{"description": "The SELinux targeted policy is appropriate for\ngeneral-purpose desktops and servers, as well as systems in many other roles.\nTo configure the system to use this policy, add or correct the following line\nin /etc/selinux/config:\nSELINUXTYPE=
\nOther policies, such as mls, provide additional security labeling\nand greater confinement but are not compatible with many general-purpose\nuse cases.", "rationale": "Setting the SELinux policy to targeted or a more specialized policy\nensures the system will confine processes that are likely to be\ntargeted for exploitation, such as network or system services.\n
\nNote: During the development or debugging of SELinux modules, it is common to\ntemporarily place non-production systems in permissive mode. In such\ntemporary cases, SELinux policies should be developed, and once work\nis completed, the system should be reconfigured to\n.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "3", "4", "5", "6", "8", "9"], "cobit5": ["APO01.06", "APO11.04", "APO13.01", "BAI03.05", "DSS01.05", "DSS03.01", "DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.02", "DSS06.03", "DSS06.06", "MEA02.01"], "cui": ["3.1.2", "3.7.2"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)", "164.308(a)(4)", "164.310(b)", "164.310(c)", "164.312(a)", "164.312(e)"], "isa-62443-2009": ["4.2.3.4", "4.3.3.2.2", "4.3.3.3.9", "4.3.3.4", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4", "4.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.1.1", "A.12.1.2", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.1.2", "A.13.1.3", "A.13.2.1", "A.13.2.2", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.2", "CIP-003-8 R5.3", "CIP-004-6 R2.2.3", "CIP-004-6 R2.3", "CIP-004-6 R3.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.2", "CIP-007-3 R5.3.1", "CIP-007-3 R5.3.2", "CIP-007-3 R5.3.3", "CIP-007-3 R6.5"], "nist": ["AC-3", "AC-3(3)(a)", "AU-9", "SC-7(21)"], "nist-csf": ["DE.AE-1", "ID.AM-3", "PR.AC-4", "PR.AC-5", "PR.AC-6", "PR.DS-5", "PR.PT-1", "PR.PT-3", "PR.PT-4"], "ospp": ["FMT_MOF_EXT.1"], "srg": ["SRG-OS-000445-GPOS-00199", "SRG-APP-000233-CTR-000585"], "anssi": ["R46", "R64"], "bsi": ["APP.4.4.A4", "SYS.1.6.A3", "SYS.1.6.A18", "SYS.1.6.A21"], "ism": ["1409"], "pcidss4": ["1.2.6", "1.2"]}, "control_references": {"anssi": ["R46", "R64"], "bsi": ["APP.4.4.A4", "SYS.1.6.A3", "SYS.1.6.A18", "SYS.1.6.A21"], "ism": ["1409"], "pcidss4": ["1.2.6", "1.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the loaded policy name is not \"\"", "ocil": "Verify the SELINUX on Ubuntu 22.04 is using the policy with the following command:\n\n$ sestatus | grep policy\n\nLoaded policy name: ", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use the SELINUX policy.\n\nEdit the file /etc/selinux/config and add or modify the following line:\nSELINUXTYPE=
\n\nA reboot is required for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enable the SELinux targeted policy.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enable the SELinux targeted policy.", "vuldiscussion": "Setting the SELinux policy to \"targeted\" or a more specialized policy\nensures the system will confine processes that are likely to be\ntargeted for exploitation, such as network or system services.\n\n\n\nNote: During the development or debugging of SELinux modules, it is common to\ntemporarily place non-production systems in \"permissive\" mode. In such\ntemporary cases, SELinux policies should be developed, and once work\nis completed, the system should be reconfigured to\n\"targeted\".", "checktext": "Verify the SELINUX on Ubuntu 22.04 is using the targeted policy with the following command:\n\n$ sestatus | grep policy\n\nLoaded policy name: targeted\n\nIf the loaded policy name is not \"targeted\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to use the targetd SELINUX policy.\n\nEdit the file \"/etc/selinux/config\" and add or modify the following line:\n\n SELINUXTYPE=targeted\n\nA reboot is required for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure SELinux Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux_policytype/rule.yml", "template": {"name": "key_value_pair_in_file", "vars": {"path": "/etc/selinux/config", "prefix_regex": "^", "key": "SELINUXTYPE", "xccdf_variable": "var_selinux_policy_name", "sep": "=", "sep_regex": "=", "app": "selinux", "test_correct_value": "targeted", "test_wrong_value": "mls"}, "backends": {}}}