Profile Applicability:
• Level 1
Description:
Unconfined services run without SELinux policy enforcement, potentially increasing the risk of unauthorized actions or privilege escalation. Ensuring all services run confined by SELinux policies improves system security by enforcing mandatory access controls.
Rationale:
Restricting all services to run under SELinux confinement minimizes attack surfaces and limits damage from compromised services.
Impact:
Pros:
Enhances system security by enforcing SELinux confinement on all services.
Reduces risk of privilege escalation and unauthorized access.
Cons:
Some services may require policy tuning to operate correctly under confinement.
Misconfiguration could cause service failures.
Default Value:
Some services may run unconfined by default depending on system configuration.
Pre-requisites:
Root or sudo privileges to audit and modify SELinux policies and service configurations.
Remediation:
Test Plan:
Using Linux command line:
1. List running processes with their SELinux context and filter for the unconfined service domain (unconfined_service_t):
ps -eZ | grep unconfined_service
2. Also check for processes in the unconfined_t domain. Note that unconfined_t is the normal domain of interactive administrator shells (the grep pipeline itself will appear here when run from such a shell), so a match is only a finding when it is a daemon rather than a login session:
ps -eZ | grep unconfined_t
3. Verify that no critical services run unconfined; the output of step 1 should be empty.
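The audit in the test plan, as an added helper script (not part of the benchmark text). It parses ps -eZ output, compares the SELinux type field exactly so unconfined_t shells are not mistaken for unconfined_service_t daemons, and includes a constructed sample so the parsing can be exercised offline; the process names and function names are hypothetical.

```shell
#!/bin/sh
# Audit helper for the unconfined-services check. It parses `ps -eZ` output,
# matches the SELinux type field exactly, and keeps unconfined_service_t
# (daemons started without a policy module) separate from unconfined_t,
# the ordinary domain of interactive admin shells.

# Read ps -eZ style lines on stdin and print "<pid> <type> <cmd>" for each
# process whose SELinux type equals $1. The label is user:role:type:level,
# so an exact compare on the third component avoids substring false matches.
procs_in_type() {
    awk -v want="$1" '
        NR == 1 && $1 == "LABEL" { next }     # skip the ps header line
        {
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == want) print $2, ctx[3], $NF
        }'
}

# Number of processes in a given type (0 for unconfined_service_t = compliant).
count_in_type() {
    procs_in_type "$1" | wc -l | tr -d ' '
}

# Live audit of the running host: exit 1 on findings, 2 if SELinux is off.
audit_live() {
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" = "Disabled" ]; then
        echo "SELinux is disabled; confinement audit is not meaningful" >&2
        return 2
    fi
    findings=$(ps -eZ | procs_in_type unconfined_service_t)
    if [ -n "$findings" ]; then
        printf 'Unconfined services found (pid type cmd):\n%s\n' "$findings"
        return 1
    fi
    echo "OK: no processes in unconfined_service_t"
}

# Constructed sample of ps -eZ output (hypothetical processes) for offline use.
SAMPLE='LABEL                                     PID TTY      TIME CMD
system_u:system_r:init_t:s0                       1 ?    00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023         812 ?    00:00:00 sshd
system_u:system_r:unconfined_service_t:s0       950 ?    00:00:01 myagent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1203 pts/0 00:00:00 bash'

# Offline demonstration; on a real host run: ps -eZ | procs_in_type unconfined_service_t
printf '%s\n' "$SAMPLE" | procs_in_type unconfined_service_t   # 950 unconfined_service_t myagent
```

On a live host, audit_live returns non-zero whenever a daemon is found in unconfined_service_t, which makes it usable from a compliance scanner or cron job.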
Implementation Plan:
Using Linux command line:
1. Create or adjust SELinux policies to confine unconfined services.
2. Reload or restart services to apply the new SELinux contexts.
3. Audit SELinux logs for denials and adjust policies as needed.
Backout Plan:
Using Linux command line:
1. Revert the SELinux policy changes if services fail.
2. Temporarily set SELinux to permissive mode for troubleshooting:
setenforce 0
Note that setenforce 0 does not persist across a reboot, and that SELinux continues to log denials while permissive, which is useful for collecting the AVC messages needed to tune the policy.
3. Monitor system behavior and reapply the policies carefully.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
SELinux Project Documentation
Red Hat SELinux Guide