CME-301
SELinux (Enforcing Mode)
Description
Mandatory access control system that confines processes to least-privilege security domains. Even if a process is compromised, it cannot access files, ports, or other processes outside its policy-defined domain.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Scope (S) | C → U | Compromised process cannot escape its SELinux domain to affect other services |
| Confidentiality (C) | H → L | Process cannot read files outside its policy-allowed set |
| Integrity (I) | H → L | Process cannot modify files or resources outside its domain |
CWE Relationships
Verification
Verify SELinux is in enforcing mode
$ getenforce
# Expected: Enforcing
Platform: rhel
$ sestatus | grep 'Current mode'
# Expected: Current mode: enforcing
Platform: rhel
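Added example (not part of the original entry): a scripted form of the sestatus check above. It goes one step further than the entry by also reading the "Mode from config file" field of sestatus, so a host that is enforcing now but configured to boot into another mode is flagged. The helper name check_sestatus and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_sestatus is a hypothetical helper, not an SELinux tool.
# Reads `sestatus` output on stdin. Live use on a host: sestatus | check_sestatus
# Returns 0 = enforcing at runtime and in config, 1 = not enforcing now,
#         2 = enforcing now but the config file would change that at next boot.
check_sestatus() {
    awk -F': *' '
        /^SELinux status:/        { status  = $2 }
        /^Current mode:/          { current = $2 }
        /^Mode from config file:/ { config  = $2 }
        END {
            if (status != "enabled") {
                print "FAIL: SELinux status is " (status == "" ? "unknown" : status); exit 1
            }
            if (current != "enforcing") { print "FAIL: current mode is " current; exit 1 }
            if (config != "enforcing")  { print "WARN: config file mode is " config; exit 2 }
            print "PASS: enforcing (runtime and config file)"
        }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_ENFORCING='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'

SAMPLE_SETENFORCE_0='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

SAMPLE_CONFIG_DRIFT='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive'

SAMPLE_DISABLED='SELinux status:                 disabled'
```

The exit codes let a compliance job separate a host that fails the control now (1) from one that passes now but would not after a reboot (2).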