File: shared.xml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (51 lines) | stat: -rw-r--r-- 3,117 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
<def-group>
  <definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
    {{{ oval_metadata("All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.", rule_title=rule_title) }}}
    <criteria operator="AND">
      <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
      <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
    </criteria>
  </definition>

  <!-- collect all special files from /dev directory -->
  <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
    <unix:behaviors recurse_direction="down" />
    <unix:path operation="equals">/dev</unix:path>
    <unix:filename operation="pattern match">^.*$</unix:filename>
    <filter action="include">state_block_or_char_device_file</filter>
  </unix:file_object>

  <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
    <unix:type operation="pattern match">^(block|character) special$</unix:type>
  </unix:file_state>

  <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
    <object_component object_ref="object_dev_device_files" item_field="filepath" />
  </local_variable>


  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
    <linux:object object_ref="object_selinux_dev_device_t" />
    <linux:state state_ref="state_selinux_dev_device_t" />
  </linux:selinuxsecuritycontext_test>
  <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
    <linux:filepath operation="equals" var_ref="variable_dev_device_files"  var_check="at least one"/>
    <filter action="include">state_selinux_dev_device_t</filter>
  </linux:selinuxsecuritycontext_object>
  <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
    <linux:type datatype="string" operation="equals">device_t</linux:type>
  </linux:selinuxsecuritycontext_state>

  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
    <linux:object object_ref="object_selinux_dev_unlabeled_t" />
    <linux:state state_ref="state_selinux_dev_unlabeled_t" />
  </linux:selinuxsecuritycontext_test>
  <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
    <linux:filepath operation="equals" var_ref="variable_dev_device_files"  var_check="at least one"/>
    <filter action="include">state_selinux_dev_unlabeled_t</filter>
  </linux:selinuxsecuritycontext_object>
  <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
    <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
  </linux:selinuxsecuritycontext_state>

</def-group>