1.3.1.6 Ensure no unconfined services exist

Information

Unconfined processes run in unconfined domains

For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them

Solution

Investigate any unconfined processes found during the audit action. If necessary create a customize SELinux policy to allow necessary actions for the service.

Warning: Knowledge about creating and configuring SELinux policies is needed. A Basic example on how to create a policy is included below.

-

Identify the unconfined service: determine the name and process of the service

-

Identify the functionality: determine if the functionality is required for operations

-

Create or add to the custom allow list in the SELinux policy configuration

Example SELinux policy configuration: service_allowlist_policy.te

# Example SELinux policy configuration for allowing access to specific actions and resources for a service

module my_service 1.0;

require {
type my_service_t;
type system_resource_t;
class file { read write execute };
class dir { read write add_name };
class tcp_socket name_connect;
}

allow my_service_t system_resource_t:file { read write execute }; # Allow my_service_t to read, write, and execute files with the system_resource_t context

allow my_service_t system_resource_t:dir { read write add_name }; # Allow my_service_t to read and write to directories with the system_resource_t context

allow my_service_t system_resource_t:tcp_socket name_connect; # Allow my_service_t to establish TCP connections <xhtml:ol start="4"> - Compile the policy

# checkmodule -M -, -o service_allowlist_policy.mod service_allowlist_policy.te <xhtml:ol start="5"> - Create the package

# semodule_package -o service_allowlist_policy.pp -m service_allowlist_policy.mod <xhtml:ol start="6"> - Load the policy

# semodule -i service_allowlist_policy.pp <xhtml:ol start="7"> - Apply the policy to the service

# chcon -t se service_allowlist_policy /path/to/service_binary

Impact:

Confining a service that inherently requires unconfined access to function may disrupt its intended operations. This restriction may lead to downtime, degraded performance, or loss in functionality. It is crucial to analyze and adjust SELinux policies in accordance with site security policies and operational requirements.

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.2

Plugin: Unix

Control ID: c7adab52b665f2ba3a8d07b26cb0dbb6f06f888066ceb570ea4d2bb03d0b1d2e