Rules Related To 'selinux'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Ensure SELinux Not Disabled in the kernel arguments

coreos_enable_selinux_kernel_argument

Description

SELinux can be disabled at boot time via a kernel argument. Remove any instances of selinux=0 from the kernel arguments to prevent SELinux from being disabled at boot.

Rationale

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services as they start. Further, it increases the chances that it will remain off during system operation.

Verify User Who Owns /etc/selinux Directory

directory_owner_etc_selinux

Description

To properly set the owner of /etc/selinux, run the command:

$ sudo chown root /etc/selinux

Rationale

The ownership of the /etc/selinux directory by the root user is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.

Verify Group Who Owns /etc/selinux Directory

directory_groupowner_etc_selinux

Description

To properly set the group owner of /etc/selinux, run the command:

$ sudo chgrp root /etc/selinux

Rationale

The ownership of the /etc/selinux directory by the root group is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Assigning the group ownership to root ensures exclusive control of the SELinux configuration.

Verify Permissions On /etc/selinux Directory

directory_permissions_etc_selinux

Description

To properly set the permissions of /etc/selinux, run the command:

$ sudo chmod 0755 /etc/selinux

Rationale

Setting correct permissions on the /etc/selinux directory is important because this directory hosts SELinux configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the SELinux configuration.

Ensure SELinux Not Disabled in /etc/default/grub

grub2_enable_selinux

Description

SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Rationale

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services as they start. Further, it increases the chances that it will remain off during system operation.

Verify Group Who Owns /etc/sestatus.conf File

file_groupowner_etc_sestatus_conf

Description

To properly set the group owner of /etc/sestatus.conf, run the command:

$ sudo chgrp root /etc/sestatus.conf

Rationale

The ownership of the /etc/sestatus.conf file by the root group is important because this file hosts SELinux configuration. Protection of this file is critical for system security. Assigning the group ownership to root ensures exclusive control of the SELinux configuration.

Verify User Who Owns /etc/sestatus.conf File

file_owner_etc_sestatus_conf

Description

To properly set the owner of /etc/sestatus.conf, run the command:

$ sudo chown root /etc/sestatus.conf

Rationale

The ownership of the /etc/sestatus.conf file by the root user is important because this file hosts SELinux configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the SELinux configuration.

Verify Permissions On /etc/sestatus.conf File

file_permissions_etc_sestatus_conf

Description

To properly set the permissions of /etc/sestatus.conf, run the command:

$ sudo chmod 0644 /etc/sestatus.conf

Rationale

Setting correct permissions on the /etc/sestatus.conf file is important because this file hosts SELinux configuration. Protection of this file is critical for system security. Restricting the permissions ensures exclusive control of the SELinux configuration.

Install libselinux Package

package_libselinux_installed

Description

The libselinux package can be installed with the following command:

$ sudo yum install libselinux

Rationale

Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The libselinux package contains the core library of the Security-enhanced Linux system.

Uninstall mcstrans Package

package_mcstrans_removed

Description

The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. The mcstrans package can be removed with the following command:

$ sudo yum erase mcstrans

Rationale

Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system.

Install policycoreutils-python-utils package

package_policycoreutils-python-utils_installed

Description

The policycoreutils-python-utils package can be installed with the following command:

$ sudo yum install policycoreutils-python-utils

Rationale

This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.

Install policycoreutils Package

package_policycoreutils_installed

Description

The policycoreutils package can be installed with the following command:

$ sudo yum install policycoreutils

Rationale

Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on.

Uninstall setroubleshoot-plugins Package

package_setroubleshoot-plugins_removed

Description

The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot-plugins package can be removed with the following command:

$ sudo yum erase setroubleshoot-plugins

Rationale

The SETroubleshoot service is an unnecessary daemon to have running on a server.

Uninstall setroubleshoot-server Package

package_setroubleshoot-server_removed

Description

The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot-server package can be removed with the following command:

$ sudo yum erase setroubleshoot-server

Rationale

The SETroubleshoot service is an unnecessary daemon to have running on a server.

Uninstall setroubleshoot Package

package_setroubleshoot_removed

Description

The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot package can be removed with the following command:

$ sudo yum erase setroubleshoot

Rationale

The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.

Disable the abrt_anon_write SELinux Boolean

sebool_abrt_anon_write

Description

By default, the SELinux boolean abrt_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the abrt_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_anon_write off

Rationale

Disable the abrt_handle_event SELinux Boolean

sebool_abrt_handle_event

Description

By default, the SELinux boolean abrt_handle_event is disabled. If this setting is enabled, it should be disabled. To disable the abrt_handle_event SELinux boolean, run the following command:

$ sudo setsebool -P abrt_handle_event off

Rationale

Disable the abrt_upload_watch_anon_write SELinux Boolean

sebool_abrt_upload_watch_anon_write

Description

By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services. To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_upload_watch_anon_write off

Rationale

Enable the antivirus_can_scan_system SELinux Boolean

sebool_antivirus_can_scan_system

Description

By default, the SELinux boolean antivirus_can_scan_system is disabled. This setting should be enabled as it allows antivirus programs to read non-security files on a system. To enable the antivirus_can_scan_system SELinux boolean, run the following command:

$ sudo setsebool -P antivirus_can_scan_system on

Rationale

Disable the antivirus_use_jit SELinux Boolean

sebool_antivirus_use_jit

Description

By default, the SELinux boolean antivirus_use_jit is disabled. If this setting is enabled, it should be disabled. To disable the antivirus_use_jit SELinux boolean, run the following command:

$ sudo setsebool -P antivirus_use_jit off

Rationale

Enable the auditadm_exec_content SELinux Boolean

sebool_auditadm_exec_content

Description

By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the auditadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P auditadm_exec_content on

Rationale

Disable the authlogin_nsswitch_use_ldap SELinux Boolean

sebool_authlogin_nsswitch_use_ldap

Description

By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled. If this setting is enabled, it should be disabled. To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command:

$ sudo setsebool -P authlogin_nsswitch_use_ldap off

Rationale

Disable the authlogin_radius SELinux Boolean

sebool_authlogin_radius

Description

By default, the SELinux boolean authlogin_radius is disabled. If this setting is enabled, it should be disabled. To disable the authlogin_radius SELinux boolean, run the following command:

$ sudo setsebool -P authlogin_radius off

Rationale

Disable the authlogin_yubikey SELinux Boolean

sebool_authlogin_yubikey

Description

By default, the SELinux boolean authlogin_yubikey is disabled. If this setting is enabled, it should be disabled. To disable the authlogin_yubikey SELinux boolean, run the following command:

$ sudo setsebool -P authlogin_yubikey off

Rationale

Disable the awstats_purge_apache_log_files SELinux Boolean

sebool_awstats_purge_apache_log_files

Description

By default, the SELinux boolean awstats_purge_apache_log_files is disabled. If this setting is enabled, it should be disabled. To disable the awstats_purge_apache_log_files SELinux boolean, run the following command:

$ sudo setsebool -P awstats_purge_apache_log_files off

Rationale

Disable the boinc_execmem SELinux Boolean

sebool_boinc_execmem

Description

By default, the SELinux boolean boinc_execmem is enabled. This setting should be disabled. To disable the boinc_execmem SELinux boolean, run the following command:

$ sudo setsebool -P boinc_execmem off

Rationale

Disable the cdrecord_read_content SELinux Boolean

sebool_cdrecord_read_content

Description

By default, the SELinux boolean cdrecord_read_content is disabled. If this setting is enabled, it should be disabled. To disable the cdrecord_read_content SELinux boolean, run the following command:

$ sudo setsebool -P cdrecord_read_content off

Rationale

Disable the cluster_can_network_connect SELinux Boolean

sebool_cluster_can_network_connect

Description

By default, the SELinux boolean cluster_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the cluster_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P cluster_can_network_connect off

Rationale

Disable the cluster_manage_all_files SELinux Boolean

sebool_cluster_manage_all_files

Description

By default, the SELinux boolean cluster_manage_all_files is disabled. If this setting is enabled, it should be disabled. To disable the cluster_manage_all_files SELinux boolean, run the following command:

$ sudo setsebool -P cluster_manage_all_files off

Rationale

Disable the cluster_use_execmem SELinux Boolean

sebool_cluster_use_execmem

Description

By default, the SELinux boolean cluster_use_execmem is disabled. If this setting is enabled, it should be disabled. To disable the cluster_use_execmem SELinux boolean, run the following command:

$ sudo setsebool -P cluster_use_execmem off

Rationale

Disable the cobbler_anon_write SELinux Boolean

sebool_cobbler_anon_write

Description

By default, the SELinux boolean cobbler_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the cobbler_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P cobbler_anon_write off

Rationale

Disable the cobbler_can_network_connect SELinux Boolean

sebool_cobbler_can_network_connect

Description

By default, the SELinux boolean cobbler_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the cobbler_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P cobbler_can_network_connect off

Rationale

Disable the cobbler_use_cifs SELinux Boolean

sebool_cobbler_use_cifs

Description

By default, the SELinux boolean cobbler_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the cobbler_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P cobbler_use_cifs off

Rationale

Disable the cobbler_use_nfs SELinux Boolean

sebool_cobbler_use_nfs

Description

By default, the SELinux boolean cobbler_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the cobbler_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P cobbler_use_nfs off

Rationale

Disable the collectd_tcp_network_connect SELinux Boolean

sebool_collectd_tcp_network_connect

Description

By default, the SELinux boolean collectd_tcp_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the collectd_tcp_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P collectd_tcp_network_connect off

Rationale

Disable the condor_tcp_network_connect SELinux Boolean

sebool_condor_tcp_network_connect

Description

By default, the SELinux boolean condor_tcp_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the condor_tcp_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P condor_tcp_network_connect off

Rationale

Disable the conman_can_network SELinux Boolean

sebool_conman_can_network

Description

By default, the SELinux boolean conman_can_network is disabled. If this setting is enabled, it should be disabled. To disable the conman_can_network SELinux boolean, run the following command:

$ sudo setsebool -P conman_can_network off

Rationale

Disable the container_connect_any SELinux Boolean

sebool_container_connect_any

Description

By default, the SELinux boolean container_connect_any is disabled. If this setting is enabled, it should be disabled. To disable the container_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P container_connect_any off

Rationale

Disable the cron_can_relabel SELinux Boolean

sebool_cron_can_relabel

Description

By default, the SELinux boolean cron_can_relabel is disabled. If this setting is enabled, it should be disabled. To disable the cron_can_relabel SELinux boolean, run the following command:

$ sudo setsebool -P cron_can_relabel off

Rationale

Disable the cron_system_cronjob_use_shares SELinux Boolean

sebool_cron_system_cronjob_use_shares

Description

By default, the SELinux boolean cron_system_cronjob_use_shares is disabled. If this setting is enabled, it should be disabled. To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command:

$ sudo setsebool -P cron_system_cronjob_use_shares off

Rationale

Enable the cron_userdomain_transition SELinux Boolean

sebool_cron_userdomain_transition

Description

By default, the SELinux boolean cron_userdomain_transition is enabled. This setting should be enabled as end user cron jobs run in their default associated user domain(s) instead of the general cronjob domain. To enable the cron_userdomain_transition SELinux boolean, run the following command:

$ sudo setsebool -P cron_userdomain_transition on

Rationale

Disable the cups_execmem SELinux Boolean

sebool_cups_execmem

Description

By default, the SELinux boolean cups_execmem is disabled. If this setting is enabled, it should be disabled. To disable the cups_execmem SELinux boolean, run the following command:

$ sudo setsebool -P cups_execmem off

Rationale

Disable the cvs_read_shadow SELinux Boolean

sebool_cvs_read_shadow

Description

By default, the SELinux boolean cvs_read_shadow is disabled. If this setting is enabled, it should be disabled. To disable the cvs_read_shadow SELinux boolean, run the following command:

$ sudo setsebool -P cvs_read_shadow off

Rationale

Disable the daemons_dump_core SELinux Boolean

sebool_daemons_dump_core

Description

By default, the SELinux boolean daemons_dump_core is disabled. If this setting is enabled, it should be disabled. To disable the daemons_dump_core SELinux boolean, run the following command:

$ sudo setsebool -P daemons_dump_core off

Rationale

Disable the daemons_enable_cluster_mode SELinux Boolean

sebool_daemons_enable_cluster_mode

Description

By default, the SELinux boolean daemons_enable_cluster_mode is disabled. If this setting is enabled, it should be disabled. To disable the daemons_enable_cluster_mode SELinux boolean, run the following command:

$ sudo setsebool -P daemons_enable_cluster_mode off

Rationale

Disable the daemons_use_tcp_wrapper SELinux Boolean

sebool_daemons_use_tcp_wrapper

Description

By default, the SELinux boolean daemons_use_tcp_wrapper is disabled. If this setting is enabled, it should be disabled. To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:

$ sudo setsebool -P daemons_use_tcp_wrapper off

Rationale

Disable the daemons_use_tty SELinux Boolean

sebool_daemons_use_tty

Description

By default, the SELinux boolean daemons_use_tty is disabled. If this setting is enabled, it should be disabled. To disable the daemons_use_tty SELinux boolean, run the following command:

$ sudo setsebool -P daemons_use_tty off

Rationale

Enable the dbadm_exec_content SELinux Boolean

sebool_dbadm_exec_content

Description

By default, the SELinux boolean dbadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the dbadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P dbadm_exec_content on

Rationale

Disable the dbadm_manage_user_files SELinux Boolean

sebool_dbadm_manage_user_files

Description

By default, the SELinux boolean dbadm_manage_user_files is disabled. If this setting is enabled, it should be disabled. To disable the dbadm_manage_user_files SELinux boolean, run the following command:

$ sudo setsebool -P dbadm_manage_user_files off

Rationale

Disable the dbadm_read_user_files SELinux Boolean

sebool_dbadm_read_user_files

Description

By default, the SELinux boolean dbadm_read_user_files is disabled. If this setting is enabled, it should be disabled. To disable the dbadm_read_user_files SELinux boolean, run the following command:

$ sudo setsebool -P dbadm_read_user_files off

Rationale

Configure the deny_execmem SELinux Boolean

sebool_deny_execmem

Description

By default, the SELinux boolean deny_execmem is disabled. This setting should be configured to $var_deny_execmem.
To set the deny_execmem SELinux boolean, run the following command:

$ sudo setsebool -P deny_execmem $var_deny_execmem

Rationale

Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.

Disable the deny_ptrace SELinux Boolean

sebool_deny_ptrace

Description

By default, the SELinux boolean deny_ptrace is disabled. If this setting is enabled, it should be disabled. To disable the deny_ptrace SELinux boolean, run the following command:

$ sudo setsebool -P deny_ptrace off

Rationale

Disable the dhcpc_exec_iptables SELinux Boolean

sebool_dhcpc_exec_iptables

Description

By default, the SELinux boolean dhcpc_exec_iptables is disabled. If this setting is enabled, it should be disabled. To disable the dhcpc_exec_iptables SELinux boolean, run the following command:

$ sudo setsebool -P dhcpc_exec_iptables off

Rationale

Disable the dhcpd_use_ldap SELinux Boolean

sebool_dhcpd_use_ldap

Description

By default, the SELinux boolean dhcpd_use_ldap is disabled. If this setting is enabled, it should be disabled. To disable the dhcpd_use_ldap SELinux boolean, run the following command:

$ sudo setsebool -P dhcpd_use_ldap off

Rationale

Enable the domain_fd_use SELinux Boolean

sebool_domain_fd_use

Description

By default, the SELinux boolean domain_fd_use is enabled. If this setting is disabled, it should be enabled. To enable the domain_fd_use SELinux boolean, run the following command:

$ sudo setsebool -P domain_fd_use on

Rationale

Disable the domain_kernel_load_modules SELinux Boolean

sebool_domain_kernel_load_modules

Description

By default, the SELinux boolean domain_kernel_load_modules is disabled. If this setting is enabled, it should be disabled. To disable the domain_kernel_load_modules SELinux boolean, run the following command:

$ sudo setsebool -P domain_kernel_load_modules off

Rationale

Disable the entropyd_use_audio SELinux Boolean

sebool_entropyd_use_audio

Description

By default, the SELinux boolean entropyd_use_audio is enabled. This setting should be disabled as it uses audio input to generate entropy. To disable the entropyd_use_audio SELinux boolean, run the following command:

$ sudo setsebool -P entropyd_use_audio off

Rationale

Disable the exim_can_connect_db SELinux Boolean

sebool_exim_can_connect_db

Description

By default, the SELinux boolean exim_can_connect_db is disabled. If this setting is enabled, it should be disabled. To disable the exim_can_connect_db SELinux boolean, run the following command:

$ sudo setsebool -P exim_can_connect_db off

Rationale

Disable the exim_manage_user_files SELinux Boolean

sebool_exim_manage_user_files

Description

By default, the SELinux boolean exim_manage_user_files is disabled. If this setting is enabled, it should be disabled. To disable the exim_manage_user_files SELinux boolean, run the following command:

$ sudo setsebool -P exim_manage_user_files off

Rationale

Disable the exim_read_user_files SELinux Boolean

sebool_exim_read_user_files

Description

By default, the SELinux boolean exim_read_user_files is disabled. If this setting is enabled, it should be disabled. To disable the exim_read_user_files SELinux boolean, run the following command:

$ sudo setsebool -P exim_read_user_files off

Rationale

Disable the fcron_crond SELinux Boolean

sebool_fcron_crond

Description

By default, the SELinux boolean fcron_crond is disabled. If this setting is enabled, it should be disabled. To disable the fcron_crond SELinux boolean, run the following command:

$ sudo setsebool -P fcron_crond off

Rationale

Disable the fenced_can_network_connect SELinux Boolean

sebool_fenced_can_network_connect

Description

By default, the SELinux boolean fenced_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the fenced_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P fenced_can_network_connect off

Rationale

Disable the fenced_can_ssh SELinux Boolean

sebool_fenced_can_ssh

Description

By default, the SELinux boolean fenced_can_ssh is disabled. If this setting is enabled, it should be disabled. To disable the fenced_can_ssh SELinux boolean, run the following command:

$ sudo setsebool -P fenced_can_ssh off

Rationale

Enable the fips_mode SELinux Boolean

sebool_fips_mode

Description

By default, the SELinux boolean fips_mode is enabled. This allows all SELinux domains to execute in fips_mode. If this setting is disabled, it should be enabled. To enable the fips_mode SELinux boolean, run the following command:

$ sudo setsebool -P fips_mode on

Rationale

Disable the ftpd_anon_write SELinux Boolean

sebool_ftpd_anon_write

Description

By default, the SELinux boolean ftpd_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_anon_write off

Rationale

Disable the ftpd_connect_all_unreserved SELinux Boolean

sebool_ftpd_connect_all_unreserved

Description

By default, the SELinux boolean ftpd_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_connect_all_unreserved off

Rationale

Disable the ftpd_connect_db SELinux Boolean

sebool_ftpd_connect_db

Description

By default, the SELinux boolean ftpd_connect_db is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_connect_db SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_connect_db off

Rationale

Disable the ftpd_full_access SELinux Boolean

sebool_ftpd_full_access

Description

By default, the SELinux boolean ftpd_full_access is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_full_access SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_full_access off

Rationale

Disable the ftpd_use_cifs SELinux Boolean

sebool_ftpd_use_cifs

Description

By default, the SELinux boolean ftpd_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_use_cifs off

Rationale

Disable the ftpd_use_fusefs SELinux Boolean

sebool_ftpd_use_fusefs

Description

By default, the SELinux boolean ftpd_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_use_fusefs off

Rationale

Disable the ftpd_use_nfs SELinux Boolean

sebool_ftpd_use_nfs

Description

By default, the SELinux boolean ftpd_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_use_nfs off

Rationale

Disable the ftpd_use_passive_mode SELinux Boolean

sebool_ftpd_use_passive_mode

Description

By default, the SELinux boolean ftpd_use_passive_mode is disabled. If this setting is enabled, it should be disabled. To disable the ftpd_use_passive_mode SELinux boolean, run the following command:

$ sudo setsebool -P ftpd_use_passive_mode off

Rationale

Disable the git_cgi_enable_homedirs SELinux Boolean

sebool_git_cgi_enable_homedirs

Description

By default, the SELinux boolean git_cgi_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the git_cgi_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P git_cgi_enable_homedirs off

Rationale

Disable the git_cgi_use_cifs SELinux Boolean

sebool_git_cgi_use_cifs

Description

By default, the SELinux boolean git_cgi_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the git_cgi_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P git_cgi_use_cifs off

Rationale

Disable the git_cgi_use_nfs SELinux Boolean

sebool_git_cgi_use_nfs

Description

By default, the SELinux boolean git_cgi_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the git_cgi_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P git_cgi_use_nfs off

Rationale

Disable the git_session_bind_all_unreserved_ports SELinux Boolean

sebool_git_session_bind_all_unreserved_ports

Description

By default, the SELinux boolean git_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command:

$ sudo setsebool -P git_session_bind_all_unreserved_ports off

Rationale

Disable the git_session_users SELinux Boolean

sebool_git_session_users

Description

By default, the SELinux boolean git_session_users is disabled. If this setting is enabled, it should be disabled. To disable the git_session_users SELinux boolean, run the following command:

$ sudo setsebool -P git_session_users off

Rationale

Disable the git_system_enable_homedirs SELinux Boolean

sebool_git_system_enable_homedirs

Description

By default, the SELinux boolean git_system_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the git_system_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P git_system_enable_homedirs off

Rationale

Disable the git_system_use_cifs SELinux Boolean

sebool_git_system_use_cifs

Description

By default, the SELinux boolean git_system_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the git_system_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P git_system_use_cifs off

Rationale

Disable the git_system_use_nfs SELinux Boolean

sebool_git_system_use_nfs

Description

By default, the SELinux boolean git_system_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the git_system_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P git_system_use_nfs off

Rationale

Disable the gitosis_can_sendmail SELinux Boolean

sebool_gitosis_can_sendmail

Description

By default, the SELinux boolean gitosis_can_sendmail is disabled. If this setting is enabled, it should be disabled. To disable the gitosis_can_sendmail SELinux boolean, run the following command:

$ sudo setsebool -P gitosis_can_sendmail off

Rationale

Disable the glance_api_can_network SELinux Boolean

sebool_glance_api_can_network

Description

By default, the SELinux boolean glance_api_can_network is disabled. If this setting is enabled, it should be disabled. To disable the glance_api_can_network SELinux boolean, run the following command:

$ sudo setsebool -P glance_api_can_network off

Rationale

Disable the glance_use_execmem SELinux Boolean

sebool_glance_use_execmem

Description

By default, the SELinux boolean glance_use_execmem is disabled. If this setting is enabled, it should be disabled. To disable the glance_use_execmem SELinux boolean, run the following command:

$ sudo setsebool -P glance_use_execmem off

Rationale

Disable the glance_use_fusefs SELinux Boolean

sebool_glance_use_fusefs

Description

By default, the SELinux boolean glance_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the glance_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P glance_use_fusefs off

Rationale

Disable the global_ssp SELinux Boolean

sebool_global_ssp

Description

By default, the SELinux boolean global_ssp is disabled. If this setting is enabled, it should be disabled. To disable the global_ssp SELinux boolean, run the following command:

$ sudo setsebool -P global_ssp off

Rationale

Disable the gluster_anon_write SELinux Boolean

sebool_gluster_anon_write

Description

By default, the SELinux boolean gluster_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the gluster_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P gluster_anon_write off

Rationale

Disable the gluster_export_all_ro SELinux Boolean

sebool_gluster_export_all_ro

Description

By default, the SELinux boolean gluster_export_all_ro is disabled. If this setting is enabled, it should be disabled. To disable the gluster_export_all_ro SELinux boolean, run the following command:

$ sudo setsebool -P gluster_export_all_ro off

Rationale

Configure the gluster_export_all_rw SELinux Boolean

sebool_gluster_export_all_rw

Description

By default, the SELinux boolean gluster_export_all_rw is enabled. If GlusterFS is in use, this setting should be enabled. Otherwise, disable it. To disable the gluster_export_all_rw SELinux boolean, run the following command:

$ sudo setsebool -P gluster_export_all_rw off

Rationale

Disable the gpg_web_anon_write SELinux Boolean

sebool_gpg_web_anon_write

Description

By default, the SELinux boolean gpg_web_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the gpg_web_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P gpg_web_anon_write off

Rationale

Enable the gssd_read_tmp SELinux Boolean

sebool_gssd_read_tmp

Description

By default, the SELinux boolean gssd_read_tmp is enabled. This setting allows gssd processes to access Kerberos to read TGTs in the temp directory. If this setting is disabled, it should be enabled. To enable the gssd_read_tmp SELinux boolean, run the following command:

$ sudo setsebool -P gssd_read_tmp on

Rationale

Disable the guest_exec_content SELinux Boolean

sebool_guest_exec_content

Description

By default, the SELinux boolean guest_exec_content is enabled. This setting should be disabled as no guest accounts should be used. To disable the guest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P guest_exec_content off

Rationale

Disable the haproxy_connect_any SELinux Boolean

sebool_haproxy_connect_any

Description

By default, the SELinux boolean haproxy_connect_any is disabled. If this setting is enabled, it should be disabled. To disable the haproxy_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P haproxy_connect_any off

Rationale

Disable the httpd_anon_write SELinux Boolean

sebool_httpd_anon_write

Description

By default, the SELinux boolean httpd_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the httpd_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P httpd_anon_write off

Rationale

Configure the httpd_builtin_scripting SELinux Boolean

sebool_httpd_builtin_scripting

Description

By default, the SELinux boolean httpd_builtin_scripting is enabled. This setting should be disabled if httpd is not running PHP or a similar scripting language. To disable the httpd_builtin_scripting SELinux boolean, run the following command:

$ sudo setsebool -P httpd_builtin_scripting off

Rationale

Disable the httpd_can_check_spam SELinux Boolean

sebool_httpd_can_check_spam

Description

By default, the SELinux boolean httpd_can_check_spam is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_check_spam SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_check_spam off

Rationale

Disable the httpd_can_connect_ftp SELinux Boolean

sebool_httpd_can_connect_ftp

Description

By default, the SELinux boolean httpd_can_connect_ftp is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ftp SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_ftp off

Rationale

Disable the httpd_can_connect_ldap SELinux Boolean

sebool_httpd_can_connect_ldap

Description

By default, the SELinux boolean httpd_can_connect_ldap is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ldap SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_ldap off

Rationale

Disable the httpd_can_connect_mythtv SELinux Boolean

sebool_httpd_can_connect_mythtv

Description

By default, the SELinux boolean httpd_can_connect_mythtv is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_mythtv SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_mythtv off

Rationale

Disable the httpd_can_connect_zabbix SELinux Boolean

sebool_httpd_can_connect_zabbix

Description

By default, the SELinux boolean httpd_can_connect_zabbix is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_zabbix SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_zabbix off

Rationale

Disable the httpd_can_network_connect SELinux Boolean

sebool_httpd_can_network_connect

Description

By default, the SELinux boolean httpd_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect off

Rationale

Disable the httpd_can_network_connect_cobbler SELinux Boolean

sebool_httpd_can_network_connect_cobbler

Description

By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect_cobbler off

Rationale

Disable the httpd_can_network_connect_db SELinux Boolean

sebool_httpd_can_network_connect_db

Description

By default, the SELinux boolean httpd_can_network_connect_db is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_db SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect_db off

Rationale

Disable the httpd_can_network_memcache SELinux Boolean

sebool_httpd_can_network_memcache

Description

By default, the SELinux boolean httpd_can_network_memcache is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_memcache SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_memcache off

Rationale

Disable the httpd_can_network_relay SELinux Boolean

sebool_httpd_can_network_relay

Description

By default, the SELinux boolean httpd_can_network_relay is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_relay SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_relay off

Rationale

Disable the httpd_can_sendmail SELinux Boolean

sebool_httpd_can_sendmail

Description

By default, the SELinux boolean httpd_can_sendmail is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_sendmail SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_sendmail off

Rationale

Disable the httpd_dbus_avahi SELinux Boolean

sebool_httpd_dbus_avahi

Description

By default, the SELinux boolean httpd_dbus_avahi is disabled. If this setting is enabled, it should be disabled. To disable the httpd_dbus_avahi SELinux boolean, run the following command:

$ sudo setsebool -P httpd_dbus_avahi off

Rationale

Disable the httpd_dbus_sssd SELinux Boolean

sebool_httpd_dbus_sssd

Description

By default, the SELinux boolean httpd_dbus_sssd is disabled. If this setting is enabled, it should be disabled. To disable the httpd_dbus_sssd SELinux boolean, run the following command:

$ sudo setsebool -P httpd_dbus_sssd off

Rationale

Disable the httpd_dontaudit_search_dirs SELinux Boolean

sebool_httpd_dontaudit_search_dirs

Description

By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_dontaudit_search_dirs off

Rationale

Configure the httpd_enable_cgi SELinux Boolean

sebool_httpd_enable_cgi

Description

By default, the SELinux boolean httpd_enable_cgi is enabled. This setting should be disabled unless httpd is used with CGI scripting. To disable the httpd_enable_cgi SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_cgi off

Rationale

Disable the httpd_enable_ftp_server SELinux Boolean

sebool_httpd_enable_ftp_server

Description

By default, the SELinux boolean httpd_enable_ftp_server is disabled. If this setting is enabled, it should be disabled. To disable the httpd_enable_ftp_server SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_ftp_server off

Rationale

Disable the httpd_enable_homedirs SELinux Boolean

sebool_httpd_enable_homedirs

Description

By default, the SELinux boolean httpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_homedirs off

Rationale

Disable the httpd_execmem SELinux Boolean

sebool_httpd_execmem

Description

By default, the SELinux boolean httpd_execmem is disabled. If this setting is enabled, it should be disabled. To disable the httpd_execmem SELinux boolean, run the following command:

$ sudo setsebool -P httpd_execmem off

Rationale

Enable the httpd_graceful_shutdown SELinux Boolean

sebool_httpd_graceful_shutdown

Description

By default, the SELinux boolean httpd_graceful_shutdown is enabled. If this setting is disabled, it should be enabled. To enable the httpd_graceful_shutdown SELinux boolean, run the following command:

$ sudo setsebool -P httpd_graceful_shutdown on

Rationale

Disable the httpd_manage_ipa SELinux Boolean

sebool_httpd_manage_ipa

Description

By default, the SELinux boolean httpd_manage_ipa is disabled. If this setting is enabled, it should be disabled. To disable the httpd_manage_ipa SELinux boolean, run the following command:

$ sudo setsebool -P httpd_manage_ipa off

Rationale

Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean

sebool_httpd_mod_auth_ntlm_winbind

Description

By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled. If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command:

$ sudo setsebool -P httpd_mod_auth_ntlm_winbind off

Rationale

Disable the httpd_mod_auth_pam SELinux Boolean

sebool_httpd_mod_auth_pam

Description

By default, the SELinux boolean httpd_mod_auth_pam is disabled. If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_pam SELinux boolean, run the following command:

$ sudo setsebool -P httpd_mod_auth_pam off

Rationale

Disable the httpd_read_user_content SELinux Boolean

sebool_httpd_read_user_content

Description

By default, the SELinux boolean httpd_read_user_content is disabled. If this setting is enabled, it should be disabled. To disable the httpd_read_user_content SELinux boolean, run the following command:

$ sudo setsebool -P httpd_read_user_content off

Rationale

Disable the httpd_run_ipa SELinux Boolean

sebool_httpd_run_ipa

Description

By default, the SELinux boolean httpd_run_ipa is disabled. If this setting is enabled, it should be disabled. To disable the httpd_run_ipa SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_ipa off

Rationale

Disable the httpd_run_preupgrade SELinux Boolean

sebool_httpd_run_preupgrade

Description

By default, the SELinux boolean httpd_run_preupgrade is disabled. If this setting is enabled, it should be disabled. To disable the httpd_run_preupgrade SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_preupgrade off

Rationale

Disable the httpd_run_stickshift SELinux Boolean

sebool_httpd_run_stickshift

Description

By default, the SELinux boolean httpd_run_stickshift is disabled. If this setting is enabled, it should be disabled. To disable the httpd_run_stickshift SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_stickshift off

Rationale

Disable the httpd_serve_cobbler_files SELinux Boolean

sebool_httpd_serve_cobbler_files

Description

By default, the SELinux boolean httpd_serve_cobbler_files is disabled. If this setting is enabled, it should be disabled. To disable the httpd_serve_cobbler_files SELinux boolean, run the following command:

$ sudo setsebool -P httpd_serve_cobbler_files off

Rationale

Disable the httpd_setrlimit SELinux Boolean

sebool_httpd_setrlimit

Description

By default, the SELinux boolean httpd_setrlimit is disabled. If this setting is enabled, it should be disabled. To disable the httpd_setrlimit SELinux boolean, run the following command:

$ sudo setsebool -P httpd_setrlimit off

Rationale

Disable the httpd_ssi_exec SELinux Boolean

sebool_httpd_ssi_exec

Description

By default, the SELinux boolean httpd_ssi_exec is disabled. If this setting is enabled, it should be disabled. To disable the httpd_ssi_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_ssi_exec off

Rationale

Disable the httpd_sys_script_anon_write SELinux Boolean

sebool_httpd_sys_script_anon_write

Description

By default, the SELinux boolean httpd_sys_script_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the httpd_sys_script_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P httpd_sys_script_anon_write off

Rationale

Disable the httpd_tmp_exec SELinux Boolean

sebool_httpd_tmp_exec

Description

By default, the SELinux boolean httpd_tmp_exec is disabled. If this setting is enabled, it should be disabled. To disable the httpd_tmp_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_tmp_exec off

Rationale

Disable the httpd_tty_comm SELinux Boolean

sebool_httpd_tty_comm

Description

By default, the SELinux boolean httpd_tty_comm is disabled. If this setting is enabled, it should be disabled. To disable the httpd_tty_comm SELinux boolean, run the following command:

$ sudo setsebool -P httpd_tty_comm off

Rationale

Disable the httpd_unified SELinux Boolean

sebool_httpd_unified

Description

By default, the SELinux boolean httpd_unified is disabled. If this setting is enabled, it should be disabled. To disable the httpd_unified SELinux boolean, run the following command:

$ sudo setsebool -P httpd_unified off

Rationale

Disable the httpd_use_cifs SELinux Boolean

sebool_httpd_use_cifs

Description

By default, the SELinux boolean httpd_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_cifs off

Rationale

Disable the httpd_use_fusefs SELinux Boolean

sebool_httpd_use_fusefs

Description

By default, the SELinux boolean httpd_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_fusefs off

Rationale

Disable the httpd_use_gpg SELinux Boolean

sebool_httpd_use_gpg

Description

By default, the SELinux boolean httpd_use_gpg is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_gpg SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_gpg off

Rationale

Disable the httpd_use_nfs SELinux Boolean

sebool_httpd_use_nfs

Description

By default, the SELinux boolean httpd_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_nfs off

Rationale

Disable the httpd_use_openstack SELinux Boolean

sebool_httpd_use_openstack

Description

By default, the SELinux boolean httpd_use_openstack is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_openstack SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_openstack off

Rationale

Disable the httpd_use_sasl SELinux Boolean

sebool_httpd_use_sasl

Description

By default, the SELinux boolean httpd_use_sasl is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_sasl SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_sasl off

Rationale

Disable the httpd_verify_dns SELinux Boolean

sebool_httpd_verify_dns

Description

By default, the SELinux boolean httpd_verify_dns is disabled. If this setting is enabled, it should be disabled. To disable the httpd_verify_dns SELinux boolean, run the following command:

$ sudo setsebool -P httpd_verify_dns off

Rationale

Disable the icecast_use_any_tcp_ports SELinux Boolean

sebool_icecast_use_any_tcp_ports

Description

By default, the SELinux boolean icecast_use_any_tcp_ports is disabled. If this setting is enabled, it should be disabled. To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command:

$ sudo setsebool -P icecast_use_any_tcp_ports off

Rationale

Disable the irc_use_any_tcp_ports SELinux Boolean

sebool_irc_use_any_tcp_ports

Description

By default, the SELinux boolean irc_use_any_tcp_ports is disabled. If this setting is enabled, it should be disabled. To disable the irc_use_any_tcp_ports SELinux boolean, run the following command:

$ sudo setsebool -P irc_use_any_tcp_ports off

Rationale

Disable the irssi_use_full_network SELinux Boolean

sebool_irssi_use_full_network

Description

By default, the SELinux boolean irssi_use_full_network is disabled. If this setting is enabled, it should be disabled. To disable the irssi_use_full_network SELinux boolean, run the following command:

$ sudo setsebool -P irssi_use_full_network off

Rationale

Disable the kdumpgui_run_bootloader SELinux Boolean

sebool_kdumpgui_run_bootloader

Description

By default, the SELinux boolean kdumpgui_run_bootloader is disabled. If this setting is enabled, it should be disabled. To disable the kdumpgui_run_bootloader SELinux boolean, run the following command:

$ sudo setsebool -P kdumpgui_run_bootloader off

Rationale

Enable the kerberos_enabled SELinux Boolean

sebool_kerberos_enabled

Description

By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos. To enable the kerberos_enabled SELinux boolean, run the following command:

$ sudo setsebool -P kerberos_enabled on

Rationale

Disable the ksmtuned_use_cifs SELinux Boolean

sebool_ksmtuned_use_cifs

Description

By default, the SELinux boolean ksmtuned_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the ksmtuned_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P ksmtuned_use_cifs off

Rationale

Disable the ksmtuned_use_nfs SELinux Boolean

sebool_ksmtuned_use_nfs

Description

By default, the SELinux boolean ksmtuned_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the ksmtuned_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P ksmtuned_use_nfs off

Rationale

Enable the logadm_exec_content SELinux Boolean

sebool_logadm_exec_content

Description

By default, the SELinux boolean logadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the logadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P logadm_exec_content on

Rationale

Disable the logging_syslogd_can_sendmail SELinux Boolean

sebool_logging_syslogd_can_sendmail

Description

By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. If this setting is enabled, it should be disabled. To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_can_sendmail off

Rationale

Disable the logging_syslogd_run_nagios_plugins SELinux Boolean

sebool_logging_syslogd_run_nagios_plugins

Description

By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled. If this setting is enabled, it should be disabled. To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_run_nagios_plugins off

Rationale

Enable the logging_syslogd_use_tty SELinux Boolean

sebool_logging_syslogd_use_tty

Description

By default, the SELinux boolean logging_syslogd_use_tty is enabled. If this setting is disabled, it should be enabled, as it gives syslog the ability to read from and write to a terminal. To enable the logging_syslogd_use_tty SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_use_tty on

Rationale

Enable the login_console_enabled SELinux Boolean

sebool_login_console_enabled

Description

By default, the SELinux boolean login_console_enabled is enabled. If this setting is disabled, it should be enabled as it allows login from /dev/console to a console session. To enable the login_console_enabled SELinux boolean, run the following command:

$ sudo setsebool -P login_console_enabled on

Rationale

Disable the logrotate_use_nfs SELinux Boolean

sebool_logrotate_use_nfs

Description

By default, the SELinux boolean logrotate_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the logrotate_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P logrotate_use_nfs off

Rationale

Disable the logwatch_can_network_connect_mail SELinux Boolean

sebool_logwatch_can_network_connect_mail

Description

By default, the SELinux boolean logwatch_can_network_connect_mail is disabled. If this setting is enabled, it should be disabled. To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command:

$ sudo setsebool -P logwatch_can_network_connect_mail off

Rationale

Disable the lsmd_plugin_connect_any SELinux Boolean

sebool_lsmd_plugin_connect_any

Description

By default, the SELinux boolean lsmd_plugin_connect_any is disabled. If this setting is enabled, it should be disabled. To disable the lsmd_plugin_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P lsmd_plugin_connect_any off

Rationale

Disable the mailman_use_fusefs SELinux Boolean

sebool_mailman_use_fusefs

Description

By default, the SELinux boolean mailman_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the mailman_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P mailman_use_fusefs off

Rationale

Disable the mcelog_client SELinux Boolean

sebool_mcelog_client

Description

By default, the SELinux boolean mcelog_client is disabled. If this setting is enabled, it should be disabled. To disable the mcelog_client SELinux boolean, run the following command:

$ sudo setsebool -P mcelog_client off

Rationale

Enable the mcelog_exec_scripts SELinux Boolean

sebool_mcelog_exec_scripts

Description

By default, the SELinux boolean mcelog_exec_scripts is enabled. If this setting is disabled, it should be enabled. To enable the mcelog_exec_scripts SELinux boolean, run the following command:

$ sudo setsebool -P mcelog_exec_scripts on

Rationale

Disable the mcelog_foreground SELinux Boolean

sebool_mcelog_foreground

Description

By default, the SELinux boolean mcelog_foreground is disabled. If this setting is enabled, it should be disabled. To disable the mcelog_foreground SELinux boolean, run the following command:

$ sudo setsebool -P mcelog_foreground off

Rationale

Disable the mcelog_server SELinux Boolean

sebool_mcelog_server

Description

By default, the SELinux boolean mcelog_server is disabled. If this setting is enabled, it should be disabled. To disable the mcelog_server SELinux boolean, run the following command:

$ sudo setsebool -P mcelog_server off

Rationale

Disable the minidlna_read_generic_user_content SELinux Boolean

sebool_minidlna_read_generic_user_content

Description

By default, the SELinux boolean minidlna_read_generic_user_content is disabled. If this setting is enabled, it should be disabled. To disable the minidlna_read_generic_user_content SELinux boolean, run the following command:

$ sudo setsebool -P minidlna_read_generic_user_content off

Rationale

Disable the mmap_low_allowed SELinux Boolean

sebool_mmap_low_allowed

Description

By default, the SELinux boolean mmap_low_allowed is disabled. If this setting is enabled, it should be disabled. To disable the mmap_low_allowed SELinux boolean, run the following command:

$ sudo setsebool -P mmap_low_allowed off

Rationale

Disable the mock_enable_homedirs SELinux Boolean

sebool_mock_enable_homedirs

Description

By default, the SELinux boolean mock_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the mock_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P mock_enable_homedirs off

Rationale

Enable the mount_anyfile SELinux Boolean

sebool_mount_anyfile

Description

By default, the SELinux boolean mount_anyfile is enabled. If this setting is disabled, it should be enabled to allow any file or directory to be mounted. To enable the mount_anyfile SELinux boolean, run the following command:

$ sudo setsebool -P mount_anyfile on

Rationale

Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean

sebool_mozilla_plugin_bind_unreserved_ports

Description

By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled. If this setting is enabled, it should be disabled. To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off

Rationale

Disable the mozilla_plugin_can_network_connect SELinux Boolean

sebool_mozilla_plugin_can_network_connect

Description

By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_can_network_connect off

Rationale

Disable the mozilla_plugin_use_bluejeans SELinux Boolean

sebool_mozilla_plugin_use_bluejeans

Description

By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled. If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_use_bluejeans off

Rationale

Disable the mozilla_plugin_use_gps SELinux Boolean

sebool_mozilla_plugin_use_gps

Description

By default, the SELinux boolean mozilla_plugin_use_gps is disabled. If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_gps SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_use_gps off

Rationale

Disable the mozilla_plugin_use_spice SELinux Boolean

sebool_mozilla_plugin_use_spice

Description

By default, the SELinux boolean mozilla_plugin_use_spice is disabled. If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_spice SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_plugin_use_spice off

Rationale

Disable the mozilla_read_content SELinux Boolean

sebool_mozilla_read_content

Description

By default, the SELinux boolean mozilla_read_content is disabled. If this setting is enabled, it should be disabled. To disable the mozilla_read_content SELinux boolean, run the following command:

$ sudo setsebool -P mozilla_read_content off

Rationale

Disable the mpd_enable_homedirs SELinux Boolean

sebool_mpd_enable_homedirs

Description

By default, the SELinux boolean mpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the mpd_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P mpd_enable_homedirs off

Rationale

Disable the mpd_use_cifs SELinux Boolean

sebool_mpd_use_cifs

Description

By default, the SELinux boolean mpd_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the mpd_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P mpd_use_cifs off

Rationale

Disable the mpd_use_nfs SELinux Boolean

sebool_mpd_use_nfs

Description

By default, the SELinux boolean mpd_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the mpd_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P mpd_use_nfs off

Rationale

Disable the mplayer_execstack SELinux Boolean

sebool_mplayer_execstack

Description

By default, the SELinux boolean mplayer_execstack is disabled. If this setting is enabled, it should be disabled. To disable the mplayer_execstack SELinux boolean, run the following command:

$ sudo setsebool -P mplayer_execstack off

Rationale

Disable the mysql_connect_any SELinux Boolean

sebool_mysql_connect_any

Description

By default, the SELinux boolean mysql_connect_any is disabled. If this setting is enabled, it should be disabled. To disable the mysql_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P mysql_connect_any off

Rationale

Disable the nagios_run_pnp4nagios SELinux Boolean

sebool_nagios_run_pnp4nagios

Description

By default, the SELinux boolean nagios_run_pnp4nagios is disabled. If this setting is enabled, it should be disabled. To disable the nagios_run_pnp4nagios SELinux boolean, run the following command:

$ sudo setsebool -P nagios_run_pnp4nagios off

Rationale

Disable the nagios_run_sudo SELinux Boolean

sebool_nagios_run_sudo

Description

By default, the SELinux boolean nagios_run_sudo is disabled. If this setting is enabled, it should be disabled. To disable the nagios_run_sudo SELinux boolean, run the following command:

$ sudo setsebool -P nagios_run_sudo off

Rationale

Disable the named_tcp_bind_http_port SELinux Boolean

sebool_named_tcp_bind_http_port

Description

By default, the SELinux boolean named_tcp_bind_http_port is disabled. If this setting is enabled, it should be disabled. To disable the named_tcp_bind_http_port SELinux boolean, run the following command:

$ sudo setsebool -P named_tcp_bind_http_port off

Rationale

Disable the named_write_master_zones SELinux Boolean

sebool_named_write_master_zones

Description

By default, the SELinux boolean named_write_master_zones is disabled. If this setting is enabled, it should be disabled. To disable the named_write_master_zones SELinux boolean, run the following command:

$ sudo setsebool -P named_write_master_zones off

Rationale

Disable the neutron_can_network SELinux Boolean

sebool_neutron_can_network

Description

By default, the SELinux boolean neutron_can_network is disabled. If this setting is enabled, it should be disabled. To disable the neutron_can_network SELinux boolean, run the following command:

$ sudo setsebool -P neutron_can_network off

Rationale

Enable the nfs_export_all_ro SELinux Boolean

sebool_nfs_export_all_ro

Description

By default, the SELinux boolean nfs_export_all_ro is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read-only mounts. To enable the nfs_export_all_ro SELinux boolean, run the following command:

$ sudo setsebool -P nfs_export_all_ro on

Rationale

Enable the nfs_export_all_rw SELinux Boolean

sebool_nfs_export_all_rw

Description

By default, the SELinux boolean nfs_export_all_rw is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read/write mounts. To enable the nfs_export_all_rw SELinux boolean, run the following command:

$ sudo setsebool -P nfs_export_all_rw on

Rationale

Disable the nfsd_anon_write SELinux Boolean

sebool_nfsd_anon_write

Description

By default, the SELinux boolean nfsd_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the nfsd_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P nfsd_anon_write off

Rationale

Disable the nis_enabled SELinux Boolean

sebool_nis_enabled

Description

By default, the SELinux boolean nis_enabled is disabled. If this setting is enabled, it should be disabled. To disable the nis_enabled SELinux boolean, run the following command:

$ sudo setsebool -P nis_enabled off

Rationale

Enable the nscd_use_shm SELinux Boolean

sebool_nscd_use_shm

Description

By default, the SELinux boolean nscd_use_shm is enabled. If this setting is disabled, it should be enabled to allow nscd to use shared memory. To enable the nscd_use_shm SELinux boolean, run the following command:

$ sudo setsebool -P nscd_use_shm on

Rationale

Disable the openshift_use_nfs SELinux Boolean

sebool_openshift_use_nfs

Description

By default, the SELinux boolean openshift_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the openshift_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P openshift_use_nfs off

Rationale

Disable the openvpn_can_network_connect SELinux Boolean

sebool_openvpn_can_network_connect

Description

By default, the SELinux boolean openvpn_can_network_connect is enabled. This setting should be disabled. To disable the openvpn_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P openvpn_can_network_connect off

Rationale

Disable the openvpn_enable_homedirs SELinux Boolean

sebool_openvpn_enable_homedirs

Description

By default, the SELinux boolean openvpn_enable_homedirs is enabled. This setting should be disabled. To disable the openvpn_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P openvpn_enable_homedirs off

Rationale

Disable the openvpn_run_unconfined SELinux Boolean

sebool_openvpn_run_unconfined

Description

By default, the SELinux boolean openvpn_run_unconfined is disabled. If this setting is enabled, it should be disabled. To disable the openvpn_run_unconfined SELinux boolean, run the following command:

$ sudo setsebool -P openvpn_run_unconfined off

Rationale

Disable the pcp_bind_all_unreserved_ports SELinux Boolean

sebool_pcp_bind_all_unreserved_ports

Description

By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command:

$ sudo setsebool -P pcp_bind_all_unreserved_ports off

Rationale

Disable the pcp_read_generic_logs SELinux Boolean

sebool_pcp_read_generic_logs

Description

By default, the SELinux boolean pcp_read_generic_logs is disabled. If this setting is enabled, it should be disabled. To disable the pcp_read_generic_logs SELinux boolean, run the following command:

$ sudo setsebool -P pcp_read_generic_logs off

Rationale

Disable the piranha_lvs_can_network_connect SELinux Boolean

sebool_piranha_lvs_can_network_connect

Description

By default, the SELinux boolean piranha_lvs_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P piranha_lvs_can_network_connect off

Rationale

Disable the polipo_connect_all_unreserved SELinux Boolean

sebool_polipo_connect_all_unreserved

Description

By default, the SELinux boolean polipo_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled. To disable the polipo_connect_all_unreserved SELinux boolean, run the following command:

$ sudo setsebool -P polipo_connect_all_unreserved off

Rationale

Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean

sebool_polipo_session_bind_all_unreserved_ports

Description

By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command:

$ sudo setsebool -P polipo_session_bind_all_unreserved_ports off

Rationale

Disable the polipo_session_users SELinux Boolean

sebool_polipo_session_users

Description

By default, the SELinux boolean polipo_session_users is disabled. If this setting is enabled, it should be disabled. To disable the polipo_session_users SELinux boolean, run the following command:

$ sudo setsebool -P polipo_session_users off

Rationale

Disable the polipo_use_cifs SELinux Boolean

sebool_polipo_use_cifs

Description

By default, the SELinux boolean polipo_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the polipo_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P polipo_use_cifs off

Rationale

Disable the polipo_use_nfs SELinux Boolean

sebool_polipo_use_nfs

Description

By default, the SELinux boolean polipo_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the polipo_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P polipo_use_nfs off

Rationale

Configure the polyinstantiation_enabled SELinux Boolean

sebool_polyinstantiation_enabled

Description

By default, the SELinux boolean polyinstantiation_enabled is disabled. This setting should be configured to $var_polyinstantiation_enabled.
To set the polyinstantiation_enabled SELinux boolean, run the following command:

$ sudo setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled

Rationale

Enable the postfix_local_write_mail_spool SELinux Boolean

sebool_postfix_local_write_mail_spool

Description

By default, the SELinux boolean postfix_local_write_mail_spool is enabled. If this setting is disabled, it should be enabled as it allows Postfix to write to the mail spool directories. To enable the postfix_local_write_mail_spool SELinux boolean, run the following command:

$ sudo setsebool -P postfix_local_write_mail_spool on

Rationale

Disable the postgresql_can_rsync SELinux Boolean

sebool_postgresql_can_rsync

Description

By default, the SELinux boolean postgresql_can_rsync is disabled. If this setting is enabled, it should be disabled. To disable the postgresql_can_rsync SELinux boolean, run the following command:

$ sudo setsebool -P postgresql_can_rsync off

Rationale

Disable the postgresql_selinux_transmit_client_label SELinux Boolean

sebool_postgresql_selinux_transmit_client_label

Description

By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled. If this setting is enabled, it should be disabled. To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command:

$ sudo setsebool -P postgresql_selinux_transmit_client_label off

Rationale

Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean

sebool_postgresql_selinux_unconfined_dbadm

Description

By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled. If this setting is disabled, it should be enabled as it allows Database Administrators to execute Data Manipulation Language (DML) statements. To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command:

$ sudo setsebool -P postgresql_selinux_unconfined_dbadm on

Rationale

Enable the postgresql_selinux_users_ddl SELinux Boolean

sebool_postgresql_selinux_users_ddl

Description

By default, the SELinux boolean postgresql_selinux_users_ddl is enabled. If this setting is disabled, it should be enabled as it allows Database Administrators to execute Data Definition Language (DDL) statements. To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command:

$ sudo setsebool -P postgresql_selinux_users_ddl on

Rationale

Disable the pppd_can_insmod SELinux Boolean

sebool_pppd_can_insmod

Description

By default, the SELinux boolean pppd_can_insmod is disabled. If this setting is enabled, it should be disabled. To disable the pppd_can_insmod SELinux boolean, run the following command:

$ sudo setsebool -P pppd_can_insmod off

Rationale

Disable the pppd_for_user SELinux Boolean

sebool_pppd_for_user

Description

By default, the SELinux boolean pppd_for_user is disabled. If this setting is enabled, it should be disabled. To disable the pppd_for_user SELinux boolean, run the following command:

$ sudo setsebool -P pppd_for_user off

Rationale

Disable the privoxy_connect_any SELinux Boolean

sebool_privoxy_connect_any

Description

By default, the SELinux boolean privoxy_connect_any is enabled. This setting should be disabled. To disable the privoxy_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P privoxy_connect_any off

Rationale

Disable the prosody_bind_http_port SELinux Boolean

sebool_prosody_bind_http_port

Description

By default, the SELinux boolean prosody_bind_http_port is disabled. If this setting is enabled, it should be disabled. To disable the prosody_bind_http_port SELinux boolean, run the following command:

$ sudo setsebool -P prosody_bind_http_port off

Rationale

Disable the puppetagent_manage_all_files SELinux Boolean

sebool_puppetagent_manage_all_files

Description

By default, the SELinux boolean puppetagent_manage_all_files is disabled. If this setting is enabled, it should be disabled. To disable the puppetagent_manage_all_files SELinux boolean, run the following command:

$ sudo setsebool -P puppetagent_manage_all_files off

Rationale

Disable the puppetmaster_use_db SELinux Boolean

sebool_puppetmaster_use_db

Description

By default, the SELinux boolean puppetmaster_use_db is disabled. If this setting is enabled, it should be disabled. To disable the puppetmaster_use_db SELinux boolean, run the following command:

$ sudo setsebool -P puppetmaster_use_db off

Rationale

Disable the racoon_read_shadow SELinux Boolean

sebool_racoon_read_shadow

Description

By default, the SELinux boolean racoon_read_shadow is disabled. If this setting is enabled, it should be disabled. To disable the racoon_read_shadow SELinux boolean, run the following command:

$ sudo setsebool -P racoon_read_shadow off

Rationale

Disable the rsync_anon_write SELinux Boolean

sebool_rsync_anon_write

Description

By default, the SELinux boolean rsync_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the rsync_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P rsync_anon_write off

Rationale

Disable the rsync_client SELinux Boolean

sebool_rsync_client

Description

By default, the SELinux boolean rsync_client is disabled. If this setting is enabled, it should be disabled. To disable the rsync_client SELinux boolean, run the following command:

$ sudo setsebool -P rsync_client off

Rationale

Disable the rsync_export_all_ro SELinux Boolean

sebool_rsync_export_all_ro

Description

By default, the SELinux boolean rsync_export_all_ro is disabled. If this setting is enabled, it should be disabled. To disable the rsync_export_all_ro SELinux boolean, run the following command:

$ sudo setsebool -P rsync_export_all_ro off

Rationale

Disable the rsync_full_access SELinux Boolean

sebool_rsync_full_access

Description

By default, the SELinux boolean rsync_full_access is disabled. If this setting is enabled, it should be disabled. To disable the rsync_full_access SELinux boolean, run the following command:

$ sudo setsebool -P rsync_full_access off

Rationale

Disable the samba_create_home_dirs SELinux Boolean

sebool_samba_create_home_dirs

Description

By default, the SELinux boolean samba_create_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the samba_create_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P samba_create_home_dirs off

Rationale

Disable the samba_domain_controller SELinux Boolean

sebool_samba_domain_controller

Description

By default, the SELinux boolean samba_domain_controller is disabled. If this setting is enabled, it should be disabled. To disable the samba_domain_controller SELinux boolean, run the following command:

$ sudo setsebool -P samba_domain_controller off

Rationale

Disable the samba_enable_home_dirs SELinux Boolean

sebool_samba_enable_home_dirs

Description

By default, the SELinux boolean samba_enable_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the samba_enable_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P samba_enable_home_dirs off

Rationale

Disable the samba_export_all_ro SELinux Boolean

sebool_samba_export_all_ro

Description

By default, the SELinux boolean samba_export_all_ro is disabled. If this setting is enabled, it should be disabled. To disable the samba_export_all_ro SELinux boolean, run the following command:

$ sudo setsebool -P samba_export_all_ro off

Rationale

Disable the samba_export_all_rw SELinux Boolean

sebool_samba_export_all_rw

Description

By default, the SELinux boolean samba_export_all_rw is disabled. If this setting is enabled, it should be disabled. To disable the samba_export_all_rw SELinux boolean, run the following command:

$ sudo setsebool -P samba_export_all_rw off

Rationale

Disable the samba_load_libgfapi SELinux Boolean

sebool_samba_load_libgfapi

Description

By default, the SELinux boolean samba_load_libgfapi is disabled. If this setting is enabled, it should be disabled. To disable the samba_load_libgfapi SELinux boolean, run the following command:

$ sudo setsebool -P samba_load_libgfapi off

Rationale

Disable the samba_portmapper SELinux Boolean

sebool_samba_portmapper

Description

By default, the SELinux boolean samba_portmapper is disabled. If this setting is enabled, it should be disabled. To disable the samba_portmapper SELinux boolean, run the following command:

$ sudo setsebool -P samba_portmapper off

Rationale

Disable the samba_run_unconfined SELinux Boolean

sebool_samba_run_unconfined

Description

By default, the SELinux boolean samba_run_unconfined is disabled. If this setting is enabled, it should be disabled. To disable the samba_run_unconfined SELinux boolean, run the following command:

$ sudo setsebool -P samba_run_unconfined off

Rationale

Disable the samba_share_fusefs SELinux Boolean

sebool_samba_share_fusefs

Description

By default, the SELinux boolean samba_share_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the samba_share_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P samba_share_fusefs off

Rationale

Disable the samba_share_nfs SELinux Boolean

sebool_samba_share_nfs

Description

By default, the SELinux boolean samba_share_nfs is disabled. If this setting is enabled, it should be disabled. To disable the samba_share_nfs SELinux boolean, run the following command:

$ sudo setsebool -P samba_share_nfs off

Rationale

Disable the sanlock_use_fusefs SELinux Boolean

sebool_sanlock_use_fusefs

Description

By default, the SELinux boolean sanlock_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the sanlock_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P sanlock_use_fusefs off

Rationale

Disable the sanlock_use_nfs SELinux Boolean

sebool_sanlock_use_nfs

Description

By default, the SELinux boolean sanlock_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the sanlock_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P sanlock_use_nfs off

Rationale

Disable the sanlock_use_samba SELinux Boolean

sebool_sanlock_use_samba

Description

By default, the SELinux boolean sanlock_use_samba is disabled. If this setting is enabled, it should be disabled. To disable the sanlock_use_samba SELinux boolean, run the following command:

$ sudo setsebool -P sanlock_use_samba off

Rationale

Disable the saslauthd_read_shadow SELinux Boolean

sebool_saslauthd_read_shadow

Description

By default, the SELinux boolean saslauthd_read_shadow is disabled. If this setting is enabled, it should be disabled. To disable the saslauthd_read_shadow SELinux boolean, run the following command:

$ sudo setsebool -P saslauthd_read_shadow off

Rationale

Enable the secadm_exec_content SELinux Boolean

sebool_secadm_exec_content

Description

By default, the SELinux boolean secadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the secadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P secadm_exec_content on

Rationale

Disable the secure_mode SELinux Boolean

sebool_secure_mode

Description

By default, the SELinux boolean secure_mode is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode off

Rationale

Configure the secure_mode_insmod SELinux Boolean

sebool_secure_mode_insmod

Description

By default, the SELinux boolean secure_mode_insmod is disabled. This setting should be configured to $var_secure_mode_insmod.
To set the secure_mode_insmod SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_insmod $var_secure_mode_insmod

Rationale

Disable the secure_mode_policyload SELinux Boolean

sebool_secure_mode_policyload

Description

By default, the SELinux boolean secure_mode_policyload is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode_policyload SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_policyload off

Rationale

Configure the selinuxuser_direct_dri_enabled SELinux Boolean

sebool_selinuxuser_direct_dri_enabled

Description

By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled. If the X Window System is not installed or used on the system, this setting should be disabled. Otherwise, enable it. To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_direct_dri_enabled off

Rationale

Disable the selinuxuser_execheap SELinux Boolean

sebool_selinuxuser_execheap

Description

By default, the SELinux boolean selinuxuser_execheap is disabled. When enabled, this boolean allows SELinux users to execute code from the heap. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execheap off

Rationale

Disabling code execution from the heap blocks buffer overflow attacks.

Enable the selinuxuser_execmod SELinux Boolean

sebool_selinuxuser_execmod

Description

By default, the SELinux boolean selinuxuser_execmod is enabled. If this setting is disabled, it should be enabled. To enable the selinuxuser_execmod SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execmod on

Rationale

Disable the selinuxuser_execstack SELinux Boolean

sebool_selinuxuser_execstack

Description

By default, the SELinux boolean selinuxuser_execstack is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the selinuxuser_execstack SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execstack off

Rationale

Disabling code execution from the stack blocks buffer overflow attacks.
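The rules in this section each give a setsebool -P command but no way to check the current state. The following audit script is an added example, not part of the page or of the ComplianceAsCode project: it parses the output format of getsebool -a ("name --> on|off"), compares it with a desired baseline, and emits the remediation command for each deviation. The BASELINE dictionary is an assumed subset of the rules above (selinuxuser_execheap, selinuxuser_execstack and a few others), and SAMPLE_OUTPUT is constructed so the script runs offline; audit_live() runs the real getsebool on a host where it exists.

```python
"""Audit SELinux boolean state against a desired baseline.

Added example (not project code). Parses getsebool -a style output,
reports booleans that deviate from the baseline, and prints the
`setsebool -P` command that would remediate each one.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Assumed baseline: a subset of the desired states from the rules above.
BASELINE: Dict[str, bool] = {
    "selinuxuser_execheap": False,   # no code execution from the heap
    "selinuxuser_execstack": False,  # no executable stacks
    "selinuxuser_execmod": True,     # rule says this one stays enabled
    "ssh_sysadm_login": False,
    "samba_export_all_rw": False,
    "nfs_export_all_ro": True,
}

# One line of `getsebool -a` output: "<boolean> --> on" or "... --> off".
_LINE_RE = re.compile(r"^\s*(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(output: str) -> Dict[str, bool]:
    """Map boolean name -> True (on) / False (off); unexpected lines are skipped."""
    states: Dict[str, bool] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            states[m.group(1)] = m.group(2) == "on"
    return states


def find_drift(current: Dict[str, bool],
               baseline: Dict[str, bool]) -> List[Tuple[str, str, str]]:
    """Return (boolean, current_state, desired_state) for every deviation.

    A boolean absent from the output is reported as 'missing' so that
    'not present in the loaded policy' is not confused with 'wrong value'.
    """
    drift: List[Tuple[str, str, str]] = []
    for name, wanted in sorted(baseline.items()):
        desired = "on" if wanted else "off"
        if name not in current:
            drift.append((name, "missing", desired))
        elif current[name] != wanted:
            drift.append((name, "on" if current[name] else "off", desired))
    return drift


def remediation_commands(drift: List[Tuple[str, str, str]]) -> List[str]:
    """setsebool -P commands for deviations; missing booleans cannot be set."""
    return [f"setsebool -P {name} {desired}"
            for name, cur, desired in drift if cur != "missing"]


def audit_text(output: str) -> List[Tuple[str, str, str]]:
    """Audit captured getsebool output against BASELINE."""
    return find_drift(parse_getsebool(output), BASELINE)


def audit_live() -> List[Tuple[str, str, str]]:
    """Audit the running host (requires getsebool, i.e. policycoreutils)."""
    out = subprocess.run(["getsebool", "-a"], check=True,
                         capture_output=True, text=True).stdout
    return audit_text(out)


# Constructed sample output: two booleans deliberately deviate from BASELINE.
SAMPLE_OUTPUT = """\
nfs_export_all_ro --> on
samba_export_all_rw --> on
selinuxuser_execheap --> off
selinuxuser_execmod --> on
selinuxuser_execstack --> on
ssh_sysadm_login --> off
"""

if __name__ == "__main__":
    drift = audit_text(SAMPLE_OUTPUT)
    for name, cur, desired in drift:
        print(f"{name}: is {cur}, should be {desired}")
    for cmd in remediation_commands(drift):
        print("  sudo " + cmd)
```

Run it as is to see the two deviations in the constructed sample, or call audit_live() on a host to compare the loaded policy against the baseline; extend BASELINE with the remaining booleans from this section as your profile requires.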

Disable the selinuxuser_mysql_connect_enabled SELinux Boolean

sebool_selinuxuser_mysql_connect_enabled

Description

By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_mysql_connect_enabled off

Rationale

Enable the selinuxuser_ping SELinux Boolean

sebool_selinuxuser_ping

Description

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute, which are helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_ping on

Rationale

Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean

sebool_selinuxuser_postgresql_connect_enabled

Description

By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_postgresql_connect_enabled off

Rationale

Disable the selinuxuser_rw_noexattrfile SELinux Boolean

sebool_selinuxuser_rw_noexattrfile

Description

By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled. This setting should be disabled, as users should not be able to read or write files on filesystems that do not support extended attributes (e.g. FAT, CD-ROM or floppy media). To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_rw_noexattrfile off

Rationale

Disable the selinuxuser_share_music SELinux Boolean

sebool_selinuxuser_share_music

Description

By default, the SELinux boolean selinuxuser_share_music is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_share_music SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_share_music off

Rationale

Disable the selinuxuser_tcp_server SELinux Boolean

sebool_selinuxuser_tcp_server

Description

By default, the SELinux boolean selinuxuser_tcp_server is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_tcp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_tcp_server off

Rationale

Disable the selinuxuser_udp_server SELinux Boolean

sebool_selinuxuser_udp_server

Description

By default, the SELinux boolean selinuxuser_udp_server is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_udp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_udp_server off

Rationale

Disable the selinuxuser_use_ssh_chroot SELinux Boolean

sebool_selinuxuser_use_ssh_chroot

Description

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_use_ssh_chroot off

Rationale

Disable the sge_domain_can_network_connect SELinux Boolean

sebool_sge_domain_can_network_connect

Description

By default, the SELinux boolean sge_domain_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the sge_domain_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P sge_domain_can_network_connect off

Rationale

Disable the sge_use_nfs SELinux Boolean

sebool_sge_use_nfs

Description

By default, the SELinux boolean sge_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the sge_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P sge_use_nfs off

Rationale

Disable the smartmon_3ware SELinux Boolean

sebool_smartmon_3ware

Description

By default, the SELinux boolean smartmon_3ware is disabled. If this setting is enabled, it should be disabled. To disable the smartmon_3ware SELinux boolean, run the following command:

$ sudo setsebool -P smartmon_3ware off

Rationale

Disable the smbd_anon_write SELinux Boolean

sebool_smbd_anon_write

Description

By default, the SELinux boolean smbd_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the smbd_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P smbd_anon_write off

Rationale

Disable the spamassassin_can_network SELinux Boolean

sebool_spamassassin_can_network

Description

By default, the SELinux boolean spamassassin_can_network is disabled. If this setting is enabled, it should be disabled. To disable the spamassassin_can_network SELinux boolean, run the following command:

$ sudo setsebool -P spamassassin_can_network off

Rationale

Enable the spamd_enable_home_dirs SELinux Boolean

sebool_spamd_enable_home_dirs

Description

By default, the SELinux boolean spamd_enable_home_dirs is enabled. If this setting is disabled, it should be enabled. To enable the spamd_enable_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P spamd_enable_home_dirs on

Rationale

Disable the squid_connect_any SELinux Boolean

sebool_squid_connect_any

Description

By default, the SELinux boolean squid_connect_any is enabled. This setting should be disabled as squid should only connect on specified ports. To disable the squid_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P squid_connect_any off

Rationale

Disable the squid_use_tproxy SELinux Boolean

sebool_squid_use_tproxy

Description

By default, the SELinux boolean squid_use_tproxy is disabled. If this setting is enabled, it should be disabled. To disable the squid_use_tproxy SELinux boolean, run the following command:

$ sudo setsebool -P squid_use_tproxy off

Rationale

Disable the ssh_chroot_rw_homedirs SELinux Boolean

sebool_ssh_chroot_rw_homedirs

Description

By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P ssh_chroot_rw_homedirs off

Rationale

Disable the ssh_keysign SELinux Boolean

sebool_ssh_keysign

Description

By default, the SELinux boolean ssh_keysign is disabled. If this setting is enabled, it should be disabled. To disable the ssh_keysign SELinux boolean, run the following command:

$ sudo setsebool -P ssh_keysign off

Rationale

Disable the ssh_sysadm_login SELinux Boolean

sebool_ssh_sysadm_login

Description

By default, the SELinux boolean ssh_sysadm_login is disabled. If this setting is enabled, it should be disabled. To disable the ssh_sysadm_login SELinux boolean, run the following command:

$ sudo setsebool -P ssh_sysadm_login off

Rationale

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Enable the staff_exec_content SELinux Boolean

sebool_staff_exec_content

Description

By default, the SELinux boolean staff_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the staff_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P staff_exec_content on

Rationale

Disable the staff_use_svirt SELinux Boolean

sebool_staff_use_svirt

Description

By default, the SELinux boolean staff_use_svirt is disabled. If this setting is enabled, it should be disabled. To disable the staff_use_svirt SELinux boolean, run the following command:

$ sudo setsebool -P staff_use_svirt off

Rationale

Disable the swift_can_network SELinux Boolean

sebool_swift_can_network

Description

By default, the SELinux boolean swift_can_network is disabled. If this setting is enabled, it should be disabled. To disable the swift_can_network SELinux boolean, run the following command:

$ sudo setsebool -P swift_can_network off

Rationale

Enable the sysadm_exec_content SELinux Boolean

sebool_sysadm_exec_content

Description

By default, the SELinux boolean sysadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the sysadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P sysadm_exec_content on

Rationale

Disable the telepathy_connect_all_ports SELinux Boolean

sebool_telepathy_connect_all_ports

Description

By default, the SELinux boolean telepathy_connect_all_ports is disabled. If this setting is enabled, it should be disabled. To disable the telepathy_connect_all_ports SELinux boolean, run the following command:

$ sudo setsebool -P telepathy_connect_all_ports off

Rationale

Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean

sebool_telepathy_tcp_connect_generic_network_ports

Description

By default, the SELinux boolean telepathy_tcp_connect_generic_network_ports is enabled. This setting should be disabled as telepathy should not connect to any generic network ports. To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command:

$ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off

Rationale

Disable the tftp_anon_write SELinux Boolean

sebool_tftp_anon_write

Description

By default, the SELinux boolean tftp_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the tftp_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P tftp_anon_write off

Rationale

Disable the tftp_home_dir SELinux Boolean

sebool_tftp_home_dir

Description

By default, the SELinux boolean tftp_home_dir is disabled. If this setting is enabled, it should be disabled. To disable the tftp_home_dir SELinux boolean, run the following command:

$ sudo setsebool -P tftp_home_dir off

Rationale

Disable the tmpreaper_use_nfs SELinux Boolean

sebool_tmpreaper_use_nfs

Description

By default, the SELinux boolean tmpreaper_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the tmpreaper_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P tmpreaper_use_nfs off

Rationale

Disable the tmpreaper_use_samba SELinux Boolean

sebool_tmpreaper_use_samba

Description

By default, the SELinux boolean tmpreaper_use_samba is disabled. If this setting is enabled, it should be disabled. To disable the tmpreaper_use_samba SELinux boolean, run the following command:

$ sudo setsebool -P tmpreaper_use_samba off

Rationale

Disable the tor_bind_all_unreserved_ports SELinux Boolean

sebool_tor_bind_all_unreserved_ports

Description

By default, the SELinux boolean tor_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command:

$ sudo setsebool -P tor_bind_all_unreserved_ports off

Rationale

Disable the tor_can_network_relay SELinux Boolean

sebool_tor_can_network_relay

Description

By default, the SELinux boolean tor_can_network_relay is disabled. If this setting is enabled, it should be disabled. To disable the tor_can_network_relay SELinux boolean, run the following command:

$ sudo setsebool -P tor_can_network_relay off

Rationale

Enable the unconfined_chrome_sandbox_transition SELinux Boolean

sebool_unconfined_chrome_sandbox_transition

Description

By default, the SELinux boolean unconfined_chrome_sandbox_transition is enabled. If this setting is disabled, it should be enabled. To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command:

$ sudo setsebool -P unconfined_chrome_sandbox_transition on

Rationale

Enable the unconfined_login SELinux Boolean

sebool_unconfined_login

Description

By default, the SELinux boolean unconfined_login is enabled. If this setting is disabled, it should be enabled. To enable the unconfined_login SELinux boolean, run the following command:

$ sudo setsebool -P unconfined_login on

Rationale

Enable the unconfined_mozilla_plugin_transition SELinux Boolean

sebool_unconfined_mozilla_plugin_transition

Description

By default, the SELinux boolean unconfined_mozilla_plugin_transition is enabled. If this setting is disabled, it should be enabled. To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command:

$ sudo setsebool -P unconfined_mozilla_plugin_transition on

Rationale

Disable the unprivuser_use_svirt SELinux Boolean

sebool_unprivuser_use_svirt

Description

By default, the SELinux boolean unprivuser_use_svirt is disabled. If this setting is enabled, it should be disabled. To disable the unprivuser_use_svirt SELinux boolean, run the following command:

$ sudo setsebool -P unprivuser_use_svirt off

Rationale

Disable the use_ecryptfs_home_dirs SELinux Boolean

sebool_use_ecryptfs_home_dirs

Description

By default, the SELinux boolean use_ecryptfs_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_ecryptfs_home_dirs off

Rationale

Disable the use_fusefs_home_dirs SELinux Boolean

sebool_use_fusefs_home_dirs

Description

By default, the SELinux boolean use_fusefs_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the use_fusefs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_fusefs_home_dirs off

Rationale

Disable the use_lpd_server SELinux Boolean

sebool_use_lpd_server

Description

By default, the SELinux boolean use_lpd_server is disabled. If this setting is enabled, it should be disabled. To disable the use_lpd_server SELinux boolean, run the following command:

$ sudo setsebool -P use_lpd_server off

Rationale

Disable the use_nfs_home_dirs SELinux Boolean

sebool_use_nfs_home_dirs

Description

By default, the SELinux boolean use_nfs_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the use_nfs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_nfs_home_dirs off

Rationale

Disable the use_samba_home_dirs SELinux Boolean

sebool_use_samba_home_dirs

Description

By default, the SELinux boolean use_samba_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the use_samba_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_samba_home_dirs off

Rationale

Enable the user_exec_content SELinux Boolean

sebool_user_exec_content

Description

By default, the SELinux boolean user_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the user_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P user_exec_content on

Rationale

Disable the varnishd_connect_any SELinux Boolean

sebool_varnishd_connect_any

Description

By default, the SELinux boolean varnishd_connect_any is disabled. If this setting is enabled, it should be disabled. To disable the varnishd_connect_any SELinux boolean, run the following command:

$ sudo setsebool -P varnishd_connect_any off

Rationale

Disable the virt_read_qemu_ga_data SELinux Boolean

sebool_virt_read_qemu_ga_data

Description

By default, the SELinux boolean virt_read_qemu_ga_data is disabled. If this setting is enabled, it should be disabled. To disable the virt_read_qemu_ga_data SELinux boolean, run the following command:

$ sudo setsebool -P virt_read_qemu_ga_data off

Rationale

Disable the virt_rw_qemu_ga_data SELinux Boolean

sebool_virt_rw_qemu_ga_data

Description

By default, the SELinux boolean virt_rw_qemu_ga_data is disabled. If this setting is enabled, it should be disabled. To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command:

$ sudo setsebool -P virt_rw_qemu_ga_data off

Rationale

Disable the virt_sandbox_use_all_caps SELinux Boolean

sebool_virt_sandbox_use_all_caps

Description

By default, the SELinux boolean virt_sandbox_use_all_caps is enabled. This setting should be disabled, as containers should not run with privileges. To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_all_caps off

Rationale

Enable the virt_sandbox_use_audit SELinux Boolean

sebool_virt_sandbox_use_audit

Description

By default, the SELinux boolean virt_sandbox_use_audit is enabled. If this setting is disabled, it should be enabled to allow sandboxed containers to send audit messages. To enable the virt_sandbox_use_audit SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_audit on

Rationale

Disable the virt_sandbox_use_mknod SELinux Boolean

sebool_virt_sandbox_use_mknod

Description

By default, the SELinux boolean virt_sandbox_use_mknod is disabled. If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_mknod SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_mknod off

Rationale

Disable the virt_sandbox_use_sys_admin SELinux Boolean

sebool_virt_sandbox_use_sys_admin

Description

By default, the SELinux boolean virt_sandbox_use_sys_admin is disabled. If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command:

$ sudo setsebool -P virt_sandbox_use_sys_admin off

Rationale

Disable the virt_transition_userdomain SELinux Boolean

sebool_virt_transition_userdomain

Description

By default, the SELinux boolean virt_transition_userdomain is disabled. If this setting is enabled, it should be disabled. To disable the virt_transition_userdomain SELinux boolean, run the following command:

$ sudo setsebool -P virt_transition_userdomain off

Rationale

Disable the virt_use_comm SELinux Boolean

sebool_virt_use_comm

Description

By default, the SELinux boolean virt_use_comm is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_comm SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_comm off

Rationale

Disable the virt_use_execmem SELinux Boolean

sebool_virt_use_execmem

Description

By default, the SELinux boolean virt_use_execmem is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_execmem SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_execmem off

Rationale

Disable the virt_use_fusefs SELinux Boolean

sebool_virt_use_fusefs

Description

By default, the SELinux boolean virt_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_fusefs off

Rationale

Disable the virt_use_nfs SELinux Boolean

sebool_virt_use_nfs

Description

By default, the SELinux boolean virt_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_nfs off

Rationale

Disable the virt_use_rawip SELinux Boolean

sebool_virt_use_rawip

Description

By default, the SELinux boolean virt_use_rawip is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_rawip SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_rawip off

Rationale

Disable the virt_use_samba SELinux Boolean

sebool_virt_use_samba

Description

By default, the SELinux boolean virt_use_samba is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_samba SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_samba off

Rationale

Disable the virt_use_sanlock SELinux Boolean

sebool_virt_use_sanlock

Description

By default, the SELinux boolean virt_use_sanlock is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_sanlock SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_sanlock off

Rationale

Disable the virt_use_usb SELinux Boolean

sebool_virt_use_usb

Description

By default, the SELinux boolean virt_use_usb is enabled. This setting should be disabled. To disable the virt_use_usb SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_usb off

Rationale

Disable the virt_use_xserver SELinux Boolean

sebool_virt_use_xserver

Description

By default, the SELinux boolean virt_use_xserver is disabled. If this setting is enabled, it should be disabled. To disable the virt_use_xserver SELinux boolean, run the following command:

$ sudo setsebool -P virt_use_xserver off

Rationale

Disable the webadm_manage_user_files SELinux Boolean

sebool_webadm_manage_user_files

Description

By default, the SELinux boolean webadm_manage_user_files is disabled. If this setting is enabled, it should be disabled. To disable the webadm_manage_user_files SELinux boolean, run the following command:

$ sudo setsebool -P webadm_manage_user_files off

Rationale

Disable the webadm_read_user_files SELinux Boolean

sebool_webadm_read_user_files

Description

By default, the SELinux boolean webadm_read_user_files is disabled. If this setting is enabled, it should be disabled. To disable the webadm_read_user_files SELinux boolean, run the following command:

$ sudo setsebool -P webadm_read_user_files off

Rationale

Disable the wine_mmap_zero_ignore SELinux Boolean

sebool_wine_mmap_zero_ignore

Description

By default, the SELinux boolean wine_mmap_zero_ignore is disabled. If this setting is enabled, it should be disabled. To disable the wine_mmap_zero_ignore SELinux boolean, run the following command:

$ sudo setsebool -P wine_mmap_zero_ignore off

Rationale

Disable the xdm_bind_vnc_tcp_port SELinux Boolean

sebool_xdm_bind_vnc_tcp_port

Description

By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled. If this setting is enabled, it should be disabled. To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command:

$ sudo setsebool -P xdm_bind_vnc_tcp_port off

Rationale

Disable the xdm_exec_bootloader SELinux Boolean

sebool_xdm_exec_bootloader

Description

By default, the SELinux boolean xdm_exec_bootloader is disabled. If this setting is enabled, it should be disabled. To disable the xdm_exec_bootloader SELinux boolean, run the following command:

$ sudo setsebool -P xdm_exec_bootloader off

Rationale

Disable the xdm_sysadm_login SELinux Boolean

sebool_xdm_sysadm_login

Description

By default, the SELinux boolean xdm_sysadm_login is disabled. If this setting is enabled, it should be disabled. To disable the xdm_sysadm_login SELinux boolean, run the following command:

$ sudo setsebool -P xdm_sysadm_login off

Rationale

Disable the xdm_write_home SELinux Boolean

sebool_xdm_write_home

Description

By default, the SELinux boolean xdm_write_home is disabled. If this setting is enabled, it should be disabled. To disable the xdm_write_home SELinux boolean, run the following command:

$ sudo setsebool -P xdm_write_home off

Rationale

Disable the xen_use_nfs SELinux Boolean

sebool_xen_use_nfs

Description

By default, the SELinux boolean xen_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the xen_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P xen_use_nfs off

Rationale

Enable the xend_run_blktap SELinux Boolean

sebool_xend_run_blktap

Description

By default, the SELinux boolean xend_run_blktap is enabled. If this setting is disabled, it should be enabled. To enable the xend_run_blktap SELinux boolean, run the following command:

$ sudo setsebool -P xend_run_blktap on

Rationale

Enable the xend_run_qemu SELinux Boolean

sebool_xend_run_qemu

Description

By default, the SELinux boolean xend_run_qemu is enabled. If this setting is disabled, it should be enabled. To enable the xend_run_qemu SELinux boolean, run the following command:

$ sudo setsebool -P xend_run_qemu on

Rationale

Disable the xguest_connect_network SELinux Boolean

sebool_xguest_connect_network

Description

By default, the SELinux boolean xguest_connect_network is enabled. This setting should be disabled as guest users should not be able to configure NetworkManager. To disable the xguest_connect_network SELinux boolean, run the following command:

$ sudo setsebool -P xguest_connect_network off

Rationale

Disable the xguest_exec_content SELinux Boolean

sebool_xguest_exec_content

Description

By default, the SELinux boolean xguest_exec_content is enabled. This setting should be disabled as guest users should not be able to run executables. To disable the xguest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P xguest_exec_content off

Rationale

Disable the xguest_mount_media SELinux Boolean

sebool_xguest_mount_media

Description

By default, the SELinux boolean xguest_mount_media is enabled. This setting should be disabled as guest users should not be able to mount any media. To disable the xguest_mount_media SELinux boolean, run the following command:

$ sudo setsebool -P xguest_mount_media off

Rationale

Disable the xguest_use_bluetooth SELinux Boolean

sebool_xguest_use_bluetooth

Description

By default, the SELinux boolean xguest_use_bluetooth is enabled. This setting should be disabled, as guest users should not be able to access or use bluetooth. To disable the xguest_use_bluetooth SELinux boolean, run the following command:

$ sudo setsebool -P xguest_use_bluetooth off

Rationale

Disable the xserver_clients_write_xshm SELinux Boolean

sebool_xserver_clients_write_xshm

Description

By default, the SELinux boolean xserver_clients_write_xshm is disabled. If this setting is enabled, it should be disabled. To disable the xserver_clients_write_xshm SELinux boolean, run the following command:

$ sudo setsebool -P xserver_clients_write_xshm off

Rationale

Disable the xserver_execmem SELinux Boolean

sebool_xserver_execmem

Description

By default, the SELinux boolean xserver_execmem is disabled. If this setting is enabled, it should be disabled. To disable the xserver_execmem SELinux boolean, run the following command:

$ sudo setsebool -P xserver_execmem off

Rationale

Disable the xserver_object_manager SELinux Boolean

sebool_xserver_object_manager

Description

By default, the SELinux boolean xserver_object_manager is disabled. If this setting is enabled, it should be disabled. To disable the xserver_object_manager SELinux boolean, run the following command:

$ sudo setsebool -P xserver_object_manager off

Rationale

Disable the zabbix_can_network SELinux Boolean

sebool_zabbix_can_network

Description

By default, the SELinux boolean zabbix_can_network is disabled. If this setting is enabled, it should be disabled. To disable the zabbix_can_network SELinux boolean, run the following command:

$ sudo setsebool -P zabbix_can_network off

Rationale

Disable the zarafa_setrlimit SELinux Boolean

sebool_zarafa_setrlimit

Description

By default, the SELinux boolean zarafa_setrlimit is disabled. If this setting is enabled, it should be disabled. To disable the zarafa_setrlimit SELinux boolean, run the following command:

$ sudo setsebool -P zarafa_setrlimit off

Rationale

Disable the zebra_write_config SELinux Boolean

sebool_zebra_write_config

Description

By default, the SELinux boolean zebra_write_config is disabled. If this setting is enabled, it should be disabled. To disable the zebra_write_config SELinux boolean, run the following command:

$ sudo setsebool -P zebra_write_config off

Rationale

Disable the zoneminder_anon_write SELinux Boolean

sebool_zoneminder_anon_write

Description

By default, the SELinux boolean zoneminder_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the zoneminder_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P zoneminder_anon_write off

Rationale

Disable the zoneminder_run_sudo SELinux Boolean

sebool_zoneminder_run_sudo

Description

By default, the SELinux boolean zoneminder_run_sudo is disabled. If this setting is enabled, it should be disabled. To disable the zoneminder_run_sudo SELinux boolean, run the following command:

$ sudo setsebool -P zoneminder_run_sudo off

Rationale

Ensure No Device Files are Unlabeled by SELinux

selinux_all_devicefiles_labeled

Description

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type device_t or unlabeled_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for incorrectly labeled device files, run the following commands (the context patterns are quoted so the shell does not expand them as filename globs):

$ sudo find /dev -context '*:device_t:*' \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context '*:unlabeled_t:*' \( -type c -o -type b \) -printf "%p %Z\n"

It should produce no output in a well-configured system.

Rationale

If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file.

Confine SELinux Users To Roles That Conform To Least Privilege

selinux_confine_to_least_privilege

Description

Configure the operating system to confine SELinux users to roles that conform to least privilege. Use the following command to map the "staff_u" SELinux user to the "staff_r" and "sysadm_r" roles:

$ sudo semanage user -m staff_u -R staff_r -R sysadm_r

Use the following command to map the "user_u" SELinux user to the "user_r" role:

$ sudo semanage user -m user_u -R user_r

Rationale

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Ensure No Daemons are Unconfined by SELinux

selinux_confinement_of_daemons

Description

Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the unconfined_service_t context.

To check for unconfined daemons, run the following command:

$ sudo ps -eZ | grep "unconfined_service_t"

It should produce no output in a well-configured system.
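The two checks above (unlabeled device files and unconfined daemons) both come down to filtering labeled command output by the type field of the SELinux context. The script below is an added example, not ComplianceAsCode's own check content: it reads the output that `find -printf "%p %Z\n"` or `ps -eZ` would produce on standard input, so it can be exercised here on constructed sample listings without root or a SELinux host, and the same filter functions can be fed the live commands on a real system.

```shell
#!/bin/sh
# Added example (not part of the ComplianceAsCode rule text). Both filters read
# the labeled listing on stdin and print only the offending entries, so an empty
# result means the rule passes.

# Print device files whose context type is device_t or unlabeled_t.
# Input lines: "<path> <user>:<role>:<type>:<level>", as printed by
#   find /dev \( -type c -o -type b \) -printf "%p %Z\n"
mislabeled_devices() {
    awk '{
        # the third colon-separated field of the context is the type
        n = split($2, ctx, ":")
        if (n >= 3 && (ctx[3] == "device_t" || ctx[3] == "unlabeled_t"))
            print $0
    }'
}

# Print processes running in the unconfined_service_t domain.
# Input: output of `ps -eZ` (context in column 1, command in the last column);
# the header line is skipped.
unconfined_daemons() {
    awk 'NR > 1 {
        n = split($1, ctx, ":")
        if (n >= 3 && ctx[3] == "unconfined_service_t")
            print $1, $NF
    }'
}

# Constructed sample of find output (not taken from a real host).
sample_dev_listing() {
    cat <<'EOF'
/dev/null system_u:object_r:null_device_t:s0
/dev/sda system_u:object_r:fixed_disk_device_t:s0
/dev/mydev system_u:object_r:device_t:s0
/dev/foo0 system_u:object_r:unlabeled_t:s0
EOF
}

# Constructed sample of `ps -eZ` output (not taken from a real host).
sample_ps_listing() {
    cat <<'EOF'
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?     00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 930 ?   00:00:01 mydaemon
EOF
}

# Number of findings in each sample; a compliant host yields 0 for both.
count_mislabeled_devices() { sample_dev_listing | mislabeled_devices | wc -l | tr -d ' '; }
count_unconfined_daemons() { sample_ps_listing | unconfined_daemons | wc -l | tr -d ' '; }

# On a real host, pipe the live commands through the same filters:
#   sudo find /dev \( -type c -o -type b \) -printf "%p %Z\n" | mislabeled_devices
#   sudo ps -eZ | unconfined_daemons
```

Against the constructed samples the device filter reports /dev/mydev and /dev/foo0 and the process filter reports mydaemon; on a well-configured system both filters print nothing.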

Rationale

Daemons which run with the unconfined_service_t context may cause AVC denials, or allow privileges that the daemon does not require.

Elevate The SELinux Context When An Administrator Calls The Sudo Command

selinux_context_elevation_for_sudo

Description

Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the /etc/sudoers.d directory with the following command:

$ sudo visudo -f /etc/sudoers.d/CUSTOM_FILE

Use the following example to build the CUSTOM_FILE in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:

%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Rationale

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Ensure SELinux is Not Disabled

selinux_not_disabled

Description

The SELinux state should be set to enforcing or permissive at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing or permissive mode:

SELINUX=enforcing
OR
SELINUX=permissive

Rationale

Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux controls without a system reboot. It also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

Configure SELinux Policy

selinux_policytype

Description

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=$var_selinux_policy_name

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to $var_selinux_policy_name.

Ensure SELinux State is Enforcing

selinux_state

Description

The SELinux state should be set to $var_selinux_state at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=$var_selinux_state
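The three rules selinux_not_disabled, selinux_policytype and selinux_state all evaluate the same two assignments in /etc/selinux/config. The script below is an added example, not ComplianceAsCode's own check or remediation content: it extracts the effective SELINUX and SELINUXTYPE values (ignoring comment lines and letting a later assignment override an earlier one) and evaluates each rule against expected values that stand in for $var_selinux_state and $var_selinux_policy_name. The sample config files are constructed in a temporary directory so the check runs on any system without touching /etc.

```shell
#!/bin/sh
# Added example (not part of the rule text): evaluate the SELinux config rules
# against a config-style file.

# Print the last uncommented assignment of KEY in FILE, whitespace stripped.
config_value() {   # usage: config_value FILE KEY
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1)
            if ($1 != key) next
            val = $2
            sub(/#.*/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            found = val
        }
        END { if (found != "") print found }' "$1"
}

# selinux_not_disabled: SELINUX must be enforcing or permissive.
selinux_not_disabled() {   # usage: selinux_not_disabled FILE
    case "$(config_value "$1" SELINUX)" in
        enforcing|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_state: SELINUX must equal the expected state (stands in for var_selinux_state).
selinux_state_ok() {   # usage: selinux_state_ok FILE EXPECTED
    [ "$(config_value "$1" SELINUX)" = "$2" ]
}

# selinux_policytype: SELINUXTYPE must equal the expected policy
# (stands in for var_selinux_policy_name).
selinux_policytype_ok() {   # usage: selinux_policytype_ok FILE EXPECTED
    [ "$(config_value "$1" SELINUXTYPE)" = "$2" ]
}

# Constructed sample configs written to a temp dir (assumption: never /etc).
# Prints the directory so callers can reach "$dir/good" and "$dir/bad".
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted
EOF
    cat > "$dir/bad" <<'EOF'
#SELINUX=enforcing
SELINUX=permissive
SELINUX=disabled
SELINUXTYPE=mls
EOF
    echo "$dir"
}

# Evaluate all three rules for one file: one PASS/FAIL line per rule,
# non-zero return if any rule failed.
audit_selinux_config() {   # usage: audit_selinux_config FILE EXPECTED_STATE EXPECTED_POLICY
    rc=0
    selinux_not_disabled "$1" && echo "PASS selinux_not_disabled" \
        || { echo "FAIL selinux_not_disabled"; rc=1; }
    selinux_state_ok "$1" "$2" && echo "PASS selinux_state" \
        || { echo "FAIL selinux_state"; rc=1; }
    selinux_policytype_ok "$1" "$3" && echo "PASS selinux_policytype" \
        || { echo "FAIL selinux_policytype"; rc=1; }
    return $rc
}

# Real-host usage: audit_selinux_config /etc/selinux/config enforcing targeted
```

Note that the "bad" sample deliberately contains a commented-out SELINUX=enforcing and a later SELINUX=disabled after SELINUX=permissive: a check that merely greps for the string "enforcing" would pass it, while reading the last effective assignment correctly fails it.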

Rationale

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Map System Users To The Appropriate SELinux Role

selinux_user_login_roles

Description

Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t).

$ sudo semanage login -m -s sysadm_u USER

or

$ sudo semanage login -m -s staff_u USER

All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t).

$ sudo semanage login -m -s user_u USER
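The two semanage procedures on this page (the role assignments under selinux_confine_to_least_privilege and the login mappings under selinux_user_login_roles) describe the desired state but not how to verify it. The script below is an added example, not ComplianceAsCode's own check content: it parses constructed `semanage user -l` and `semanage login -l` listings (the real commands print the same column layout) and reports SELinux users missing a required role and logins whose SELinux user does not match their administrative status. The list of administrators is an input the script is given; which built-in entries (__default__, root) are skipped is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not part of the rule text): verify SELinux user roles and
# login mappings from listing output supplied on stdin.

# Print the roles of SELinux user $1 from `semanage user -l` output on stdin
# (columns: user, labeling prefix, MLS level, MLS range, then the roles).
roles_of() {
    awk -v u="$1" '$1 == u && NF >= 5 { for (i = 5; i <= NF; i++) printf "%s ", $i; print "" }' \
        | sed 's/ *$//'
}

# Succeed only if every role listed in $2 (space separated) is assigned to
# SELinux user $1.  Stdin: `semanage user -l` output.
user_has_roles() {
    have=" $(roles_of "$1") "
    for r in $2; do
        case "$have" in
            *" $r "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print "login seuser" for every login whose mapping violates the rule:
# admins (space-separated list in $1) must map to sysadm_u or staff_u,
# everyone else must map to user_u.  Stdin: `semanage login -l` output.
# Assumption: __default__ and root are reviewed separately and skipped here.
login_violations() {
    awk -v admins=" $1 " '
        NR > 1 && NF >= 3 && $1 != "__default__" && $1 != "root" {
            login = $1; seuser = $2
            if (index(admins, " " login " ") > 0)
                ok = (seuser == "sysadm_u" || seuser == "staff_u")
            else
                ok = (seuser == "user_u")
            if (!ok) print login, seuser
        }'
}

# Constructed `semanage user -l` output (not from a real host).
sample_semanage_users() {
    cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
user_u          user       s0         s0                             user_r
EOF
}

# Constructed `semanage login -l` output (not from a real host); alice and bob
# are the designated administrators in the usage below.
sample_semanage_logins() {
    cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *
bob                  staff_u              s0-s0:c0.c1023       *
carol                user_u               s0                   *
dave                 unconfined_u         s0-s0:c0.c1023       *
erin                 staff_u              s0-s0:c0.c1023       *
EOF
}

# On a real host: sudo semanage login -l | login_violations "alice bob"
#                 sudo semanage user -l  | user_has_roles staff_u "staff_r sysadm_r"
```

Run against the samples, login_violations reports dave (an ordinary user left unconfined) and erin (a non-administrator holding the staff_u mapping), while carol passes; the role check confirms staff_u carries both staff_r and sysadm_r and that user_u does not carry sysadm_r.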

Rationale

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.