I've been having the same issues with selinux_all_devicefiles_labeled, and we're running SELinux under the mls policy. (Yes, I've already refined the rule to look for mls.) When you run the oscap command to generate the result and report, add --oval-results and it should list a slew of files for which it cannot get the context. I haven't had the time to look into the results yet, but if I figure anything out I'll let you know.
Hopefully that helps.

Luke K

________________________________________
From: [email protected] [[email protected]] on behalf of Steve Thomas [[email protected]]
Sent: Friday, April 04, 2014 5:24 AM
To: [email protected]
Subject: EXTERNAL: RHEL6 & STIG

Hi All,

I’m in the process of implementing a lockdown of RHEL6 based on the STIG found in your packages. I’m moving through each failure but I’d like to find out if there’s a way to see what checks are actually being performed for each RuleID so that I can perform them on the command line to understand what they are looking for.

I’m also seeing 2 errors and I’d like to understand and fix those so turning on debug or verbose logging would really be useful to find out why both of these error:

* mountopt_noexec_on_removeable_partitions
* selinux_all_devicefiles_labeled

Can anyone help?

Thanks,
Steve

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
