Signed-off-by: Jeffrey Blank <[email protected]>
---
 .../checks/selinux_all_devicefiles_labeled.xml     |    1 +
 RHEL6/input/system/selinux.xml                     |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml 
b/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml
index c1acd8c..affef3d 100644
--- a/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml
+++ b/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml
@@ -16,6 +16,7 @@
     <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
   </linux:selinuxsecuritycontext_test>
   <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" 
id="object_selinux_all_devicefiles_labeled" version="1">
+    <linux:behaviors recurse_direction="down" />
     <linux:path>/dev</linux:path>
     <linux:filename operation="pattern match">^.*$</linux:filename>
     <filter action="include">state_selinux_all_devicefiles_labeled</filter>
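Review bot: The added `<linux:behaviors recurse_direction="down" />` sets only the direction, so how deep the walk goes and whether symlinks are followed are left to defaults that are not visible in this file. Consider stating `max_depth` and `recurse` explicitly on this element so the scope of the check under /dev can be read from the object itself. The object's comment attribute still reads "unlabeled_t in /dev" and could be updated to say that subdirectories are now included.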
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index 4ac37b3..543f3a9 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
@@ -236,7 +236,7 @@ files carry the SELinux type <tt>unlabeled_t</tt>, 
investigate the cause and
 correct the file's context.
 </description>
 <ocil clause="there is output">To check for unlabeled device files, run the 
following command:
-<pre># ls -Z /dev | grep unlabeled_t</pre>
+<pre># ls -RZ /dev | grep unlabeled_t</pre>
 It should produce no output in a well-configured system.</ocil>
 <rationale>
 If a device file carries the SELinux type <tt>unlabeled_t</tt>, then SELinux
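Review bot: With `ls -RZ /dev | grep unlabeled_t`, a match is printed without the directory it lives in, because `ls -R` puts the directory name on a separate header line that `grep` filters out. An auditor who gets output will not know which subdirectory of /dev holds the file. Consider a command that prints full paths, for example GNU find's `-context` test, or add a sentence to the OCIL text explaining how to locate the file. The "It should produce no output" sentence and the "there is output" clause remain consistent with the new command.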
-- 
1.7.1
