mediumaccess-controlunverified
Ensure non-privileged users are confined by SELinux user mapping
selinux-user-mapping · RHEL ≥ 8 · 1 impl
Description
Linux accounts must map to appropriate SELinux users (administrators to staff_u/sysadm_u, non-administrators to user_u) so non-privileged users are confined and cannot execute privileged functions.
Rationale
A regular account mapped to unconfined_u is not restricted by SELinux and can perform privileged actions, defeating mandatory access control.
Check → Remediate
Checkcommand
command -v semanage >/dev/null 2>&1 || { echo "NOT APPLICABLE: semanage not available"; exit 0; }
# The default __default__ login must not map ordinary users to unconfined_u.
def=$(semanage login -l 2>/dev/null | awk '$1=="__default__"{print $2}')
if [ -n "$def" ] && [ "$def" = "unconfined_u" ]; then
echo "FAIL: __default__ login maps to unconfined_u (non-privileged users unconfined)"
exit 1
fi
echo "OK: __default__ SELinux login is $def (review individual mappings against the authorized-user list)"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Map users to appropriate SELinux users, e.g.: semanage login -a -s user_u <username> and set a confined default if required: semanage login -m -s user_u __default__ The authorized administrator list is site-defined.
Framework references
STIG
V-254520 / RHEL-08-040400
NIST 800-53
AC-6(10)
#selinux#user-mapping#semanage#confinement#stig