Hi Shawn,

> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Monday, October 7, 2013 4:40:48 AM
> Subject: Re: [PATCH] [Fedora] Introduce 'Ensure SELinux Not Disabled in
> Currently Running Kernel' rule
>
> On 10/5/13 12:07 PM, [email protected] wrote:
> > Shawn,
> >
> > If these files exist and contain '1':
> >
> > '/selinux/enforce' - RHEL 6
> > '/sys/fs/selinux/enforce' - Fedora 19
> >
> > Then SELinux is enabled and enforcing - the filesystem can only exist
> > if SELinux is enabled, the contents are the enforcement status.
>
> So then, should we update the existing SELinux OVAL to check for both
> the static /etc/selinux/config *and* runtime /selinux/enforce values?

See my reply in other post. If we want to check just proper configuration,
current rules (check if SELinux enforcing / SELinux policy targeted) are
sufficient. But if we want to check also the running system, then yes, we
should update the rules to check if SELinux is loaded and if
/selinux/enforce = 1 for RHEL-6.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
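
The static-versus-runtime distinction discussed in this thread, as an added shell example that is not part of the original e-mail or of the scap-security-guide project's OVAL content. The function names and the optional root-prefix argument (used so the check can be run against a test directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the configured SELinux mode with the running one.
# The optional first argument is a root prefix (an assumption, for testing
# against a constructed tree); leave it empty on a live host.

# Print the SELINUX= value from the static config file, or "missing".
selinux_configured() {
    cfg="${1:-}/etc/selinux/config"
    [ -r "$cfg" ] || { echo missing; return; }
    # SELINUXTYPE= does not match because '=' must follow SELINUX directly.
    val=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${val:-missing}"
}

# Print the runtime state: enforcing, permissive, unknown or disabled.
# The enforce file only exists when the SELinux filesystem is mounted,
# so its absence means SELinux is not active in the running kernel.
selinux_runtime() {
    # Fedora 19 path first, then the RHEL 6 path.
    for f in "${1:-}/sys/fs/selinux/enforce" "${1:-}/selinux/enforce"; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in
                1) echo enforcing ;;
                0) echo permissive ;;
                *) echo unknown ;;
            esac
            return
        fi
    done
    echo disabled
}

# Succeed only when both the static config and the running kernel enforce.
selinux_compliant() {
    [ "$(selinux_configured "$1")" = enforcing ] &&
        [ "$(selinux_runtime "$1")" = enforcing ]
}

echo "configured=$(selinux_configured "") runtime=$(selinux_runtime "")"
```

A host whose config file says `enforcing` but whose runtime state is `permissive` or `disabled` passes a configuration-only check and fails this combined one.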
