1.5.1.6 Ensure no unconfined services exist

Information

Unconfined processes run in unconfined domains

For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them

Solution

Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.2

Plugin: Unix

Control ID: 8f0848923c338ca5343ccb6a86aba06833e5144e221454422aa8ca111e9b6582