11.3 Ensure the httpd_t Type Is Not in Permissive Mode

Information

In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as 'httpd_t' into permissive mode as well. Permissive mode will not prevent any access or actions; instead, any actions that would have been denied are simply logged.

Rationale:

Permissive mode is helpful for testing and for ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, SELinux allows all access in permissive mode.

Solution

Perform the following to implement the recommended state:

If the 'httpd_t' type is in permissive mode, the customized permissive mode should be deleted with the following 'semanage' command.

# semanage permissive -d httpd_t
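An audit check to run before the remediation above, as an added example that is not part of the benchmark text. It assumes `semanage permissive -l` prints the two section headers shown in the constructed sample; the function names `permissive_section` and `check_domain` are hypothetical.

```shell
#!/bin/sh
# Classify a domain from `semanage permissive -l` output, so the audit can
# tell a customized permissive entry (which `semanage permissive -d` deletes)
# from one declared by the policy itself.

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING='
Builtin Permissive Types

Customized Permissive Types

httpd_t
'

# permissive_section TYPE   (listing on stdin)
# Prints "customized", "builtin" or "none".
permissive_section() {
    awk -v t="$1" '
        /^Builtin Permissive Types/    { sec = "builtin"; next }
        /^Customized Permissive Types/ { sec = "customized"; next }
        { gsub(/^[ \t]+|[ \t]+$/, "") }           # trim surrounding blanks
        $0 == t && sec != "" { found = sec; exit }  # exact match only
        END { print (found == "" ? "none" : found) }
    '
}

# check_domain TYPE   (listing on stdin)
# Returns 0 when TYPE is enforcing (compliant), 1 otherwise.
check_domain() {
    case "$(permissive_section "$1")" in
        none)
            echo "PASS: $1 is not in permissive mode"
            return 0 ;;
        customized)
            echo "FAIL: $1 is permissive; run: semanage permissive -d $1"
            return 1 ;;
        builtin)
            echo "FAIL: $1 is permissive in the policy; no customized entry to delete"
            return 1 ;;
    esac
}

# Live use (as root):  semanage permissive -l | check_domain httpd_t
```

The exact-match comparison keeps types such as `httpd_sys_script_t` from being reported as `httpd_t`.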

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: c09b90d736518360203ce7deb9f1a8fc585de16946965264cd9e2cdf80353f0c