{"description": "Configure the operating system to confine SELinux users to roles that conform\nto least privilege. Use the following command to map the \"staff_u\" SELinux user\nto the \"staff_r\" and \"sysadm_r\" roles:\n<pre>$ sudo semanage user -m staff_u -R staff_r -R sysadm_r</pre>\n<br /><br />\nUse the following command to map the \"user_u\" SELinux user to the \"user_r\" role:\n<pre>$ sudo semanage -m user_u -R user_r</pre>", "rationale": "Preventing non-privileged users from executing privileged functions mitigates\nthe risk that unauthorized individuals or processes may gain unnecessary access\nto information or privileges.\n<br /><br />\nPrivileged functions include, for example,\nestablishing accounts, performing system integrity checks, or administering\ncryptographic key management activities. Non-privileged users are individuals\nwho do not possess appropriate authorizations. Circumventing intrusion detection\nand prevention mechanisms or malicious code protection mechanisms are examples\nof privileged functions that require protection from non-privileged users.", "severity": "medium", "references": {"nist": ["AC-3(4)", "AC-6(10)"], "srg": ["SRG-OS-000324-GPOS-00125"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "selinux users are not confined to least privilege", "ocil": "Verify the operating system confines SELinux users to roles that conform to least\nprivilege. Check the SELinux User list to SELinux Roles mapping by using the\nfollowing command:\n<pre>sudo semanage user -l</pre>\nThe output should look like this:\n<pre>SELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles\nguest_u            user  s0  s0  guest_r\nroot                   user  s0  s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r\nstaff_u              user  s0  s0-s0:c0.c1023  staff_r sysadm_r\nsysadm_u         user  s0  s0-s0:c0.c1023  sysadm_r\nsystem_u          user  s0  s0-s0:c0.c1023  system_r unconfined_r\nunconfined_u  user  s0  s0-s0:c0.c1023  system_r unconfined_r\nuser_u               user  s0  s0  user_r\nxguest_u           user  s0  s0  xguest_r\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Confine SELinux Users To Roles That Conform To Least Privilege", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux_confine_to_least_privilege/rule.yml", "template": null}