← Rules Catalog
mediumaccess-controlverified

Ensure no unconfined services exist

selinux-no-unconfined-services · RHEL ≥ 8 · 1 impl

Description

No running service should be in the unconfined_service_t SELinux domain. Unconfined services run without SELinux policy restriction and defeat the mandatory-access-control protection SELinux provides.

Rationale

A service running unconfined is not constrained by SELinux policy, so a compromise of that service is not contained by the mandatory-access-control layer. Every service should run in a confined domain.

Check → Remediate

Checkcommand
n=$(ps -eZ 2>/dev/null | grep -c unconfined_service_t)
if [ "$n" -ne 0 ]; then
  echo "FAIL: $n service(s) running in unconfined_service_t"
  exit 1
fi
echo "OK: no unconfined services"
expected_exit:
0
Remediatemanual
note:
Investigate each service reported by `ps -eZ | grep unconfined_service_t` and confine it with an appropriate SELinux policy module, or remove the service if unneeded.

Framework references

CIS

rhel9 1.3.1.6rhel8 1.3.1.6rhel10 1.3.1.6

NIST 800-53

AC-6SC-3

Live verification

rhel9:check
#selinux#mandatory-access-control#services