Configure SELinux Policy

Classification: compliance

Description

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=targeted

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_selinux_policy_name='targeted'

if [ -e "/etc/selinux/config" ] ; then
    LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config"
else
    touch "/etc/selinux/config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/selinux/config"

cp "/etc/selinux/config" "/etc/selinux/config.bak"
# Insert at the end of the file
printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
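The remediation above removes every existing SELINUXTYPE= line and appends a single correct one. The following audit helper is an added example, not part of the SCAP content or the ComplianceAsCode project; it checks a config file for the same conditions the script corrects (missing file, missing key, duplicate lines, wrong value) and takes the file path as a parameter so it can be run against constructed copies of /etc/selinux/config.

```shell
#!/bin/sh
# Added audit helper (not part of the SCAP content above). It reports whether
# an SELinux config file sets SELINUXTYPE to the expected policy, flagging the
# conditions the remediation script corrects: missing file, missing key,
# duplicate SELINUXTYPE= lines, or a value other than the expected policy.
# Usage: audit_selinux_policy_type FILE [EXPECTED_POLICY]
audit_selinux_policy_type() {
    file="$1"
    expected="${2:-targeted}"

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi

    # Match case-insensitively, mirroring the sed /I flag in the remediation.
    # grep -c exits 1 when the count is 0, so keep the substitution from failing.
    count=$(grep -ci '^SELINUXTYPE=' "$file" || true)

    if [ "$count" -eq 0 ]; then
        echo "FAIL: no SELINUXTYPE= line in $file"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $count SELINUXTYPE= lines in $file (duplicates)"
        return 1
    fi

    # Take everything after the first '=' and strip surrounding whitespace.
    value=$(grep -i '^SELINUXTYPE=' "$file" | cut -d= -f2- | tr -d '[:space:]')
    if [ "$value" != "$expected" ]; then
        echo "FAIL: SELINUXTYPE is '$value', expected '$expected'"
        return 1
    fi

    echo "PASS: SELINUXTYPE=$expected in $file"
    return 0
}

# When invoked with a path argument, audit that file (e.g. /etc/selinux/config).
if [ $# -gt 0 ]; then
    audit_selinux_policy_type "$1"
fi
```

The on-disk setting only takes effect at the next boot (the rule is tagged reboot_required); the policy currently loaded in the kernel is reported separately by sestatus.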

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_selinux_policy_name # promote to variable
  set_fact:
    var_selinux_policy_name: !!str targeted
  tags:
    - always

- name: Configure SELinux Policy
  block:

    - name: Check for duplicate values
      lineinfile:
        path: /etc/selinux/config
        create: false
        regexp: ^SELINUXTYPE=
        state: absent
      check_mode: true
      changed_when: false
      register: dupes

    - name: Deduplicate values from /etc/selinux/config
      lineinfile:
        path: /etc/selinux/config
        create: false
        regexp: ^SELINUXTYPE=
        state: absent
      when: dupes.found is defined and dupes.found > 1

    - name: Insert correct line to /etc/selinux/config
      lineinfile:
        path: /etc/selinux/config
        create: true
        regexp: ^SELINUXTYPE=
        line: SELINUXTYPE={{ var_selinux_policy_name }}
        state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-27279-9
    - DISA-STIG-RHEL-07-020220
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - NIST-800-53-AU-9
    - NIST-800-53-SC-7(21)
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
    - selinux_policytype