All device files must be monitored by the system Linux Security Module.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| RHEL-06-000025 | RHEL-06-000025 | RHEL-06-000025_rule | Low |
| Description |
|---|
| If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2013-02-05 |
Details
| Check Text ( C-RHEL-06-000025_chk ) |
|---|
| If the system is a cross-domain system, this is not applicable. To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding. |
| Fix Text (F-RHEL-06-000025_fix) |
|---|
| Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context. |