10.3 Ensure the named_t Process Type is Not in Permissive Mode

Information

In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as named_t into a permissive mode as well. The permissive mode will not prevent any access or actions, instead, any actions that would have been denied are simply logged.

Rationale:

Usage of the permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of the DNS server. However, inappropriate access will not be prevented in permissive mode by SELinux.

Solution

Perform the following to implement the recommended state:

If the named_t type is in permissive mode; the customized permissive mode should be deleted with the following semanage command.

# semanage permissive -d named_t

Default Value:

The named_t type is not in permissive mode by default.

See Also

https://workbench.cisecurity.org/files/2997