{"description": "The SELinux state should be set to <tt>enforcing</tt> or <tt>permissive</tt> at system boot\ntime. In the file <tt>/etc/selinux/config</tt>, add or correct the following line to configure\nthe system to boot into enforcing or permissive mode:\n<pre>SELINUX=enforcing</pre>\nOR\n<pre>SELINUX=permissive</pre>\nEnsure that all files have correct SELinux labels by running:\n<pre>fixfiles onboot</pre>\nThen reboot the system.", "rationale": "Running SELinux in disabled mode is strongly discouraged. In disabled mode, SELinux\ncontrols cannot be enforced without a system reboot. Disabled mode also skips labeling of persistent objects such as\nfiles, making it difficult to enable SELinux in the future.", "severity": "high", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "SELinux is disabled", "ocil": "Ensure that Ubuntu 22.04 does not disable SELinux.\n\nCheck if \"SELinux\" is active and in \"enforcing\" or \"permissive\" mode with the following command:\n\n$ sudo getenforce\nEnforcing\n-OR-\nPermissive", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enable SELinux.\n\nEdit the file <tt>/etc/selinux/config</tt> and add or modify the following line:\n<pre>SELINUX=enforcing</pre>\nOR\n<pre>SELINUX=permissive</pre>\n\nA reboot is required for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "If SELinux is \"disabled\", the automated remediation takes a more\nconservative approach and sets it to \"permissive\" in order to avoid any system disruption\nand give the administrator the opportunity to assess the impact and necessary effort\nbefore setting it to \"enforcing\", which is strongly recommended."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": 
["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure SELinux is Not Disabled", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml", "template": null}