{"results":[{"id":"containers-use-mcs-for-isolation","text":"SELinux uses MCS (via `container-selinux`) to isolate containers from each other.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"mcs-categories-c0-to-c1023","text":"SELinux Multi-Category Security (MCS) categories range from c0 to c1023 (1024 possible categories).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"mcs-category-labels-setrans-conf","text":"Human-readable MCS category labels are defined in `/etc/selinux/<policy>/setrans.conf` and require restarting the `mcstrans` service to take effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"mcs-not-default-for-regular-users-targeted","text":"In the `targeted` SELinux policy, MCS is not configured for regular users by default — a CIL module with `(typeattributeset mcs_constrained_type (user_t))` must be installed via `semodule -i`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"polyinstantiation-default-directories","text":"Polyinstantiated directories in SELinux isolate /tmp, /var/tmp, and home directories per-user, preventing race condition attacks and information leaks. Instance directories (/tmp-inst/, /var/tmp/tmp-inst/) hold per-user subdirectories that get bind-mounted over the shared paths.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"restorecon-f-forces-full-relabel-including-user","text":"The `-F` flag on `restorecon` forces a full relabel including the SELinux user field, not just the type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel-system-roles-key-roles","text":"Key RHEL system roles include `timesync`, `network`, `selinux`, `storage`, `firewall`, `logging`, and `kdump`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-automatable-defense-in-depth","text":"RHEL 9 defense-in-depth security (SELinux enforcing, firewalld, crypto policies, granular audit) is fully automatable at fleet scale through Ansible system roles and SELinux deployment automation (semanage export/import, fixfiles autorelabel, Ansible roles), enabling consistent security posture across hundreds of hosts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-centralized-logging-and-audit-observability","text":"RHEL 9 provides centralized observability through two complementary subsystems: the audit framework (file watches, auid login tracking, compliance rules, dedicated service management) and the logging system role (rsyslog configuration via Ansible with structured input/output/flow variable groups and SELinux-aware port management).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-closed-loop-fleet-security-operations","text":"RHEL 9 enables closed-loop fleet security operations where defense-in-depth configuration (SELinux, firewalld, crypto, audit) is automatable via Ansible system roles while continuously verifiable through audit logging, AIDE integrity monitoring, and OpenSCAP compliance scanning.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-comprehensive-security-posture","text":"RHEL 9 provides a comprehensive security posture integrating defense-in-depth hardened defaults (SELinux, firewalld, crypto policies, audit), continuous compliance monitoring (audit logging, AIDE integrity, OpenSCAP scanning), and layered authentication hardening (pam_faillock, password aging, SSH key-based auth) into a unified security architecture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-container-mcs-isolation","text":"RHEL 9 container isolation leverages the full MCS restrictive access control model: container-selinux assigns unique MCS categories per container, enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories for inter-container access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-dac-through-mac-access-control","text":"RHEL 9 implements layered access control from filesystem-level DAC (ugo/rwx permissions, setgid collaboration, hard/soft links) through SELinux MAC (Type Enforcement as primary policy, per-domain permissive mode, AVC denial logging), with DAC evaluated before MAC.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-defense-in-depth-container-isolation","text":"RHEL 9 containers operate within a defense-in-depth security stack where per-container MCS categories (assigned by container-selinux) provide inter-container isolation, layered on top of SELinux type enforcement, firewalld network controls, system-wide crypto policies, and continuous audit logging — meaning container breakout must defeat not just the container boundary but every surrounding security layer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-defense-in-depth-security-framework","text":"RHEL 9 enforces defense-in-depth through four integrated security layers: hardened defaults (SELinux enforcing, firewalld, crypto policies), granular cryptographic policy lifecycle management, layered SELinux MAC enforcement with type-based policy, and a unified audit subsystem with original-identity tracking across privilege escalation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-dual-authenticated-identity-governed-workload-lifecycle","text":"RHEL 9 workloads are governed across their full lifecycle by dual authentication (subscription for content access, Kerberos for administration) with continuous observability, from identity-authenticated provisioning (IdM/AD-enrolled systems with DNS autodiscovery) through security-governed runtime isolation (SELinux MCS, firewalld, crypto policies) — creating a closed system where no workload phase is unauthenticated, ungoverned, or unobserved.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-dual-workload-isolation-platform","text":"RHEL 9 provides dual workload isolation with distinct security models: virtual machines via the managed KVM/QEMU/libvirt stack with Cockpit web management and hardware-level isolation, and containers via Podman with MCS-enforced category-based separation where each container receives unique SELinux categories enforced after DAC and Type Enforcement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-full-lifecycle-infrastructure","text":"RHEL 9 supports full infrastructure lifecycle from image creation and automated deployment (Image Builder, Kickstart, Anaconda) through content delivery (BaseOS + AppStream repositories) to ongoing configuration management (Ansible system roles with dual naming, covering timesync, network, SELinux, storage, firewall, logging, and kdump).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-full-stack-hardware-to-data-defense","text":"RHEL 9 defense-in-depth extends from hardware-level CPU mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions) through cryptographic policy enforcement to data-at-rest protection (LUKS2/NBDE encryption and SELinux/MCS mandatory access control), ensuring no single layer's compromise alone exposes stored data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-fully-automated-fleet-security-convergence","text":"RHEL 9 fleet security configuration can converge to desired state through automation alone — Ansible system roles deploy SELinux, firewalld, crypto, and audit policy, while the audit/compliance pipeline verifies convergence — without requiring coordinated maintenance windows for any security subsystem.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":70,"limit":20,"offset":0}