On 10/4/13 2:55 PM, [email protected] wrote:
Jan,
Doh. The '/selinux/enforce' was RHEL 6 - for Fedora 19 - it's
'/sys/fs/selinux/enforce'
-Frank
On 10/04/2013 02:49 PM, [email protected] wrote:
Jan,
You might consider checking if the '/selinux/enforce' file exists and
the file contains '1' (1 is enforcing). That would ensure that
SELinux is enabled and enforcing the policy.
Regards,
Frank Caviggia
On 10/04/2013 01:11 PM, Jan Lieskovsky wrote:
Introduce new SELinux section of the guide and first rule
for it - check if SELinux is enabled in currently
booted kernel.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Within the OVAL:
+ <ind:textfilecontent54_test check="all"
check_existence="only_one_exists" comment="check for existence of
selinuxfs in /proc/mounts file"
id="test_ensure_selinuxfs_in_proc_mounts" version="1" >
+ <ind:object object_ref="obj_ensure_selinuxfs_in_proc_mounts" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object
id="obj_ensure_selinuxfs_in_proc_mounts" version="1">
+ <ind:filepath>/proc/mounts</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*selinuxfs\s*/sys/fs/selinux\s*selinuxfs\s*rw,relatime\s*0\s*0\s*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
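Review bot: the `<ind:pattern>` hard-codes both the mount point `/sys/fs/selinux` and the options `rw,relatime`, so this test fails on RHEL 6, where the `/proc/mounts` output further down in the thread shows selinuxfs mounted as `none /selinux selinuxfs rw,relatime 0 0`, and on any kernel that reports different mount options; matching only the filesystem type, e.g. `^\s*\S+\s+\S+\s+selinuxfs\s`, would cover both layouts. Also, as the discussion below points out, the presence of the selinuxfs mount only shows that SELinux is loaded into the kernel, not that it is enforcing; a separate OVAL object reading the `enforce` file under the mount point is needed to check the runtime mode.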
Caviggia and I were chatting earlier today... while /proc/mounts
reflects that selinux is loaded into the kernel, IIRC, it doesn't
indicate that it's actually *enforcing* on the system. This poses an
interesting challenge...
Within the RHEL6 content, we:
- Check for selinux=1 within grub
- Check for SELINUX=enforcing within /etc/selinux/config
These checks do not reflect *runtime* enablement of SELinux, but
unfortunately neither does /proc/mounts:
[shawn@SSG-RHEL6 checks]$ getenforce
Enforcing
[shawn@SSG-RHEL6 checks]$ cat /proc/mounts | grep selinux
none /selinux selinuxfs rw,relatime 0 0
[shawn@SSG-RHEL6 checks]$ sudo setenforce 0
[sudo] password for shawn:
[shawn@SSG-RHEL6 checks]$ cat /proc/mounts | grep selinux
none /selinux selinuxfs rw,relatime 0 0
Is there another crafty way to verify that selinux is *enforcing*?
Perhaps checking the value in /etc/selinux instead?
[shawn@SSG-RHEL6 self]$ cat /selinux/enforce
1
[shawn@SSG-RHEL6 self]$ sudo setenforce 0
[shawn@SSG-RHEL6 self]$ cat /selinux/enforce
0
If that's a non-reputable source of SELinux enablement, we should add an
appropriate XCCDF and OVAL rule to Fedora & RHEL streams.
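The runtime check the thread converges on, written out as an added POSIX shell example (not code from the thread or from scap-security-guide): locate the selinuxfs mount point from a mounts table instead of hard-coding it, so the same logic works for RHEL 6 (`/selinux`) and Fedora 19 (`/sys/fs/selinux`), then read the `enforce` file beneath it. The `MOUNTS_FILE` and `ROOT` parameters and the `make_fixture` helper are assumptions added so the functions can be exercised against a constructed directory tree rather than only on a live SELinux host.

```shell
#!/bin/sh
# Added example: report the runtime SELinux mode by finding the selinuxfs
# mount in a mounts table and reading <mountpoint>/enforce.
# Not part of the original thread; MOUNTS_FILE, ROOT and make_fixture are
# assumptions introduced here for offline testing.

# selinuxfs_mountpoint MOUNTS_FILE
#   Prints the mount point of the first selinuxfs entry in MOUNTS_FILE
#   (normally /proc/mounts). Exit status 1 means no selinuxfs is mounted,
#   i.e. SELinux is not loaded into the running kernel.
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# selinux_mode MOUNTS_FILE [ROOT]
#   Prints one of: disabled, permissive, enforcing.
#   ROOT (default empty) is prefixed to the mount point so the check can
#   run against a constructed tree instead of the real /sys or /selinux.
selinux_mode() {
    mounts="$1"
    root="${2:-}"
    mp=$(selinuxfs_mountpoint "$mounts") || { echo disabled; return 0; }
    enforce_file="${root}${mp}/enforce"
    # A mounted selinuxfs without a readable enforce file is treated as
    # disabled rather than guessed at.
    [ -r "$enforce_file" ] || { echo disabled; return 0; }
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo disabled ;;
    esac
}

# make_fixture DIR MOUNTPOINT VALUE
#   Writes a constructed mounts table and enforce file under DIR so the
#   functions above can be tested without a real SELinux kernel.
make_fixture() {
    dir="$1"; mp="$2"; val="$3"
    mkdir -p "$dir$mp"
    printf 'rootfs / rootfs rw 0 0\nnone %s selinuxfs rw,relatime 0 0\nproc /proc proc rw,relatime 0 0\n' \
        "$mp" > "$dir/mounts"
    printf '%s\n' "$val" > "$dir$mp/enforce"
}

# Live check against the running kernel (prints "disabled" where /proc/mounts
# has no selinuxfs entry, e.g. on a non-SELinux system).
echo "SELinux on this host: $(selinux_mode /proc/mounts)"
```

Reading `enforce` from the mount point discovered in `/proc/mounts` is what `getenforce` effectively does, so `selinux_mode` tracks `setenforce 0` immediately, unlike the `/proc/mounts` presence test or the `/etc/selinux/config` and grub checks, which only describe the configured state.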
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide