RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257932	RHEL-09-232260	SV-257932r925783_rule		Medium

Description
If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-61673r925781_chk )
Verify that all system device files are correctly labeled to prevent unauthorized modification. List all device files on the system that are incorrectly labeled with the following commands: Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system. # find /dev -context :device_t: \( -type c -o -type b \) -printf "%p %Z\n" # find /dev -context :unlabeled_t: \( -type c -o -type b \) -printf "%p %Z\n" Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding. If there is output from either of these commands, other than already noted, this is a finding.

Check Text ( C-61673r925781_chk )

Verify that all system device files are correctly labeled to prevent unauthorized modification.

List all device files on the system that are incorrectly labeled with the following commands:

Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.

# find /dev -context *:device_t:* $ -type c -o -type b $ -printf "%p %Z\n"

# find /dev -context *:unlabeled_t:* $ -type c -o -type b $ -printf "%p %Z\n"

Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.

If there is output from either of these commands, other than already noted, this is a finding.

Fix Text (F-61597r925782_fix)
Restore the SELinux policy for the affected device file from the system policy database using the following command: $ sudo restorecon -v Substituting "" with the path to the affected device file (from the output of the previous commands). An example device file path would be "/dev/ttyUSB0". If the output of the above command does not indicate that the device was relabeled to a more specific SELinux type label, then the SELinux policy of the system must be updated with more specific policy for the device class specified. If a package was used to install support for a device class, that package could be reinstalled using the following command: $ sudo dnf reinstall If a package was not used to install the SELinux policy for a given device class, then it must be generated manually and provide specific type labels.

Fix Text (F-61597r925782_fix)

Restore the SELinux policy for the affected device file from the system policy database using the following command:

$ sudo restorecon -v

Substituting "" with the path to the affected device file (from the output of the previous commands). An example device file path would be "/dev/ttyUSB0". If the output of the above command does not indicate that the device was relabeled to a more specific SELinux type label, then the SELinux policy of the system must be updated with more specific policy for the device class specified. If a package was used to install support for a device class, that package could be reinstalled using the following command:

$ sudo dnf reinstall

If a package was not used to install the SELinux policy for a given device class, then it must be generated manually and provide specific type labels.