Configure SELinux - Part 3
Ensure SELinux policy is configured
Overview:
Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.
Why:
Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.
Audit:
Run the following commands and ensure output matches “default” or “mls”:
# grep SELINUXTYPE= /etc/selinux/config
SELINUXTYPE=default
# sestatus
Policy from config file: default
Fix:
Edit the /etc/selinux/config file to set the SELINUXTYPE parameter:
SELINUXTYPE=default
Ensure no unconfined daemons exist
Overview:
Daemons that are not defined in SELinux policy will inherit the security context of their parent process.
Why:
Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires.
Audit:
Run the following command and verify no output is produced:
ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
Fix:
Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
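The two audit steps above (policy type in /etc/selinux/config and initrc_t processes in ps -eZ output) as functions that can be exercised offline. This is an added example, not part of the benchmark text; the config and ps samples are constructed, and the initrc_t check compares the type field of the user:role:type:level label exactly rather than grepping "initrc" anywhere in the line.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: offline-testable versions of the
# two audit checks. The inputs below are constructed samples; on a live host feed
# the functions "$(cat /etc/selinux/config)" and "$(ps -eZ)" instead.

# check_policy_type CONFIG_TEXT
# Prints the effective SELINUXTYPE (last assignment wins, comments ignored)
# and returns 0 only when it is "default" or "mls", as the benchmark requires.
check_policy_type() {
    sel_type=$(printf '%s\n' "$1" \
        | sed -n 's/^SELINUXTYPE=[[:space:]]*\([A-Za-z_-]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "$sel_type"
    case "$sel_type" in
        default|mls) return 0 ;;
        *)           return 1 ;;
    esac
}

# unconfined_daemons PS_EZ_TEXT
# Prints the command name of every process whose context type field is
# initrc_t. The label is split on ":" (user:role:type:level) and the type is
# compared exactly; the audit pipeline's own helper tools are skipped as in
# the original command.
unconfined_daemons() {
    printf '%s\n' "$1" | awk '
        NR > 1 {                       # skip the ps header line
            split($1, ctx, ":")        # ctx[3] is the SELinux type
            if (ctx[3] == "initrc_t" && $NF !~ /^(tr|ps|egrep|bash|awk)$/)
                print $NF
        }'
}

# Constructed sample inputs
SAMPLE_CONFIG='# Constructed sample of /etc/selinux/config
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=default'

SAMPLE_PS='LABEL                                       PID TTY      TIME CMD
system_u:system_r:init_t:s0                   1 ?    00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023     800 ?    00:00:00 sshd
system_u:system_r:initrc_t:s0               912 ?    00:00:00 legacyd
unconfined_u:unconfined_r:unconfined_t:s0  1500 pts/0 00:00:00 bash
system_u:system_r:initrc_t:s0              1601 pts/0 00:00:00 ps'

echo "Configured policy type: $(check_policy_type "$SAMPLE_CONFIG")"
echo "Unconfined (initrc_t) daemons:"
unconfined_daemons "$SAMPLE_PS"      # prints: legacyd
```

Any name printed by unconfined_daemons is a candidate for the Fix step above: assign an existing context or build a policy module for it.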