>From 3eaaf96ad4fc3a626daec3768054feeb410f0767 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 29 Mar 2013 20:06:50 -0400 Subject: [PATCH 17/21] Renamed OVAL in selinux_unlabeled_device_files to match XCCDF rule name
---
 .../checks/selinux_all_devicefiles_labeled.xml | 27 -------------------- .../checks/selinux_unlabeled_device_files.xml | 27 ++++++++++++++++++++ RHEL6/input/system/selinux.xml | 2 +- 3 files changed, 28 insertions(+), 28 deletions(-) delete mode 100644 RHEL6/input/checks/selinux_all_devicefiles_labeled.xml create mode 100644 RHEL6/input/checks/selinux_unlabeled_device_files.xml
diff --git a/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml b/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml
deleted file mode 100644
index affef3d..0000000
--- a/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<def-group>
- <definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
- <metadata>
- <title>Device Files Have Proper SELinux Context</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>All device files in /dev should be assigned an SELinux security context other than 'unlabeled_t'.</description>
- </metadata>
- <criteria>
- <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
- </criteria>
- </definition>
- <linux:selinuxsecuritycontext_test check="none exist" check_existence="all_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1">
- <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
- <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
- </linux:selinuxsecuritycontext_test>
- <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
- <linux:behaviors recurse_direction="down" />
- <linux:path>/dev</linux:path>
- <linux:filename operation="pattern match">^.*$</linux:filename>
- <filter action="include">state_selinux_all_devicefiles_labeled</filter>
- </linux:selinuxsecuritycontext_object>
- <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
- <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
- </linux:selinuxsecuritycontext_state>
-</def-group>
diff --git a/RHEL6/input/checks/selinux_unlabeled_device_files.xml b/RHEL6/input/checks/selinux_unlabeled_device_files.xml
new file mode 100644
index 0000000..affef3d
--- /dev/null
+++ b/RHEL6/input/checks/selinux_unlabeled_device_files.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
+ <metadata>
+ <title>Device Files Have Proper SELinux Context</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>All device files in /dev should be assigned an SELinux security context other than 'unlabeled_t'.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
+ </criteria>
+ </definition>
+ <linux:selinuxsecuritycontext_test check="none exist" check_existence="all_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1">
+ <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
+ <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
+ </linux:selinuxsecuritycontext_test>
+ <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
+ <linux:behaviors recurse_direction="down" />
+ <linux:path>/dev</linux:path>
+ <linux:filename operation="pattern match">^.*$</linux:filename>
+ <filter action="include">state_selinux_all_devicefiles_labeled</filter>
+ </linux:selinuxsecuritycontext_object>
+ <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
+ <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
+ </linux:selinuxsecuritycontext_state>
+</def-group>
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index bd9177f..3415fb9 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
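Review bot: The renamed OVAL file still declares `<definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">`, while the selinux.xml hunk in this same patch now points the rule at `<oval id="selinux_unlabeled_device_files" />`; if the build resolves `<oval id>` against the definition id (which the commit subject's goal of matching the XCCDF rule name implies), the rule is left with a dangling check reference and a scanner reports it as notchecked instead of failing on unlabeled devices. That line should become `<definition class="compliance" id="selinux_unlabeled_device_files" version="1">` so the definition id, the filename and the rule reference agree; the test/object/state ids only need to be consistent within this file and can stay. Separately, the test combines `check_existence="all_exist"` with an object filter that admits only `unlabeled_t` items, which looks like it evaluates false on a compliant host where no such item is collected — worth confirming with a scan, since the intended contract reads as `check_existence="none_exist"`.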
@@ -241,7 +241,7 @@ If a device file carries the SELinux type <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the device file. </rationale> <ident cce="26774-0" />
-<oval id="selinux_all_devicefiles_labeled" />
+<oval id="selinux_unlabeled_device_files" />
 <ref nist="AC-6,AU-9,CM-7" disa="22,32"/> <tested by="DS" on="20121024"/> </Rule>
-- 1.7.1
