Rule ID
SV-282613r1201304_rule
Version
V1R1
CCIs
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place nonproduction systems in "permissive" mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to "targeted".
Note: At lower classification levels (CUI, Secret) where vast amounts of data are processed and a performance impact is occurring, an authorizing official can consider this requirement not applicable. Check that TOSS verifies correct operation of all security functions. Determine if "SELinux" is active and is enforcing the targeted policy using the following command: $ sudo sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 If the "Loaded policy name" is not set to "targeted", this is a finding. Verify the "/etc/selinux/config" file is configured with the "SELINUXTYPE" of "targeted": $ sudo grep -i "selinuxtype" /etc/selinux/config | grep -v '^#' SELINUXTYPE = targeted If no results are returned, or "SELINUXTYPE" is not set to "targeted", this is a finding.
Configure the operating system to verify correct operation of all security functions. Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: SELINUXTYPE=targeted Restart the system for the changes to take effect.