Ensure No Device Files are Unlabeled by SELinux
An XCCDF Rule
Description
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type device_t or unlabeled_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.
To check for incorrectly labeled device files, run the following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
These commands should produce no output on a well-configured system.
Warning
Automatic remediation of this control is not available. The remediation
can be achieved by amending SELinux policy.
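The following script is an added example and is not part of the SCAP Security Guide rule text. It wraps the check above in a reusable form: a filter that reads "path context" lines in the format produced by `find -printf "%p %Z\n"` and reports only entries whose SELinux type is device_t or unlabeled_t, plus a live mode that runs the same find over /dev. The sample listing is constructed for illustration (the device names in it are made up), so the filter can be exercised on a system without SELinux; the live check is only meaningful with SELinux enabled and root access to /dev.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide). Reports device files whose
# SELinux type is device_t or unlabeled_t, the condition this rule checks for.

# Constructed sample of "path context" lines, in the format that
# find -printf "%p %Z\n" produces. Two entries are deliberately mislabeled.
SAMPLE_DEV_LISTING='/dev/null system_u:object_r:null_device_t:s0
/dev/sda system_u:object_r:fixed_disk_device_t:s0
/dev/mydevice0 system_u:object_r:device_t:s0
/dev/tty0 system_u:object_r:tty_device_t:s0
/dev/weird1 system_u:object_r:unlabeled_t:s0'

# Read "path context" lines on stdin and print "path type" for every entry
# whose SELinux type (third field of user:role:type:level) is device_t or
# unlabeled_t. Any other type is considered correctly labeled and dropped.
report_mislabeled_devices() {
    awk '{
        n = split($2, ctx, ":")
        if (n >= 3 && (ctx[3] == "device_t" || ctx[3] == "unlabeled_t"))
            print $1 " " ctx[3]
    }'
}

# Number of mislabeled entries in the constructed sample listing.
count_mislabeled_in_sample() {
    printf '%s\n' "$SAMPLE_DEV_LISTING" | report_mislabeled_devices | wc -l | tr -d ' '
}

# Live check: same selection as the two find commands in the rule text
# (character and block devices under /dev), filtered by the function above.
# Requires an SELinux-enabled system and root to see every device node.
live_check() {
    find /dev \( -type c -o -type b \) -printf '%p %Z\n' 2>/dev/null | report_mislabeled_devices
}

if [ "${1:-}" = "--live" ]; then
    out=$(live_check)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        exit 1          # non-zero so the check can gate a compliance job
    fi
    echo "OK: no device files labeled device_t or unlabeled_t"
else
    # Default: run the filter over the constructed sample.
    printf '%s\n' "$SAMPLE_DEV_LISTING" | report_mislabeled_devices
fi
```

Run it with `--live` on a real host to get the same result as the two find commands; a non-zero exit with the offending paths printed is the signal that the SELinux policy needs a file context for those devices, matching the rule's note that remediation is a policy change rather than a relabel.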
Rationale
If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file.
- ID
- xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
- Severity
- Medium
- References
-
A.10.1.1
A.11.1.4
A.11.1.5
A.11.2.1
A.12.1.2
A.12.4.1
A.12.4.2
A.12.4.3
A.12.4.4
A.12.5.1
A.12.6.2
A.12.7.1
A.13.1.1
A.13.1.3
A.13.2.1
A.13.2.3
A.13.2.4
A.14.1.2
A.14.1.3
A.14.2.2
A.14.2.3
A.14.2.4
A.14.2.7
A.15.2.1
A.6.1.2
A.7.1.1
A.7.1.2
A.7.3.1
A.8.2.2
A.8.2.3
A.9.1.1
A.9.1.2
A.9.2.3
A.9.4.1
A.9.4.4
A.9.4.5
- Updated