disabling it via a kernel argument. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
To properly set the owner of /etc/selinux, run the command:
$ sudo chown root /etc/selinux
The ownership of the /etc/selinux directory by the root user is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.
To properly set the group owner of /etc/selinux, run the command:
$ sudo chgrp root /etc/selinux
The ownership of the /etc/selinux directory by the root group is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.
To properly set the permissions of /etc/selinux, run the command:
$ sudo chmod 0755 /etc/selinux
Setting correct permissions on the /etc/selinux directory is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the SELinux configuration.
SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
To properly set the group owner of /etc/sestatus.conf, run the command:
$ sudo chgrp root /etc/sestatus.conf
The ownership of the /etc/sestatus.conf file by the root group is important because this file hosts SELinux configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.
To properly set the owner of /etc/sestatus.conf, run the command:
$ sudo chown root /etc/sestatus.conf
The ownership of the /etc/sestatus.conf file by the root user is important because this file hosts SELinux configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.
To properly set the permissions of /etc/sestatus.conf, run the command:
$ sudo chmod 0644 /etc/sestatus.conf
Setting correct permissions on the /etc/sestatus.conf file is important because this file hosts SELinux configuration. Protection of this file is critical for system security. Restricting the permissions ensures exclusive control of the SELinux configuration.
The libselinux package can be installed with the following command:
$ sudo dnf install libselinux
Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The libselinux package contains the core library of the Security-enhanced Linux system.
The mcstransd daemon provides category label information
to client processes requesting information. The label translations are defined
in /etc/selinux/targeted/setrans.conf.
The mcstrans package can be removed with the following command:
$ sudo dnf erase mcstrans
Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system.
The policycoreutils-python-utils package can be installed with the following command:
$ sudo dnf install policycoreutils-python-utils
This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
The policycoreutils package can be installed with the following command:
$ sudo dnf install policycoreutils
Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on.
The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot-plugins package can be removed with the following command:
$ sudo dnf erase setroubleshoot-plugins
The SETroubleshoot service is an unnecessary daemon to have running on a server.
The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot-server package can be removed with the following command:
$ sudo dnf erase setroubleshoot-server
The SETroubleshoot service is an unnecessary daemon to have running on a server.
The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command:
$ sudo dnf erase setroubleshoot
The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.
By default, the SELinux boolean abrt_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the abrt_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_anon_write off
By default, the SELinux boolean abrt_handle_event is disabled.
If this setting is enabled, it should be disabled.
To disable the abrt_handle_event SELinux boolean, run the following command:
$ sudo setsebool -P abrt_handle_event off
By default, the SELinux boolean abrt_upload_watch_anon_write is enabled.
This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT)
to modify public files used for public file transfer services.
To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_upload_watch_anon_write off
By default, the SELinux boolean antivirus_can_scan_system is disabled.
This setting should be enabled as it allows antivirus programs to read non-security
files on a system.
To enable the antivirus_can_scan_system SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_can_scan_system on
By default, the SELinux boolean antivirus_use_jit is disabled.
If this setting is enabled, it should be disabled.
To disable the antivirus_use_jit SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_use_jit off
By default, the SELinux boolean auditadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the auditadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P auditadm_exec_content on
By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_nsswitch_use_ldap off
By default, the SELinux boolean authlogin_radius is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_radius SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_radius off
By default, the SELinux boolean authlogin_yubikey is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_yubikey SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_yubikey off
By default, the SELinux boolean awstats_purge_apache_log_files is disabled.
If this setting is enabled, it should be disabled.
To disable the awstats_purge_apache_log_files SELinux boolean, run the following command:
$ sudo setsebool -P awstats_purge_apache_log_files off
By default, the SELinux boolean boinc_execmem is enabled.
This setting should be disabled.
To disable the boinc_execmem SELinux boolean, run the following command:
$ sudo setsebool -P boinc_execmem off
By default, the SELinux boolean cdrecord_read_content is disabled.
If this setting is enabled, it should be disabled.
To disable the cdrecord_read_content SELinux boolean, run the following command:
$ sudo setsebool -P cdrecord_read_content off
By default, the SELinux boolean cluster_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the cluster_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P cluster_can_network_connect off
By default, the SELinux boolean cluster_manage_all_files is disabled.
If this setting is enabled, it should be disabled.
To disable the cluster_manage_all_files SELinux boolean, run the following command:
$ sudo setsebool -P cluster_manage_all_files off
By default, the SELinux boolean cluster_use_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the cluster_use_execmem SELinux boolean, run the following command:
$ sudo setsebool -P cluster_use_execmem off
By default, the SELinux boolean cobbler_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_anon_write off
By default, the SELinux boolean cobbler_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_can_network_connect off
By default, the SELinux boolean cobbler_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_use_cifs off
By default, the SELinux boolean cobbler_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_use_nfs off
By default, the SELinux boolean collectd_tcp_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the collectd_tcp_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P collectd_tcp_network_connect off
By default, the SELinux boolean condor_tcp_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the condor_tcp_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P condor_tcp_network_connect off
By default, the SELinux boolean conman_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the conman_can_network SELinux boolean, run the following command:
$ sudo setsebool -P conman_can_network off
By default, the SELinux boolean container_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the container_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P container_connect_any off
By default, the SELinux boolean cron_can_relabel is disabled.
If this setting is enabled, it should be disabled.
To disable the cron_can_relabel SELinux boolean, run the following command:
$ sudo setsebool -P cron_can_relabel off
By default, the SELinux boolean cron_userdomain_transition is enabled.
This setting should be enabled as end user cron jobs run in their default
associated user domain(s) instead of the general cronjob domain.
To enable the cron_userdomain_transition SELinux boolean, run the following command:
$ sudo setsebool -P cron_userdomain_transition on
By default, the SELinux boolean cups_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the cups_execmem SELinux boolean, run the following command:
$ sudo setsebool -P cups_execmem off
By default, the SELinux boolean cvs_read_shadow is disabled.
If this setting is enabled, it should be disabled.
To disable the cvs_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P cvs_read_shadow off
By default, the SELinux boolean daemons_dump_core is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_dump_core SELinux boolean, run the following command:
$ sudo setsebool -P daemons_dump_core off
By default, the SELinux boolean daemons_enable_cluster_mode is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_enable_cluster_mode SELinux boolean, run the following command:
$ sudo setsebool -P daemons_enable_cluster_mode off
By default, the SELinux boolean daemons_use_tcp_wrapper is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:
$ sudo setsebool -P daemons_use_tcp_wrapper off
By default, the SELinux boolean daemons_use_tty is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_use_tty SELinux boolean, run the following command:
$ sudo setsebool -P daemons_use_tty off
By default, the SELinux boolean dbadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the dbadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P dbadm_exec_content on
By default, the SELinux boolean dbadm_manage_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the dbadm_manage_user_files SELinux boolean, run the following command:
$ sudo setsebool -P dbadm_manage_user_files off
By default, the SELinux boolean dbadm_read_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the dbadm_read_user_files SELinux boolean, run the following command:
$ sudo setsebool -P dbadm_read_user_files off
By default, the SELinux boolean deny_execmem is disabled.
This setting should be configured to $var_deny_execmem.
To set the deny_execmem SELinux boolean, run the following command:
$ sudo setsebool -P deny_execmem $var_deny_execmem
Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.
By default, the SELinux boolean deny_ptrace is disabled.
If this setting is enabled, it should be disabled.
To disable the deny_ptrace SELinux boolean, run the following command:
$ sudo setsebool -P deny_ptrace off
By default, the SELinux boolean dhcpc_exec_iptables is disabled.
If this setting is enabled, it should be disabled.
To disable the dhcpc_exec_iptables SELinux boolean, run the following command:
$ sudo setsebool -P dhcpc_exec_iptables off
By default, the SELinux boolean dhcpd_use_ldap is disabled.
If this setting is enabled, it should be disabled.
To disable the dhcpd_use_ldap SELinux boolean, run the following command:
$ sudo setsebool -P dhcpd_use_ldap off
By default, the SELinux boolean domain_fd_use is enabled.
If this setting is disabled, it should be enabled.
To enable the domain_fd_use SELinux boolean, run the following command:
$ sudo setsebool -P domain_fd_use on
By default, the SELinux boolean domain_kernel_load_modules is disabled.
If this setting is enabled, it should be disabled.
To disable the domain_kernel_load_modules SELinux boolean, run the following command:
$ sudo setsebool -P domain_kernel_load_modules off
By default, the SELinux boolean entropyd_use_audio is enabled.
This setting should be disabled as it uses audit input to generate entropy.
To disable the entropyd_use_audio SELinux boolean, run the following command:
$ sudo setsebool -P entropyd_use_audio off
By default, the SELinux boolean exim_can_connect_db is disabled.
If this setting is enabled, it should be disabled.
To disable the exim_can_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P exim_can_connect_db off
By default, the SELinux boolean exim_manage_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the exim_manage_user_files SELinux boolean, run the following command:
$ sudo setsebool -P exim_manage_user_files off
By default, the SELinux boolean exim_read_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the exim_read_user_files SELinux boolean, run the following command:
$ sudo setsebool -P exim_read_user_files off
By default, the SELinux boolean fcron_crond is disabled.
If this setting is enabled, it should be disabled.
To disable the fcron_crond SELinux boolean, run the following command:
$ sudo setsebool -P fcron_crond off
By default, the SELinux boolean fenced_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the fenced_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P fenced_can_network_connect off
By default, the SELinux boolean fenced_can_ssh is disabled.
If this setting is enabled, it should be disabled.
To disable the fenced_can_ssh SELinux boolean, run the following command:
$ sudo setsebool -P fenced_can_ssh off
By default, the SELinux boolean fips_mode is enabled.
This allows all SELinux domains to execute in fips_mode.
If this setting is disabled, it should be enabled.
To enable the fips_mode SELinux boolean, run the following command:
$ sudo setsebool -P fips_mode on
By default, the SELinux boolean ftpd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_anon_write off
By default, the SELinux boolean ftpd_connect_all_unreserved is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_connect_all_unreserved off
By default, the SELinux boolean ftpd_connect_db is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_connect_db off
By default, the SELinux boolean ftpd_full_access is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_full_access SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_full_access off
By default, the SELinux boolean ftpd_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_cifs off
By default, the SELinux boolean ftpd_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_fusefs off
By default, the SELinux boolean ftpd_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_nfs off
By default, the SELinux boolean ftpd_use_passive_mode is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_passive_mode SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_passive_mode off
By default, the SELinux boolean git_cgi_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_cgi_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_enable_homedirs off
By default, the SELinux boolean git_cgi_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_cgi_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_use_cifs off
By default, the SELinux boolean git_cgi_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_cgi_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_use_nfs off
By default, the SELinux boolean git_session_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P git_session_bind_all_unreserved_ports off
By default, the SELinux boolean git_session_users is disabled.
If this setting is enabled, it should be disabled.
To disable the git_session_users SELinux boolean, run the following command:
$ sudo setsebool -P git_session_users off
By default, the SELinux boolean git_system_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_system_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P git_system_enable_homedirs off
By default, the SELinux boolean git_system_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_system_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P git_system_use_cifs off
By default, the SELinux boolean git_system_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_system_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P git_system_use_nfs off
By default, the SELinux boolean gitosis_can_sendmail is disabled.
If this setting is enabled, it should be disabled.
To disable the gitosis_can_sendmail SELinux boolean, run the following command:
$ sudo setsebool -P gitosis_can_sendmail off
By default, the SELinux boolean glance_api_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the glance_api_can_network SELinux boolean, run the following command:
$ sudo setsebool -P glance_api_can_network off
By default, the SELinux boolean glance_use_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the glance_use_execmem SELinux boolean, run the following command:
$ sudo setsebool -P glance_use_execmem off
By default, the SELinux boolean glance_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the glance_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P glance_use_fusefs off
By default, the SELinux boolean global_ssp is disabled.
If this setting is enabled, it should be disabled.
To disable the global_ssp SELinux boolean, run the following command:
$ sudo setsebool -P global_ssp off
By default, the SELinux boolean gluster_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the gluster_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P gluster_anon_write off
By default, the SELinux boolean gluster_export_all_ro is disabled.
If this setting is enabled, it should be disabled.
To disable the gluster_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P gluster_export_all_ro off
By default, the SELinux boolean gluster_export_all_rw is enabled.
If GlusterFS is in use, this setting should be enabled. Otherwise,
disable it.
To disable the gluster_export_all_rw SELinux boolean, run the following command:
$ sudo setsebool -P gluster_export_all_rw off
By default, the SELinux boolean gpg_web_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the gpg_web_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P gpg_web_anon_write off
By default, the SELinux boolean gssd_read_tmp is enabled.
This setting allows gssd processes to access Kerberos to read
TGTs in the temp directory. If this setting is disabled, it should
be enabled.
To enable the gssd_read_tmp SELinux boolean, run the following command:
$ sudo setsebool -P gssd_read_tmp on
By default, the SELinux boolean guest_exec_content is enabled.
This setting should be disabled as no guest accounts should be used.
To disable the guest_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P guest_exec_content off
By default, the SELinux boolean haproxy_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the haproxy_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P haproxy_connect_any off
By default, the SELinux boolean httpd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P httpd_anon_write off
By default, the SELinux boolean httpd_builtin_scripting is enabled.
This setting should be disabled if httpd is not running php
or some similary scripting language.
To disable the httpd_builtin_scripting SELinux boolean, run the following command:
$ sudo setsebool -P httpd_builtin_scripting off
By default, the SELinux boolean httpd_can_check_spam is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_check_spam SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_check_spam off
By default, the SELinux boolean httpd_can_connect_ftp is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ftp SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_ftp off
By default, the SELinux boolean httpd_can_connect_ldap is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ldap SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_ldap off
By default, the SELinux boolean httpd_can_connect_mythtv is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_mythtv SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_mythtv off
By default, the SELinux boolean httpd_can_connect_zabbix is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_zabbix SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_zabbix off
By default, the SELinux boolean httpd_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect off
By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect_cobbler off
By default, the SELinux boolean httpd_can_network_connect_db is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect_db off
By default, the SELinux boolean httpd_can_network_memcache is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_memcache SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_memcache off
By default, the SELinux boolean httpd_can_network_relay is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_relay SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_relay off
By default, the SELinux boolean httpd_can_sendmail is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_sendmail SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_sendmail off
By default, the SELinux boolean httpd_dbus_avahi is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_dbus_avahi SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dbus_avahi off
By default, the SELinux boolean httpd_dbus_sssd is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_dbus_sssd SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dbus_sssd off
By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dontaudit_search_dirs off
By default, the SELinux boolean httpd_enable_cgi is enabled.
This setting should be disabled unless httpd is used with CGI
scripting.
To disable the httpd_enable_cgi SELinux boolean, run the following command:
$ sudo setsebool -P httpd_enable_cgi off
By default, the SELinux boolean httpd_enable_ftp_server is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_enable_ftp_server SELinux boolean, run the following command:
$ sudo setsebool -P httpd_enable_ftp_server off
By default, the SELinux boolean httpd_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_enable_homedirs off
By default, the SELinux boolean httpd_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_execmem SELinux boolean, run the following command:
$ sudo setsebool -P httpd_execmem off
By default, the SELinux boolean httpd_graceful_shutdown is enabled.
If this setting is disabled, it should be enabled.
To enable the httpd_graceful_shutdown SELinux boolean, run the following command:
$ sudo setsebool -P httpd_graceful_shutdown on
By default, the SELinux boolean httpd_manage_ipa is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_manage_ipa SELinux boolean, run the following command:
$ sudo setsebool -P httpd_manage_ipa off
By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command:
$ sudo setsebool -P httpd_mod_auth_ntlm_winbind off
By default, the SELinux boolean httpd_mod_auth_pam is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_pam SELinux boolean, run the following command:
$ sudo setsebool -P httpd_mod_auth_pam off
By default, the SELinux boolean httpd_read_user_content is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_read_user_content SELinux boolean, run the following command:
$ sudo setsebool -P httpd_read_user_content off
By default, the SELinux boolean httpd_run_ipa is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_run_ipa SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_ipa off
By default, the SELinux boolean httpd_run_preupgrade is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_run_preupgrade SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_preupgrade off
By default, the SELinux boolean httpd_run_stickshift is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_run_stickshift SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_stickshift off
By default, the SELinux boolean httpd_serve_cobbler_files is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_serve_cobbler_files SELinux boolean, run the following command:
$ sudo setsebool -P httpd_serve_cobbler_files off
By default, the SELinux boolean httpd_setrlimit is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_setrlimit SELinux boolean, run the following command:
$ sudo setsebool -P httpd_setrlimit off
By default, the SELinux boolean httpd_ssi_exec is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_ssi_exec SELinux boolean, run the following command:
$ sudo setsebool -P httpd_ssi_exec off
By default, the SELinux boolean httpd_sys_script_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_sys_script_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P httpd_sys_script_anon_write off
By default, the SELinux boolean httpd_tmp_exec is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_tmp_exec SELinux boolean, run the following command:
$ sudo setsebool -P httpd_tmp_exec off
By default, the SELinux boolean httpd_tty_comm is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_tty_comm SELinux boolean, run the following command:
$ sudo setsebool -P httpd_tty_comm off
By default, the SELinux boolean httpd_unified is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_unified SELinux boolean, run the following command:
$ sudo setsebool -P httpd_unified off
By default, the SELinux boolean httpd_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_cifs off
By default, the SELinux boolean httpd_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_fusefs off
By default, the SELinux boolean httpd_use_gpg is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_gpg SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_gpg off
By default, the SELinux boolean httpd_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_nfs off
By default, the SELinux boolean httpd_use_openstack is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_openstack SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_openstack off
By default, the SELinux boolean httpd_use_sasl is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_sasl SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_sasl off
By default, the SELinux boolean httpd_verify_dns is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_verify_dns SELinux boolean, run the following command:
$ sudo setsebool -P httpd_verify_dns off
By default, the SELinux boolean icecast_use_any_tcp_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command:
$ sudo setsebool -P icecast_use_any_tcp_ports off
By default, the SELinux boolean irc_use_any_tcp_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the irc_use_any_tcp_ports SELinux boolean, run the following command:
$ sudo setsebool -P irc_use_any_tcp_ports off
By default, the SELinux boolean irssi_use_full_network is disabled.
If this setting is enabled, it should be disabled.
To disable the irssi_use_full_network SELinux boolean, run the following command:
$ sudo setsebool -P irssi_use_full_network off
By default, the SELinux boolean kdumpgui_run_bootloader is disabled.
If this setting is enabled, it should be disabled.
To disable the kdumpgui_run_bootloader SELinux boolean, run the following command:
$ sudo setsebool -P kdumpgui_run_bootloader off
By default, the SELinux boolean kerberos_enabled is enabled.
If this setting is disabled, it should be enabled to allow confined
applications to run with Kerberos.
To enable the kerberos_enabled SELinux boolean, run the following command:
$ sudo setsebool -P kerberos_enabled on
By default, the SELinux boolean ksmtuned_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P ksmtuned_use_cifs off
By default, the SELinux boolean ksmtuned_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P ksmtuned_use_nfs off
By default, the SELinux boolean logadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the logadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P logadm_exec_content on
By default, the SELinux boolean logging_syslogd_can_sendmail is disabled.
If this setting is enabled, it should be disabled.
To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command:
$ sudo setsebool -P logging_syslogd_can_sendmail off
By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled.
If this setting is enabled, it should be disabled.
To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command:
$ sudo setsebool -P logging_syslogd_run_nagios_plugins off
By default, the SELinux boolean logging_syslogd_use_tty is enabled.
If this setting is disabled, it should be enabled as it allows syslog
the ability to read/write to terminal.
To enable the logging_syslogd_use_tty SELinux boolean, run the following command:
$ sudo setsebool -P logging_syslogd_use_tty on
By default, the SELinux boolean login_console_enabled is enabled.
If this setting is disabled, it should be enabled as it allows login from
/dev/console to a console session.
To enable the login_console_enabled SELinux boolean, run the following command:
$ sudo setsebool -P login_console_enabled on
By default, the SELinux boolean logrotate_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the logrotate_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P logrotate_use_nfs off
By default, the SELinux boolean logwatch_can_network_connect_mail is disabled.
If this setting is enabled, it should be disabled.
To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command:
$ sudo setsebool -P logwatch_can_network_connect_mail off
By default, the SELinux boolean lsmd_plugin_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the lsmd_plugin_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P lsmd_plugin_connect_any off
By default, the SELinux boolean mailman_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the mailman_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P mailman_use_fusefs off
By default, the SELinux boolean mcelog_client is disabled.
If this setting is enabled, it should be disabled.
To disable the mcelog_client SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_client off
By default, the SELinux boolean mcelog_exec_scripts is enabled.
If this setting is disabled, it should be enabled.
To enable the mcelog_exec_scripts SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_exec_scripts on
By default, the SELinux boolean mcelog_foreground is disabled.
If this setting is enabled, it should be disabled.
To disable the mcelog_foreground SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_foreground off
By default, the SELinux boolean mcelog_server is disabled.
If this setting is enabled, it should be disabled.
To disable the mcelog_server SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_server off
By default, the SELinux boolean minidlna_read_generic_user_content is disabled.
If this setting is enabled, it should be disabled.
To disable the minidlna_read_generic_user_content SELinux boolean, run the following command:
$ sudo setsebool -P minidlna_read_generic_user_content off
By default, the SELinux boolean mmap_low_allowed is disabled.
If this setting is enabled, it should be disabled.
To disable the mmap_low_allowed SELinux boolean, run the following command:
$ sudo setsebool -P mmap_low_allowed off
By default, the SELinux boolean mock_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the mock_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P mock_enable_homedirs off
By default, the SELinux boolean mount_anyfile is enabled.
If this setting is disabled, it should be enabled to allow any file
or directory to be mounted.
To enable the mount_anyfile SELinux boolean, run the following command:
$ sudo setsebool -P mount_anyfile on
By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off
By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_can_network_connect off
By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_bluejeans off
By default, the SELinux boolean mozilla_plugin_use_gps is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_gps SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_gps off
By default, the SELinux boolean mozilla_plugin_use_spice is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_spice SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_spice off
By default, the SELinux boolean mozilla_read_content is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_read_content SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_read_content off
By default, the SELinux boolean mpd_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the mpd_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P mpd_enable_homedirs off
By default, the SELinux boolean mpd_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the mpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P mpd_use_cifs off
By default, the SELinux boolean mpd_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the mpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P mpd_use_nfs off
By default, the SELinux boolean mplayer_execstack is disabled.
If this setting is enabled, it should be disabled.
To disable the mplayer_execstack SELinux boolean, run the following command:
$ sudo setsebool -P mplayer_execstack off
By default, the SELinux boolean mysql_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the mysql_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P mysql_connect_any off
By default, the SELinux boolean nagios_run_pnp4nagios is disabled.
If this setting is enabled, it should be disabled.
To disable the nagios_run_pnp4nagios SELinux boolean, run the following command:
$ sudo setsebool -P nagios_run_pnp4nagios off
By default, the SELinux boolean nagios_run_sudo is disabled.
If this setting is enabled, it should be disabled.
To disable the nagios_run_sudo SELinux boolean, run the following command:
$ sudo setsebool -P nagios_run_sudo off
By default, the SELinux boolean named_tcp_bind_http_port is disabled.
If this setting is enabled, it should be disabled.
To disable the named_tcp_bind_http_port SELinux boolean, run the following command:
$ sudo setsebool -P named_tcp_bind_http_port off
By default, the SELinux boolean named_write_master_zones is disabled.
If this setting is enabled, it should be disabled.
To disable the named_write_master_zones SELinux boolean, run the following command:
$ sudo setsebool -P named_write_master_zones off
By default, the SELinux boolean neutron_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the neutron_can_network SELinux boolean, run the following command:
$ sudo setsebool -P neutron_can_network off
By default, the SELinux boolean nfs_export_all_ro is enabled.
If this setting is disabled, it should be enabled as it allows NFS to
export read-only mounts.
To enable the nfs_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P nfs_export_all_ro on
By default, the SELinux boolean nfs_export_all_rw is enabled.
If this setting is disabled, it should be enabled as it allows NFS to
export read/write mounts.
To enable the nfs_export_all_rw SELinux boolean, run the following command:
$ sudo setsebool -P nfs_export_all_rw on
By default, the SELinux boolean nfsd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the nfsd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P nfsd_anon_write off
By default, the SELinux boolean nis_enabled is disabled.
If this setting is enabled, it should be disabled.
To disable the nis_enabled SELinux boolean, run the following command:
$ sudo setsebool -P nis_enabled off
By default, the SELinux boolean nscd_use_shm is enabled.
If this setting is disabled, it should be enabled to allow nscd
to use shared memory.
To enable the nscd_use_shm SELinux boolean, run the following command:
$ sudo setsebool -P nscd_use_shm on
By default, the SELinux boolean openshift_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the openshift_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P openshift_use_nfs off
By default, the SELinux boolean openvpn_can_network_connect is enabled.
This setting should be disabled.
To disable the openvpn_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_can_network_connect off
By default, the SELinux boolean openvpn_enable_homedirs is enabled.
This setting should be disabled.
To disable the openvpn_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_enable_homedirs off
By default, the SELinux boolean openvpn_run_unconfined is disabled.
If this setting is enabled, it should be disabled.
To disable the openvpn_run_unconfined SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_run_unconfined off
By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P pcp_bind_all_unreserved_ports off
By default, the SELinux boolean pcp_read_generic_logs is disabled.
If this setting is enabled, it should be disabled.
To disable the pcp_read_generic_logs SELinux boolean, run the following command:
$ sudo setsebool -P pcp_read_generic_logs off
By default, the SELinux boolean piranha_lvs_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P piranha_lvs_can_network_connect off
By default, the SELinux boolean polipo_connect_all_unreserved is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_connect_all_unreserved SELinux boolean, run the following command:
$ sudo setsebool -P polipo_connect_all_unreserved off
By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P polipo_session_bind_all_unreserved_ports off
By default, the SELinux boolean polipo_session_users is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_session_users SELinux boolean, run the following command:
$ sudo setsebool -P polipo_session_users off
By default, the SELinux boolean polipo_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P polipo_use_cifs off
By default, the SELinux boolean polipo_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P polipo_use_nfs off
By default, the SELinux boolean polyinstantiation_enabled is disabled.
This setting should be configured to $var_polyinstantiation_enabled.
To set the polyinstantiation_enabled SELinux boolean, run the following command:
$ sudo setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled
By default, the SELinux boolean postfix_local_write_mail_spool is enabled.
If this setting is disabled, it should be enabled as it allows Postfix to write
to the mail spool directories.
To enable the postfix_local_write_mail_spool SELinux boolean, run the following command:
$ sudo setsebool -P postfix_local_write_mail_spool on
By default, the SELinux boolean postgresql_can_rsync is disabled.
If this setting is enabled, it should be disabled.
To disable the postgresql_can_rsync SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_can_rsync off
By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled.
If this setting is enabled, it should be disabled.
To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_transmit_client_label off
By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled.
If this setting is disabled, it should be enabled as it allows Database Administrators to
execute Data Manipulation Language (DML) statements.
To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_unconfined_dbadm on
By default, the SELinux boolean postgresql_selinux_users_ddl is enabled.
If this setting is disabled, it should be enabled as it allows Database Administrators to
execute Data Definition Language (DDL) statements.
To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_users_ddl on
By default, the SELinux boolean pppd_can_insmod is disabled.
If this setting is enabled, it should be disabled.
To disable the pppd_can_insmod SELinux boolean, run the following command:
$ sudo setsebool -P pppd_can_insmod off
By default, the SELinux boolean pppd_for_user is disabled.
If this setting is enabled, it should be disabled.
To disable the pppd_for_user SELinux boolean, run the following command:
$ sudo setsebool -P pppd_for_user off
By default, the SELinux boolean privoxy_connect_any is enabled.
This setting should be disabled.
To disable the privoxy_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P privoxy_connect_any off
By default, the SELinux boolean prosody_bind_http_port is disabled.
If this setting is enabled, it should be disabled.
To disable the prosody_bind_http_port SELinux boolean, run the following command:
$ sudo setsebool -P prosody_bind_http_port off
By default, the SELinux boolean puppetagent_manage_all_files is disabled.
If this setting is enabled, it should be disabled.
To disable the puppetagent_manage_all_files SELinux boolean, run the following command:
$ sudo setsebool -P puppetagent_manage_all_files off
By default, the SELinux boolean puppetmaster_use_db is disabled.
If this setting is enabled, it should be disabled.
To disable the puppetmaster_use_db SELinux boolean, run the following command:
$ sudo setsebool -P puppetmaster_use_db off
By default, the SELinux boolean racoon_read_shadow is disabled.
If this setting is enabled, it should be disabled.
To disable the racoon_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P racoon_read_shadow off
By default, the SELinux boolean rsync_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P rsync_anon_write off
By default, the SELinux boolean rsync_client is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_client SELinux boolean, run the following command:
$ sudo setsebool -P rsync_client off
By default, the SELinux boolean rsync_export_all_ro is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P rsync_export_all_ro off
By default, the SELinux boolean rsync_full_access is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_full_access SELinux boolean, run the following command:
$ sudo setsebool -P rsync_full_access off
By default, the SELinux boolean samba_create_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_create_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P samba_create_home_dirs off
By default, the SELinux boolean samba_domain_controller is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_domain_controller SELinux boolean, run the following command:
$ sudo setsebool -P samba_domain_controller off
By default, the SELinux boolean samba_enable_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_enable_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P samba_enable_home_dirs off
By default, the SELinux boolean samba_export_all_ro is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P samba_export_all_ro off
By default, the SELinux boolean samba_export_all_rw is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_export_all_rw SELinux boolean, run the following command:
$ sudo setsebool -P samba_export_all_rw off
By default, the SELinux boolean samba_load_libgfapi is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_load_libgfapi SELinux boolean, run the following command:
$ sudo setsebool -P samba_load_libgfapi off
By default, the SELinux boolean samba_portmapper is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_portmapper SELinux boolean, run the following command:
$ sudo setsebool -P samba_portmapper off
By default, the SELinux boolean samba_run_unconfined is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_run_unconfined SELinux boolean, run the following command:
$ sudo setsebool -P samba_run_unconfined off
By default, the SELinux boolean sanlock_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the sanlock_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_fusefs off
By default, the SELinux boolean sanlock_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the sanlock_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_nfs off
By default, the SELinux boolean sanlock_use_samba is disabled.
If this setting is enabled, it should be disabled.
To disable the sanlock_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_samba off
By default, the SELinux boolean saslauthd_read_shadow is disabled.
If this setting is enabled, it should be disabled.
To disable the saslauthd_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P saslauthd_read_shadow off
By default, the SELinux boolean secadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the secadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P secadm_exec_content on
By default, the SELinux boolean secure_mode is disabled.
If this setting is enabled, it should be disabled.
To disable the secure_mode SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode off
By default, the SELinux boolean secure_mode_insmod is disabled.
This setting should be configured to $var_secure_mode_insmod.
To set the secure_mode_insmod SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode_insmod $var_secure_mode_insmod
By default, the SELinux boolean secure_mode_policyload is disabled.
If this setting is enabled, it should be disabled.
To disable the secure_mode_policyload SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode_policyload off
By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled.
If XWindows is not installed or used on the system, this setting should be disabled.
Otherwise, enable it.
To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_direct_dri_enabled off
By default, the SELinux boolean selinuxuser_execheap is disabled.
When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_execheap SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execheap off
Disabling code execution from the heap blocks buffer overflow attacks.
By default, the SELinux boolean selinuxuser_execmod is enabled.
If this setting is disabled, it should be enabled.
To enable the selinuxuser_execmod SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execmod on
By default, the SELinux boolean selinuxuser_execstack is enabled.
This setting should be disabled as unconfined executables should not be able
to make their stack executable.
To disable the selinuxuser_execstack SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execstack off
Disabling code execution from the stack blocks buffer overflow attacks.
By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_mysql_connect_enabled off
By default, the SELinux boolean selinuxuser_ping is enabled.
If this setting is disabled, it should be enabled as it allows confined users
to use ping and traceroute which is helpful for network troubleshooting.
To enable the selinuxuser_ping SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_ping on
By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_postgresql_connect_enabled off
By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled.
This setting should be disabled as users should not be able to read/write files
on filesystems that do not have extended attributes e.g. FAT, CDROM, FLOPPY, etc.
To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_rw_noexattrfile off
By default, the SELinux boolean selinuxuser_tcp_server is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_tcp_server SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_tcp_server off
By default, the SELinux boolean selinuxuser_udp_server is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_udp_server SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_udp_server off
By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_use_ssh_chroot off
By default, the SELinux boolean sge_domain_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the sge_domain_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P sge_domain_can_network_connect off
By default, the SELinux boolean sge_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the sge_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P sge_use_nfs off
By default, the SELinux boolean smartmon_3ware is disabled.
If this setting is enabled, it should be disabled.
To disable the smartmon_3ware SELinux boolean, run the following command:
$ sudo setsebool -P smartmon_3ware off
By default, the SELinux boolean smbd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the smbd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P smbd_anon_write off
By default, the SELinux boolean spamassassin_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the spamassassin_can_network SELinux boolean, run the following command:
$ sudo setsebool -P spamassassin_can_network off
By default, the SELinux boolean spamd_enable_home_dirs is enabled.
If this setting is disabled, it should be enabled.
To enable the spamd_enable_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P spamd_enable_home_dirs on
By default, the SELinux boolean squid_connect_any is enabled.
This setting should be disabled as squid should only connect on specified
ports.
To disable the squid_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P squid_connect_any off
By default, the SELinux boolean squid_use_tproxy is disabled.
If this setting is enabled, it should be disabled.
To disable the squid_use_tproxy SELinux boolean, run the following command:
$ sudo setsebool -P squid_use_tproxy off
By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P ssh_chroot_rw_homedirs off
By default, the SELinux boolean ssh_keysign is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_keysign SELinux boolean, run the following command:
$ sudo setsebool -P ssh_keysign off
By default, the SELinux boolean ssh_sysadm_login is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_sysadm_login SELinux boolean, run the following command:
$ sudo setsebool -P ssh_sysadm_login off
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
By default, the SELinux boolean staff_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the staff_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P staff_exec_content on
By default, the SELinux boolean staff_use_svirt is disabled.
If this setting is enabled, it should be disabled.
To disable the staff_use_svirt SELinux boolean, run the following command:
$ sudo setsebool -P staff_use_svirt off
By default, the SELinux boolean swift_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the swift_can_network SELinux boolean, run the following command:
$ sudo setsebool -P swift_can_network off
By default, the SELinux boolean sysadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the sysadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P sysadm_exec_content on
By default, the SELinux boolean telepathy_connect_all_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the telepathy_connect_all_ports SELinux boolean, run the following command:
$ sudo setsebool -P telepathy_connect_all_ports off
By default, the SELinux boolean telepathy_tcp_connect_generic_network_ports is enabled.
This setting should be disabled as telepathy should not connect to any generic network
ports.
To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command:
$ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off
By default, the SELinux boolean tftp_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the tftp_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P tftp_anon_write off
By default, the SELinux boolean tftp_home_dir is disabled.
If this setting is enabled, it should be disabled.
To disable the tftp_home_dir SELinux boolean, run the following command:
$ sudo setsebool -P tftp_home_dir off
By default, the SELinux boolean tmpreaper_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P tmpreaper_use_nfs off
By default, the SELinux boolean tmpreaper_use_samba is disabled.
If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P tmpreaper_use_samba off
By default, the SELinux boolean tor_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P tor_bind_all_unreserved_ports off
By default, the SELinux boolean tor_can_network_relay is disabled.
If this setting is enabled, it should be disabled.
To disable the tor_can_network_relay SELinux boolean, run the following command:
$ sudo setsebool -P tor_can_network_relay off
By default, the SELinux boolean unconfined_chrome_sandbox_transition is enabled.
If this setting is disabled, it should be enabled.
To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command:
$ sudo setsebool -P unconfined_chrome_sandbox_transition on
By default, the SELinux boolean unconfined_login is enabled.
If this setting is disabled, it should be enabled.
To enable the unconfined_login SELinux boolean, run the following command:
$ sudo setsebool -P unconfined_login on
By default, the SELinux boolean unconfined_mozilla_plugin_transition is enabled.
If this setting is disabled, it should be enabled.
To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command:
$ sudo setsebool -P unconfined_mozilla_plugin_transition on
By default, the SELinux boolean unprivuser_use_svirt is disabled.
If this setting is enabled, it should be disabled.
To disable the unprivuser_use_svirt SELinux boolean, run the following command:
$ sudo setsebool -P unprivuser_use_svirt off
By default, the SELinux boolean use_ecryptfs_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_ecryptfs_home_dirs off
By default, the SELinux boolean use_fusefs_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_fusefs_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_fusefs_home_dirs off
By default, the SELinux boolean use_lpd_server is disabled.
If this setting is enabled, it should be disabled.
To disable the use_lpd_server SELinux boolean, run the following command:
$ sudo setsebool -P use_lpd_server off
By default, the SELinux boolean use_nfs_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_nfs_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_nfs_home_dirs off
By default, the SELinux boolean use_samba_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_samba_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_samba_home_dirs off
By default, the SELinux boolean user_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the user_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P user_exec_content on
By default, the SELinux boolean varnishd_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the varnishd_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P varnishd_connect_any off
By default, the SELinux boolean virt_read_qemu_ga_data is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_read_qemu_ga_data SELinux boolean, run the following command:
$ sudo setsebool -P virt_read_qemu_ga_data off
By default, the SELinux boolean virt_rw_qemu_ga_data is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command:
$ sudo setsebool -P virt_rw_qemu_ga_data off
By default, the SELinux boolean virt_sandbox_use_all_caps is enabled.
This setting is disabled as containers should not run with privileges.
To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_all_caps off
By default, the SELinux boolean virt_sandbox_use_audit is enabled.
If this setting is disabled, it should be enabled to allow sandboxed containers
to send audit messages.
To enable the virt_sandbox_use_audit SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_audit on
By default, the SELinux boolean virt_sandbox_use_mknod is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_mknod SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_mknod off
By default, the SELinux boolean virt_sandbox_use_netlink is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_netlink SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_netlink off
By default, the SELinux boolean virt_sandbox_use_sys_admin is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_sys_admin off
By default, the SELinux boolean virt_transition_userdomain is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_transition_userdomain SELinux boolean, run the following command:
$ sudo setsebool -P virt_transition_userdomain off
By default, the SELinux boolean virt_use_comm is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_comm SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_comm off
By default, the SELinux boolean virt_use_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_execmem SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_execmem off
By default, the SELinux boolean virt_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_fusefs off
By default, the SELinux boolean virt_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_nfs off
By default, the SELinux boolean virt_use_rawip is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_rawip SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_rawip off
By default, the SELinux boolean virt_use_samba is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_samba off
By default, the SELinux boolean virt_use_sanlock is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_sanlock SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_sanlock off
By default, the SELinux boolean virt_use_usb is enabled.
This setting should be disabled.
To disable the virt_use_usb SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_usb off
By default, the SELinux boolean virt_use_xserver is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_xserver SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_xserver off
By default, the SELinux boolean webadm_manage_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the webadm_manage_user_files SELinux boolean, run the following command:
$ sudo setsebool -P webadm_manage_user_files off
By default, the SELinux boolean webadm_read_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the webadm_read_user_files SELinux boolean, run the following command:
$ sudo setsebool -P webadm_read_user_files off
By default, the SELinux boolean wine_mmap_zero_ignore is disabled.
If this setting is enabled, it should be disabled.
To disable the wine_mmap_zero_ignore SELinux boolean, run the following command:
$ sudo setsebool -P wine_mmap_zero_ignore off
By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command:
$ sudo setsebool -P xdm_bind_vnc_tcp_port off
By default, the SELinux boolean xdm_exec_bootloader is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_exec_bootloader SELinux boolean, run the following command:
$ sudo setsebool -P xdm_exec_bootloader off
By default, the SELinux boolean xdm_sysadm_login is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_sysadm_login SELinux boolean, run the following command:
$ sudo setsebool -P xdm_sysadm_login off
By default, the SELinux boolean xdm_write_home is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_write_home SELinux boolean, run the following command:
$ sudo setsebool -P xdm_write_home off
By default, the SELinux boolean xen_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the xen_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P xen_use_nfs off
By default, the SELinux boolean xend_run_blktap is enabled.
If this setting is disabled, it should be enabled.
To enable the xend_run_blktap SELinux boolean, run the following command:
$ sudo setsebool -P xend_run_blktap on
By default, the SELinux boolean xend_run_qemu is enabled.
If this setting is disabled, it should be enabled.
To enable the xend_run_qemu SELinux boolean, run the following command:
$ sudo setsebool -P xend_run_qemu on
By default, the SELinux boolean xguest_connect_network is enabled.
This setting should be disabled as guest users should not be able to configure
NetworkManager.
To disable the xguest_connect_network SELinux boolean, run the following command:
$ sudo setsebool -P xguest_connect_network off
By default, the SELinux boolean xguest_exec_content is enabled.
This setting should be disabled as guest users should not be able to run
executables.
To disable the xguest_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P xguest_exec_content off
By default, the SELinux boolean xguest_mount_media is enabled.
This setting should be disabled as guest users should not be able to mount
any media.
To disable the xguest_mount_media SELinux boolean, run the following command:
$ sudo setsebool -P xguest_mount_media off
By default, the SELinux boolean xguest_use_bluetooth is enabled.
This setting should be disabled as guests users should not be able to access
or use bluetooth.
To disable the xguest_use_bluetooth SELinux boolean, run the following command:
$ sudo setsebool -P xguest_use_bluetooth off
By default, the SELinux boolean xserver_clients_write_xshm is disabled.
If this setting is enabled, it should be disabled.
To disable the xserver_clients_write_xshm SELinux boolean, run the following command:
$ sudo setsebool -P xserver_clients_write_xshm off
By default, the SELinux boolean xserver_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the xserver_execmem SELinux boolean, run the following command:
$ sudo setsebool -P xserver_execmem off
By default, the SELinux boolean xserver_object_manager is disabled.
If this setting is enabled, it should be disabled.
To disable the xserver_object_manager SELinux boolean, run the following command:
$ sudo setsebool -P xserver_object_manager off
By default, the SELinux boolean zabbix_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the zabbix_can_network SELinux boolean, run the following command:
$ sudo setsebool -P zabbix_can_network off
By default, the SELinux boolean zarafa_setrlimit is disabled.
If this setting is enabled, it should be disabled.
To disable the zarafa_setrlimit SELinux boolean, run the following command:
$ sudo setsebool -P zarafa_setrlimit off
By default, the SELinux boolean zebra_write_config is disabled.
If this setting is enabled, it should be disabled.
To disable the zebra_write_config SELinux boolean, run the following command:
$ sudo setsebool -P zebra_write_config off
By default, the SELinux boolean zoneminder_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the zoneminder_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P zoneminder_anon_write off
By default, the SELinux boolean zoneminder_run_sudo is disabled.
If this setting is enabled, it should be disabled.
To disable the zoneminder_run_sudo SELinux boolean, run the following command:
$ sudo setsebool -P zoneminder_run_sudo off
Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type device_t or unlabeled_t, report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.
To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"It should produce no output in a well-configured system.
If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file.
Configure the operating system to confine SELinux users to roles that conform to least privilege. Use the following command to map the "staff_u" SELinux user to the "staff_r" and "sysadm_r" roles:
$ sudo semanage user -m staff_u -R staff_r -R sysadm_r
$ sudo semanage -m user_u -R user_r
Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example,
establishing accounts, performing system integrity checks, or administering
cryptographic key management activities. Non-privileged users are individuals
who do not possess appropriate authorizations. Circumventing intrusion detection
and prevention mechanisms or malicious code protection mechanisms are examples
of privileged functions that require protection from non-privileged users.
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the unconfined_service_t context.
To check for unconfined daemons, run the following command:
$ sudo ps -eZ | grep "unconfined_service_t"It should produce no output in a well-configured system.
Daemons which run with the unconfined_service_t context may cause AVC denials, or allow privileges that the daemon does not require.
Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the /etc/sudoers.d directory with the following command:
sudo visudo -f /etc/sudoers.d/CUSTOM_FILEUse the following example to build the CUSTOM_FILE in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example,
establishing accounts, performing system integrity checks, or administering
cryptographic key management activities. Non-privileged users are individuals
who do not possess appropriate authorizations. Circumventing intrusion detection
and prevention mechanisms or malicious code protection mechanisms are examples
of privileged functions that require protection from non-privileged users.
The SELinux state should be set to enforcing or permissive at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing or permissive mode:
SELINUX=enforcingOR
SELINUX=permissive
Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux controls without a system reboot. It also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=$var_selinux_policy_nameOther policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
$var_selinux_policy_name.
The SELinux state should be set to $var_selinux_state at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=$var_selinux_state
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t).
$ sudo semanage login -m -s sysadm_u USERor
$ sudo semanage login -m -s staff_u USER
$ sudo semanage login -m -s user_u USER
Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example,
establishing accounts, performing system integrity checks, or administering
cryptographic key management activities. Non-privileged users are individuals
who do not possess appropriate authorizations. Circumventing intrusion detection
and prevention mechanisms or malicious code protection mechanisms are examples
of privileged functions that require protection from non-privileged users.