mediumaccess-controlverified ✓
Ensure no unconfined services exist
selinux-no-unconfined-services · RHEL ≥ 8 · 1 impl
Description
No running service should be in the unconfined_service_t SELinux domain. Unconfined services run without SELinux policy restriction and defeat the mandatory-access-control protection SELinux provides.
Rationale
A service running unconfined is not constrained by SELinux policy, so a compromise of that service is not contained by the mandatory-access-control layer. Every service should run in a confined domain.
Check → Remediate
Checkcommand
n=$(ps -eZ 2>/dev/null | grep -c unconfined_service_t) if [ "$n" -ne 0 ]; then echo "FAIL: $n service(s) running in unconfined_service_t" exit 1 fi echo "OK: no unconfined services"
- expected_exit:
- 0
Remediatemanual
- note:
- Investigate each service reported by `ps -eZ | grep unconfined_service_t` and confine it with an appropriate SELinux policy module, or remove the service if unneeded.
Framework references
CIS
rhel9 1.3.1.6rhel8 1.3.1.6rhel10 1.3.1.6
NIST 800-53
AC-6SC-3
Live verification
rhel9:check
#selinux#mandatory-access-control#services