Ensure SELinux is Not Disabled

Classification:

compliance


Description

The SELinux state should be set to enforcing or permissive at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing or permissive mode:

SELINUX=enforcing

OR

SELINUX=permissive

Rationale

Running SELinux in disabled mode is strongly discouraged. While SELinux is disabled, its controls cannot be enforced without a system reboot, and persistent objects such as files receive no SELinux labels, which makes enabling SELinux later difficult.
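The rule above is satisfied by the boot-time setting in /etc/selinux/config, not by the running state. The following audit script is an added example and is not part of the original rule or the remediation that follows. It reads a config-style file and reports whether the boot-time state is enforcing or permissive. Its parsing choices are assumptions that mirror what the remediation rewrites: the SELINUX= tag is matched case-insensitively at the start of a line, the value is compared case-insensitively, and more than one uncommented SELINUX= line is reported as "ambiguous" (the playbook deduplicates those). The sample files are constructed in a temporary directory; the real /etc/selinux/config is never touched.

```shell
#!/bin/sh
# Added audit example; not part of the original rule, the SCAP content, or its remediation.

# Print the effective boot-time value found in the file given as $1:
# enforcing / permissive / disabled, "unset" when no SELINUX= line or no file exists,
# "ambiguous" when several uncommented SELINUX= lines are present.
selinux_config_state() {
    matches="$(grep -i '^SELINUX=' "$1" 2>/dev/null)" || { printf 'unset\n'; return 0; }
    if [ "$(printf '%s\n' "$matches" | grep -c .)" -gt 1 ]; then
        printf 'ambiguous\n'
        return 0
    fi
    # Strip the tag, surrounding whitespace, and normalise the case of the value.
    printf '%s\n' "$matches" | sed 's/^[^=]*=//' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# Exit status 0 when the file is compliant with this rule, 1 otherwise.
check_selinux_not_disabled() {
    case "$(selinux_config_state "$1")" in
        enforcing|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict that also shows the running state from getenforce when the
# libselinux tools are installed. A runtime of "Disabled" only changes with a reboot,
# which is why the boot-time file is what this rule checks.
report_selinux() {
    boot="$(selinux_config_state "$1")"
    if check_selinux_not_disabled "$1"; then verdict=PASS; else verdict=FAIL; fi
    runtime="$(getenforce 2>/dev/null || echo unavailable)"
    printf '%s boot=%s runtime=%s\n' "$verdict" "${boot:-empty}" "$runtime"
}

# Constructed sample files (assumed content, written only to a temporary directory).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '# This file controls the state of SELinux on the system.\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' \
    > "$SAMPLE_DIR/enforcing.conf"
printf 'SELINUX=Disabled\nSELINUXTYPE=targeted\n' > "$SAMPLE_DIR/disabled.conf"
# Two live SELINUX= lines plus a commented one: the comment is ignored, the rest is ambiguous.
printf 'SELINUX=enforcing\n#SELINUX=disabled\nselinux=disabled\n' > "$SAMPLE_DIR/duplicate.conf"
printf 'SELINUXTYPE=targeted\n' > "$SAMPLE_DIR/unset.conf"

for name in enforcing disabled duplicate unset; do
    printf '%-16s ' "$name.conf:"
    report_selinux "$SAMPLE_DIR/$name.conf"
done
```

Run it as a normal user to see the four verdicts; to audit a real host, call report_selinux /etc/selinux/config instead of the sample files. A FAIL with runtime=Disabled is exactly the case the Warning section describes: the file can be corrected now, but the running state only changes after a reboot and a filesystem relabel.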

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    if [ -e "/etc/selinux/config" ] ; then
        # Remove every existing SELINUX= line (matched case-insensitively) so that
        # only the value appended below remains
        LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
    else
        touch "/etc/selinux/config"
    fi
    # make sure file has newline at the end
    sed -i -e '$a\' "/etc/selinux/config"

    cp "/etc/selinux/config" "/etc/selinux/config.bak"
    # Insert at the end of the file
    printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config"
    # Clean up after ourselves.
    rm "/etc/selinux/config.bak"

    # Files are not labeled while SELinux is disabled: schedule a full relabel
    # for the next boot and relabel the filesystem now as well
    fixfiles onboot
    fixfiles -f relabel

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure SELinux is Not Disabled
  block:

    - name: Check for duplicate values
      lineinfile:
        path: /etc/selinux/config
        create: false
        regexp: ^SELINUX=
        state: absent
      check_mode: true
      changed_when: false
      register: dupes

    - name: Deduplicate values from /etc/selinux/config
      lineinfile:
        path: /etc/selinux/config
        create: false
        regexp: ^SELINUX=
        state: absent
      when: dupes.found is defined and dupes.found > 1

    - name: Insert correct line to /etc/selinux/config
      lineinfile:
        path: /etc/selinux/config
        create: true
        regexp: ^SELINUX=
        line: SELINUX=permissive
        state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-86151-8
    - high_severity
    - low_complexity
    - low_disruption
    - reboot_required
    - restrict_strategy
    - selinux_not_disabled

Warning

If SELinux is “disabled”, the automated remediation adopts a more conservative approach and sets it to “permissive” in order to avoid any system disruption and to give the administrator the opportunity to assess the impact and the necessary effort before setting it to “enforcing”, which is strongly recommended.