During a recent review, it was found that the text written did not use the
correct selinux type. This means it will not find the system problem that
the text was describing.
Signed-off-by: sgrubb <sgrubb(a)redhat.com>
---
Fedora/input/system/selinux.xml | 9 ++++-----
RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml | 10 +++++-----
RHEL/6/input/system/selinux.xml | 7 +++----
RHEL/7/input/system/selinux.xml | 5 ++---
shared/references/disa-stig-rhel6-v1r5-xccdf-manual.xml | 6 +++---
5 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/Fedora/input/system/selinux.xml b/Fedora/input/system/selinux.xml
index f0e234b..f837dba 100644
--- a/Fedora/input/system/selinux.xml
+++ b/Fedora/input/system/selinux.xml
@@ -167,17 +167,16 @@ or allow privileges that the daemon does not require.
</Rule>
<Rule id="selinux_all_devicefiles_labeled">
-<title>Ensure No Device Files are Unlabeled by SELinux</title>
+<title>Ensure No Device Files are Unknown to SELinux</title>
<description>Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
-files carry the SELinux type <tt>unlabeled_t</tt>, investigate the cause and
-correct the file's context.
+files carry the SELinux type <tt>device_t</tt>, report the bug so that policy
can be corrected. Supply information about what the device is and what programs use it.
</description>
-<ocil clause="there is output">To check for unlabeled device files, run
the following command:
+<ocil clause="there is output">To check for unknown device files, run the
following command:
<pre>$sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf
"%p %Z\n"</pre>
It should produce no output in a well-configured system.</ocil>
<rationale>
-If a device file carries the SELinux type <tt>unlabeled_t</tt>, then SELinux
+If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
cannot properly restrict access to the device file.
</rationale>
<!--oval id="selinux_all_devicefiles_labeled" /-->
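Review bot: the replacement description drops the remediation step ("investigate the cause and correct the file's context") and leaves only "report the bug", but a device node carrying the generic device_t type is not always a policy gap; it can also be a node that was simply never relabeled, and the old "investigate and correct" wording covered that case. Suggest keeping a first step along the lines of "relabel the file and, if it still carries device_t, report the bug so that policy can be corrected" before the bug-report instruction. Two smaller points in the same hunk: the `<pre>` still reads `$sudo find` (missing space after the prompt, unlike the RHEL/6 copy), and `-context *:device_t:*` is an unquoted glob that the shell may expand against the current directory; `-context '*:device_t:*'` is safer.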
diff --git a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml
b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml
index 3e99347..094225f 100644
--- a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml
+++ b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml
@@ -5,23 +5,23 @@
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>All device files in /dev should be assigned an SELinux security
context other than 'unlabeled_t'.</description>
+ <description>All device files in /dev should be assigned an SELinux security
context other than 'device_t'.</description>
</metadata>
<criteria>
- <criterion comment="unlabeled_t in /dev"
test_ref="test_selinux_all_devicefiles_labeled" />
+ <criterion comment="device_t in /dev"
test_ref="test_selinux_all_devicefiles_labeled" />
</criteria>
</definition>
- <linux:selinuxsecuritycontext_test check="none satisfy"
check_existence="any_exist" comment="unlabeled_t in /dev"
id="test_selinux_all_devicefiles_labeled" version="2">
+ <linux:selinuxsecuritycontext_test check="none satisfy"
check_existence="any_exist" comment="device_t in /dev"
id="test_selinux_all_devicefiles_labeled" version="2">
<linux:object object_ref="object_selinux_all_devicefiles_labeled" />
<linux:state state_ref="state_selinux_all_devicefiles_labeled" />
</linux:selinuxsecuritycontext_test>
- <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev"
id="object_selinux_all_devicefiles_labeled" version="1">
+ <linux:selinuxsecuritycontext_object comment="device_t in /dev"
id="object_selinux_all_devicefiles_labeled" version="1">
<linux:behaviors recurse_direction="down" />
<linux:path>/dev</linux:path>
<linux:filename operation="pattern
match">^.*$</linux:filename>
<filter
action="include">state_selinux_all_devicefiles_labeled</filter>
</linux:selinuxsecuritycontext_object>
<linux:selinuxsecuritycontext_state comment="do it"
id="state_selinux_all_devicefiles_labeled" version="1">
- <linux:type datatype="string"
operation="equals">unlabeled_t</linux:type>
+ <linux:type datatype="string"
operation="equals">device_t</linux:type>
</linux:selinuxsecuritycontext_state>
</def-group>
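Review bot: the OVAL object and the manual check now disagree on scope. The object recurses down from `/dev` with filename pattern `^.*$` and no type restriction, so any entry under /dev carrying device_t (directories and symlinks included) satisfies the state, whereas the OCIL command in the rule text limits itself to `-type c -o -type b`; the automated test can therefore report a finding the manual check would not. Consider restricting the object to character/block device files or widening the OCIL text so both describe the same set. Also, the state's match value changed from `unlabeled_t` to `device_t` but `version="1"` on the state and `version="2"` on the test were not incremented; bump them so consumers can tell the semantics changed. The state `comment="do it"` is unchanged context but should be descriptive, e.g. `comment="device_t in /dev"` like its siblings.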
diff --git a/RHEL/6/input/system/selinux.xml b/RHEL/6/input/system/selinux.xml
index 5118427..e54f6ef 100644
--- a/RHEL/6/input/system/selinux.xml
+++ b/RHEL/6/input/system/selinux.xml
@@ -191,17 +191,16 @@ or allow privileges that the daemon does not require.
</Rule>
<Rule id="selinux_all_devicefiles_labeled">
-<title>Ensure No Device Files are Unlabeled by SELinux</title>
+<title>Ensure No Device Files are Unknown to SELinux</title>
<description>Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
-files carry the SELinux type <tt>unlabeled_t</tt>, investigate the cause and
-correct the file's context.
+files carry the SELinux type <tt>device_t</tt>, report the bug so that policy
can be corrected. Supply information about what the device is and what programs use it.
</description>
<ocil clause="there is output">To check for unlabeled device files, run
the following command:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf
"%p %Z\n"</pre>
It should produce no output in a well-configured system.</ocil>
<rationale>
-If a device file carries the SELinux type <tt>unlabeled_t</tt>, then SELinux
+If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
cannot properly restrict access to the device file.
</rationale>
<ident cce="26774-0" stig="RHEL-06-000025" />
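Review bot: the `<ocil>` prompt in this hunk still says "To check for unlabeled device files" while the title two lines above is changed to "Unknown to SELinux"; the Fedora copy of this rule updates the prompt to "unknown device files" in the same patch, so this one should match. Suggest changing the context line to `To check for unknown device files, run` as was done for Fedora.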
diff --git a/RHEL/7/input/system/selinux.xml b/RHEL/7/input/system/selinux.xml
index 98d5b83..ed3896a 100644
--- a/RHEL/7/input/system/selinux.xml
+++ b/RHEL/7/input/system/selinux.xml
@@ -177,14 +177,13 @@ or allow privileges that the daemon does not require.
<title>Ensure No Device Files are Unlabeled by SELinux</title>
<description>Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
-files carry the SELinux type <tt>unlabeled_t</tt>, investigate the cause and
-correct the file's context.
+files carry the SELinux type <tt>device_t</tt>, report the bug so that policy
can be corrected. Supply information about what the device is and what programs use it.
</description>
<ocil clause="there is output">To check for unlabeled device files, run
the following command:
<pre>$sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf
"%p %Z\n"</pre>
It should produce no output in a well-configured system.</ocil>
<rationale>
-If a device file carries the SELinux type <tt>unlabeled_t</tt>, then SELinux
+If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
cannot properly restrict access to the device file.
</rationale>
<ident cce="27326-8" />
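Review bot: the RHEL/7 rule's title is left as `Ensure No Device Files are Unlabeled by SELinux` (unchanged context at the top of the hunk) while the Fedora and RHEL/6 hunks in this same patch rename it to "Unknown to SELinux"; the three copies should carry the same title and `<ocil>` wording. The `<pre>` also has the `$sudo` missing-space issue and the unquoted `*:device_t:*` glob noted for the Fedora copy.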
diff --git a/shared/references/disa-stig-rhel6-v1r5-xccdf-manual.xml
b/shared/references/disa-stig-rhel6-v1r5-xccdf-manual.xml
index aeba70b..24feac9 100644
--- a/shared/references/disa-stig-rhel6-v1r5-xccdf-manual.xml
+++ b/shared/references/disa-stig-rhel6-v1r5-xccdf-manual.xml
@@ -11306,7 +11306,7 @@ If it does not, this is a finding. </check-content>
<Rule id="SV-65589r1_rule" severity="low"
weight="10.0">
<version>RHEL-06-000025</version>
<title>All device files must be monitored by the system Linux Security
Module.</title>
- <description><VulnDiscussion>If a device file carries the SELinux
type "unlabeled_t", then SELinux cannot properly restrict access to the device
file.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description>
+ <description><VulnDiscussion>If a device file carries the SELinux
type "device_t", then SELinux cannot properly restrict access to the device
file.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description>
<reference>
<dc:title>DPMS Target Red Hat 6</dc:title>
<dc:publisher>DISA FSO</dc:publisher>
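Review bot: this hunk edits `shared/references/disa-stig-rhel6-v1r5-xccdf-manual.xml`, which is a copy of a document published by DISA FSO (see the `<dc:publisher>` in the unchanged context). Changing the `<VulnDiscussion>` text here means the repository no longer reflects what v1r5 of the STIG actually says; if the published wording is wrong, the reference copy should stay as published and the correction belongs in the project's own rule files, with the discrepancy noted against RHEL-06-000025.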
@@ -11315,13 +11315,13 @@ If it does not, this is a finding. </check-content>
<dc:identifier>2367</dc:identifier>
</reference>
<ident
system="http://iase.disa.mil/cci">CCI-000366</ident>
- <fixtext fixref="F-56179r1_fix">Device files, which are used for
communication with important system resources, should be labeled with proper SELinux
types. If any device files carry the SELinux type "unlabeled_t", investigate the
cause and correct the file's context. </fixtext>
+ <fixtext fixref="F-56179r1_fix">Device files, which are used for
communication with important system resources, should be labeled with proper SELinux
types. If any device files carry the SELinux type "device_t", report the bug so
that policy can be corrected. Supply information about what the device is and what
programs use it. </fixtext>
<fix id="F-56179r1_fix"/>
<check system="C-53719r1_chk">
<check-content-ref name="M"
href="DPMS_XCCDF_Benchmark_RHEL_6_STIG.xml"/>
<check-content>To check for unlabeled device files, run the following command:
-# ls -RZ /dev | grep unlabeled_t
+# ls -RZ /dev | grep device_t
It should produce no output in a well-configured system.
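Review bot: `ls -RZ /dev | grep device_t` is a substring match and will also hit every device-specific type whose name ends in `_device_t` (for example `usb_device_t`), so on a correctly labeled system this command produces plenty of output and the "It should produce no output" sentence becomes false. The other hunks anchor the type with `*:device_t:*`; the same anchoring is needed here, e.g. `# ls -RZ /dev | grep ':device_t:'`. The same concern as the previous hunk applies to editing the published STIG reference text at all rather than recording the deviation in the project's own rule.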
--
2.4.3