Chapter 8. Applying security policies


During the in-place upgrade process, the Leapp utility must switch the SELinux policy to permissive mode. Furthermore, security profiles might contain changes between major releases.

To restore system security, switch SELinux to enforcing mode again. You might also want to remediate the system to be compliant with a specific security profile. Also, some security-related components require pre-update steps for a correct upgrade.

The in-place upgrade process preserves the system-wide cryptographic policy you used in RHEL 9. Custom cryptographic policies are also preserved across the in-place upgrade.

8.1. Changing SELinux mode to enforcing

During the in-place upgrade process, the Leapp utility sets SELinux mode to permissive. After you finish the system upgrade, you must manually change SELinux mode to enforcing.

Prerequisites

Procedure

  1. Ensure that there are no SELinux denials, for example, by using the ausearch utility:

    # ausearch -m AVC,USER_AVC -ts boot

    Note that the previous step covers only the most common scenario. To check for all possible SELinux denials, see the Identifying SELinux denials section in the Using SELinux title, which provides a complete procedure.

  2. Open the /etc/selinux/config file in a text editor of your choice, for example:

    # vi /etc/selinux/config
  3. Configure the SELINUX=enforcing option:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
  4. Save the change, and restart the system:

    # reboot

Verification

  1. After the system restarts, confirm that the getenforce command returns Enforcing:

    $ getenforce
    Enforcing
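The four procedure steps and the verification above, collected into POSIX shell functions. This is an added example, not part of the Red Hat documentation. The config file path is a parameter (defaulting to /etc/selinux/config) so the edit can be exercised on a copy, and the `SELINUX_APPLY=1` guard is this example's own convention for making the file side-effect free unless an operator deliberately runs it as root on the upgraded host.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): the post-upgrade SELinux
# procedure as shell functions. The config file path is a parameter so the edit
# can be tested on a copy; it defaults to /etc/selinux/config.
set -eu

# Step 1: count AVC/USER_AVC records logged since boot. A non-zero count means
# there are denials to investigate before switching to enforcing.
check_denials() {
    # ausearch prints "<no matches>" on stderr and exits non-zero when nothing is found;
    # grep -c still prints 0 in that case, so the caller always gets a number.
    ausearch -m AVC,USER_AVC -ts boot 2>/dev/null | grep -cE '^type=(USER_)?AVC' || true
}

# Steps 2-3: set SELINUX=enforcing in the config file without disturbing the
# commented explanation lines or SELINUXTYPE. Safe to run repeatedly.
set_enforcing() {
    cfg="${1:-/etc/selinux/config}"
    if grep -q '^SELINUX=' "$cfg"; then
        sed -i 's/^SELINUX=.*/SELINUX=enforcing/' "$cfg"
    else
        printf 'SELINUX=enforcing\n' >> "$cfg"
    fi
}

# Verification helper: returns 0 when the file requests enforcing mode at next boot.
config_is_enforcing() {
    grep -q '^SELINUX=enforcing$' "${1:-/etc/selinux/config}"
}

# Step 4 plus verification: refuse to proceed while denials are outstanding,
# then edit the file and reboot. After the reboot, `getenforce` must print Enforcing.
apply_enforcing() {
    cfg="${1:-/etc/selinux/config}"
    denials=$(check_denials)
    if [ "$denials" -ne 0 ]; then
        echo "refusing: $denials AVC records since boot, review them first" >&2
        return 1
    fi
    set_enforcing "$cfg"
    config_is_enforcing "$cfg"
    echo "config now requests enforcing mode; rebooting, then check 'getenforce'"
    reboot
}

# SELINUX_APPLY=1 is this example's guard: sourcing the file defines the functions
# only; running it as root with the guard set performs the actual change.
if [ "${SELINUX_APPLY:-0}" = 1 ]; then
    apply_enforcing "${1:-/etc/selinux/config}"
fi
```

The denial check is deliberately a hard stop rather than a warning: switching to enforcing with unresolved AVCs is how services stop working after the reboot, and the denials are far easier to triage while the system is still permissive.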

To get a fully hardened system after a successful upgrade to RHEL 10, you can use automated remediation provided by the OpenSCAP suite.

OpenSCAP remediations align your system with security baselines, such as PCI-DSS, OSPP, or ACSC Essential Eight. The configuration compliance recommendations differ among major versions of RHEL due to the evolution of the security offering.

When upgrading a hardened RHEL 9 system, the Leapp tool does not provide direct means to retain the full hardening. Depending on the changes in the component configuration, the system might diverge from the recommendations for RHEL 10 during the upgrade.

Note

You cannot use the same SCAP content for scanning RHEL 9 and RHEL 10. Update the management platforms if the compliance of the system is managed by tools such as Red Hat Satellite or Red Hat Lightspeed.

As an alternative to automated remediations, you can make the changes manually by following an OpenSCAP-generated report. For information about generating a compliance report, see Scanning the system for configuration compliance.

Important

Automated remediations support RHEL systems in the default configuration. Because the system configuration has been altered after the upgrade, running automated remediations might not make the system fully compliant with the required security profile. You might need to fix some requirements manually.

The following example procedure hardens your system settings according to the PCI-DSS profile.

Prerequisites

  • The scap-security-guide package is installed on your RHEL 10 system.

Procedure

  1. Find the appropriate security compliance data stream .xml file:

    $ ls /usr/share/xml/scap/ssg/content/
    …
    ssg-rhel10-ds.xml
    …

    See the Viewing profiles for configuration compliance section for more information.

  2. Remediate the system according to the selected profile from the appropriate data stream:

    # oscap xccdf eval --profile <profile_ID> --remediate /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <profile_ID> with the ID of the profile according to which you want to harden your system. For a full list of profiles supported in RHEL 10, see SCAP Security Guide profiles supported in RHEL 10.

    Warning

    If not used carefully, running the system evaluation with the --remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

  3. Restart your system:

    # reboot

Verification

  1. Verify that the system is compliant with the profile, and save the results in an HTML file:

    $ oscap xccdf eval --report pcidss_report.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
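The remediation procedure above, wrapped in a script that adds what the Warning implies a practitioner wants around `--remediate`: a preflight check that the data stream and profile exist, a baseline scan written to disk before anything is changed, and a rescan afterwards so the before/after failing-rule counts are visible. This is an added example, not Red Hat's tooling. `SSG_DIR`, `OSCAP_APPLY`, the `before`/`after` file names and the `count_results` helper are this example's own conventions; the exit codes it interprets (0 all rules pass, 2 at least one rule fails, 1 error) are oscap's documented behaviour.

```shell
#!/bin/sh
# Added example (not Red Hat's code): wrap `oscap xccdf eval --remediate` with a
# preflight check, a baseline scan before remediation and a rescan afterwards.
# SSG_DIR, OSCAP_APPLY and the before/after file names are this example's conventions.
set -eu

SSG_DIR="${SSG_DIR:-/usr/share/xml/scap/ssg/content}"
DS="${DS:-$SSG_DIR/ssg-rhel10-ds.xml}"

# Returns 0 when the data stream is readable and `oscap info` lists the profile,
# 1 when the file is missing, 2 when the short profile ID (e.g. pci-dss) is not in it.
preflight() {
    ds="$1"; profile="$2"
    [ -r "$ds" ] || return 1
    oscap info "$ds" 2>/dev/null | grep -q "profile_${profile}\$" || return 2
}

# Count results of one kind (pass, fail, notapplicable, ...) in an XCCDF results
# file written with --results. Works whether or not elements carry the xccdf: prefix.
count_results() {
    kind="$1"; results="$2"
    grep -oE "<(xccdf:)?result>${kind}</(xccdf:)?result>" "$results" | wc -l | tr -d ' '
}

# Evaluate only. oscap exits 0 when all rules pass, 2 when some fail, 1 on error;
# the first two are successful scans, so the function returns 0 for them.
scan() {
    ds="$1"; profile="$2"; tag="$3"
    rc=0
    oscap xccdf eval --profile "$profile" --results "$tag.xml" --report "$tag.html" "$ds" || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}

# Same evaluation with --remediate. oscap offers no way to undo these changes,
# so main only calls this once the baseline results are on disk.
remediate() {
    ds="$1"; profile="$2"
    rc=0
    oscap xccdf eval --profile "$profile" --remediate --results remediation.xml "$ds" || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}

main() {
    profile="${1:-pci-dss}"
    rc=0; preflight "$DS" "$profile" || rc=$?
    case "$rc" in
        1) echo "data stream $DS not readable; is scap-security-guide installed?" >&2; return 1 ;;
        2) echo "profile $profile not found in $DS; check 'oscap info $DS'" >&2; return 1 ;;
    esac
    scan "$DS" "$profile" before
    echo "baseline: $(count_results fail before.xml) failing rules (see before.html)"
    remediate "$DS" "$profile"
    scan "$DS" "$profile" after
    echo "after remediation: $(count_results fail after.xml) failing rules (see after.html)"
    echo "reboot, rescan, and fix any rules that still fail by hand"
}

# OSCAP_APPLY=1 is this example's guard: without it the file only defines functions.
if [ "${OSCAP_APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

Keeping before.xml and before.html is the closest thing to the revert capability the Warning says oscap does not provide: the baseline report shows exactly which rules were changed by remediation, which is what you need when a remediated setting breaks a service on a system that was not in the default configuration.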
© 2026 Red Hat