On 03/16/2016 07:26 PM, Mackanick, Jason W CIV DISA RE (US) wrote:
I am here with Shawn Wells today and we would like your help in developing the requirements for a possible inclusion of SELinux requirements to be included in the RHEL7 STIG. As we move away from legacy file permissions to type enforcement, we would like to work with the community to understand security relevant configuration options such as SELinux Booleans used in operational environments. To calm any fears associated with SELinux, we are only considering targeted policy and not the MLS enablement. Shawn will be working to gather your input. Any of your input would be appreciated if we could get it by Tuesday March 22, 2016 at the end of business.
Hello Jason,
After talking with selinux crew here in Red Hat, I have learned that defaults for selinux booleans are set rather defensively. The default is always the more secure unless too generic use-case would be restricted.
There is over 300 houndred selinux booleans in Red Hat Enterprise Linux 7. I wonder where we can start. Or do you have some specific booleans in mind?
Perhaps it makes sense to go through these 300 hundreds and put them into some kind of buckets? Something like
booleans that should absolutely always be true booleans that should always be false
booleans that default to true, but operators may often need to turn them false ...
booleans that default to true, but stig advices to keep them false ...
Thoughts? ~š.