Description

Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the unconfined_service_t context.

To check for unconfined daemons, run the following command:

$ sudo ps -eZ | grep "unconfined_service_t"

It should produce no output in a well-configured system.

Rationale

Daemons which run with the unconfined_service_t context may cause AVC denials, or allow privileges that the daemon does not require.

Warning

Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above.