All device files must be monitored by the system Linux Security Module.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-51379 | RHEL-06-000025 | SV-65589r1_rule | Low |
| Description |
|---|
| If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2015-05-26 |
Details
| Check Text ( C-53719r1_chk ) |
|---|
| To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding. |
| Fix Text (F-56179r1_fix) |
|---|
| Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context. |