Navigate

Check: RHEL-06-000025

Red Hat Enterprise Linux 6 STIG: RHEL-06-000025 (in versions v2 r2 through v1 r14)

Title

All device files must be monitored by the system Linux Security Module. (Cat III impact)

Discussion

If a device file carries the SELinux type "unlabeled_t", then SELinux cannot properly restrict access to the device file.

Check Content

To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding.

Fix Text

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type "unlabeled_t", investigate the cause and correct the file's context.

Additional Identifiers

Rule ID: SV-217864r603264_rule

Vulnerability ID: V-217864

Group Title: SRG-OS-000324

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000366	The organization implements the security configuration settings.
CCI-002165	The information system enforces organization-defined discretionary access control policies over defined subjects and objects.
CCI-002235	The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-3 (4)	Discretionary Access Control
AC-6 (10)	Prohibit Non-Privileged Users From Executing Privileged Functions
CM-6	Configuration Settings