11.3 Ensure the httpd_t Type is Not in Permissive Mode

Information

In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as httpd_t into a permissive mode as well. The permissive mode will not prevent any access or actions, instead, any actions that would have been denied are simply logged.

Rationale:

Usage of the permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, all access is allowed in permissive mode by SELinux.

Solution

Perform the following to implement the recommended state:
If the httpd_t type is in permissive mode; the customized permissive mode should be deleted with the following semanage command.

# semanage permissive -d httpd_t

Default Value:

The httpd_t type is not in permissive mode by default.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CM-7(5), 800-53|CM-10, 800-53|MP-2, CSCv7|2.7

Plugin: Unix

Control ID: ef0e5ef9b1ee42e5d485c1164cae447cac4a3685d5b0eb6c7b4bf957ad38c11c