Chapter 6. Applying security policies

During the in-place upgrade process, certain security policies must remain disabled. Furthermore, RHEL 8 introduces a new concept of system-wide cryptographic policies and also security profiles might contain changes between major releases. This section guides you when securing your upgraded RHEL systems.

6.1. Changing SELinux mode to enforcing

During the in-place upgrade process, the Leapp utility sets SELinux mode to permissive. When the system is successfully upgraded, you have to manually change SELinux mode to enforcing.



  1. Ensure that there are no SELinux denials, for example, by using the ausearch utility:

    # ausearch -m AVC,USER_AVC -ts boot

    Note that the previous step covers only the most common scenario. To check for all possible SELinux denials, see the Identifying SELinux denials section in the Using SELinux title, which provides a complete procedure.

  2. Open the /etc/selinux/config file in a text editor of your choice, for example:

    # vi /etc/selinux/config
  3. Configure the SELINUX=enforcing option:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
  4. Save the change, and restart the system:

    # reboot

Verification steps

  1. After the system restarts, confirm that the getenforce command returns Enforcing:

    $ getenforce

6.2. Setting system-wide cryptographic policies

Crypto policies is a system component that configures the core cryptographic subsystems, covering the TLS, IPSec, SSH, DNSSec, and Kerberos protocols.

After a successful installation or an in-place upgrade process, the system-wide cryptographic policy is automatically set to DEFAULT. The DEFAULT system-wide cryptographic policy level offers secure settings for current threat models.

To view or change the current system-wide cryptographic policy, use the update-crypto-policies tool:

$ update-crypto-policies --show

For example, the following command switches the system-wide crypto policy level to FUTURE, which should withstand any near-term future attacks:

# update-crypto-policies --set FUTURE
Setting system policy to FUTURE

RHEL 8.2 also introduces customization of system-wide cryptographic policies. For details, see the Customizing system-wide cryptographic policies with policy modifiers and Creating and setting a custom system-wide cryptographic policy sections.

Additional resources

6.3. Remediating the system to a security baseline

The OpenSCAP suite provides remediations to make your system compliant with security baselines, such as PCI-DSS, OSPP, or ACSC E8. Use the steps in the following procedure for changing your system settings to conform with the PCI-DSS profile.


Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.


  • The scap-security-guide package is installed on your RHEL 8 system.


  1. Use the oscap command with the --remediate option:

    # oscap xccdf eval --profile pci-dss --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

    You can replace pci-dss in the previous example by a profile required by your scenario.

  2. Restart your system:

    # reboot

Verification steps

  1. Evaluate the system of how it complies with the PCI-DSS profile, and save results to the pcidss_report.html file:

    $ oscap xccdf eval --report pcidss_report.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources