{"description": "Device files, which are used for communication with important system\nresources, should be labeled with proper SELinux types. If any device files\ncarry the SELinux type device_t or unlabeled_t, report the\nbug so that policy can be corrected. Supply information about what the\ndevice is and what programs use it.\n
\nTo check for incorrectly labeled device files, run following commands:\n$ sudo find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"
\n$ sudo find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"
\nIt should produce no output in a well-configured system.", "rationale": "If a device file carries the SELinux type device_t or\nunlabeled_t, then SELinux cannot properly restrict access to the\ndevice file.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "2", "3", "5", "6", "7", "8", "9"], "cobit5": ["APO01.06", "APO11.04", "BAI01.06", "BAI03.05", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.03", "DSS03.05", "DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.02", "DSS06.06", "MEA02.01"], "cui": ["3.1.2", "3.1.5", "3.7.2"], "isa-62443-2009": ["4.3.3.3.9", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 2.8", "SR 2.9", "SR 5.2", "SR 6.2", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.1.2", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.5.1", "A.12.6.2", "A.12.7.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.14.2.7", "A.15.2.1", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-3(3)(a)", "AC-6"], "nist-csf": ["DE.CM-1", "DE.CM-7", "PR.AC-4", "PR.DS-5", "PR.IP-1", "PR.IP-3", "PR.PT-1", "PR.PT-3"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "there is output", "ocil": "To check for incorrectly labeled device files, run following commands:\n$ sudo find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"
\n$ sudo find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"
\nIt should produce no output in a well-configured system.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Automatic remediation of this control is not available. The remediation\ncan be achieved by amending SELinux policy."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.", "fixtext": "Restore the SELinux policy for the affected device file from the system policy database using the following command:\n\n$ sudo restorecon -v <device_path>\n\nSubstitute \"<device_path>\" with the path to the affected device file (from the output of the previous commands). An example device file path would be \"/dev/ttyUSB0\". If the output of the above command does not indicate that the device was relabeled to a more specific SELinux type label, then the SELinux policy of the system must be updated with more specific policy for the device class specified. If a package was used to install support for a device class, that package could be reinstalled using the following command:\n\n$ sudo dnf reinstall <package_name>\n\nIf a package was not used to install the SELinux policy for a given device class, then it must be generated manually and provide specific type labels.", "checktext": "Verify that all system device files are correctly labeled to prevent unauthorized modification.\n\nList all device files on the system that are incorrectly labeled with the following commands:\n\nNote: Device files are normally found under \"/dev\", but applications may place device files in other directories and may necessitate a search of the entire system.\n\n# find /dev -context *:device_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\n# find /dev -context *:unlabeled_t:* \\( -type c -o -type b \\) -printf \"%p %Z\\n\"\n\nNote: There are device files, such as \"/dev/vmci\", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the \"device_t\" label to operate. These device files are not a finding.\n\nIf there is output from either of these commands, other than already noted, this is a finding.", "vuldiscussion": "If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure No Device Files are Unlabeled by SELinux", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml", "template": null}