Details

In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as httpd_t into a permissive mode as well. The permissive mode will not prevent any access or actions, instead, any actions that would have been denied are simply logged.

Rationale:

Usage of the permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, all access is allowed in permissive mode by SELinux.

Solution

Perform the following to implement the recommended state:

If the httpd_t type is in permissive mode; the customized permissive mode should be deleted with the following semanage command.

# semanage permissive -d httpd_t

Default Value:

The httpd_t type is not in permissive mode by default.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3021https://workbench.cisecurity.org/files/3021

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CSCv6|14.4
• CSCv7|14.6

Source

• Tenable.com/audits