RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
An XCCDF Rule
Description
If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.
- ID: SV-257932r1014838_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
Restore the SELinux policy for the affected device file from the system policy database using the following command:
$ sudo restorecon -v <device_path>
Substitute "<device_path>" with the path to the affected device file (from the output of the previous commands). An example device file path would be "/dev/ttyUSB0". If the output of the above command does not indicate that the device was relabeled to a more specific SELinux type label, then the SELinux policy of the system must be updated with more specific policy for the device class specified. If a package was used to install support for a device class, that package could be reinstalled using the following command:
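Added example, not part of the STIG text and not the package reinstall command referred to above: a script that lists device files whose SELinux type is still generic, relabels them with the restorecon command from the manual procedure, and reports any that remain generic afterwards. It assumes that device_t and unlabeled_t are the generic types of concern and that GNU find and stat are available on an SELinux-enabled host; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG text): audit /dev for generic SELinux labels.
# Assumption: the generic types of concern are device_t and unlabeled_t.
GENERIC_TYPES="device_t unlabeled_t"
SAMPLE='/dev/ttyUSB0 system_u:object_r:device_t:s0
/dev/null system_u:object_r:null_device_t:s0
/dev/xyz0 system_u:object_r:unlabeled_t:s0
/dev/vda system_u:object_r:device_t:s0:c0.c1023'   # constructed sample input

# Reads "<path> <context>" lines on stdin and prints the paths whose SELinux
# type (third colon-separated field of user:role:type:level) is generic.
flag_generic_labels() {
    awk -v types="$GENERIC_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) generic[t[i]] = 1 }
        NF >= 2 {
            if (split($NF, ctx, ":") < 3) next     # not a full context
            if (!(ctx[3] in generic)) next         # already a specific type
            path = $0
            sub(/ +[^ ]+$/, "", path)              # drop the context field
            print path
        }'
}

# Lists character and block devices with their contexts (GNU find, SELinux host).
list_dev_contexts() {
    find /dev \( -type c -o -type b \) -printf '%p %Z\n'
}

# Relabels one device as in the manual procedure, then reports whether the
# label is still generic, which means policy for that device class is missing.
relabel_and_recheck() {
    restorecon -v "$1"
    if printf '%s %s\n' "$1" "$(stat -c %C "$1")" | flag_generic_labels | grep -q .; then
        echo "STILL GENERIC: $1 (policy update needed)"
        return 1
    fi
    echo "OK: $1"
}

# --demo uses the constructed sample; --audit only lists; --fix needs root.
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE" | flag_generic_labels ;;
    --audit) list_dev_contexts | flag_generic_labels ;;
    --fix)   list_dev_contexts | flag_generic_labels |
                 while IFS= read -r dev; do relabel_and_recheck "$dev"; done ;;
esac
```

Run with `--audit` first; an empty result means no device file carries one of the generic types.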