Bug 1344762

Summary: openscap rpmverifypackage probe might fail while scanning chrooted environment
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: openscap
Assignee: Jan Černý <jcerny>
Status: CLOSED CURRENTRELEASE
QA Contact: Marek Haicman <mhaicman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: ajia, mhaicman, mpreisle, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openscap-1.2.10-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-17 10:01:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1278147

Description Marek Haicman 2016-06-10 16:38:03 UTC
Description of problem:
When the rpmverifypackage probe is run, it partly uses libraries from the chrooted environment. Because of that, if the libraries on the host and in the chroot are of incompatible versions, an error may occur.


Version-Release number of selected component (if applicable):
openscap-1.2.9-5.el7.x86_64

How reproducible:
reliably

Steps to Reproduce:
1. Use the oscap-docker command on a RHEL 7.2 machine to scan a Fedora image with nss and nss-softokn versions lower than 3.24

Actual results:
probe fails with "error: Failed to initialize NSS library"

Expected results:
rpmverifypackage works

Comment 1 Jan Černý 2016-06-22 15:17:58 UTC
Fixed upstream in https://github.com/OpenSCAP/openscap/pull/440

Comment 2 Marek Haicman 2016-09-17 08:22:39 UTC
Verified in version openscap-1.2.10-2.el7.x86_64, issue is fixed.

Old:
:: [ 02:34:01 ] ::   openscap-1.2.9-5.el7_2.x86_64
:: [  BEGIN   ] :: Running 'oscap-docker container f8b916e31a64312637592f81b6a8940726479cde162be14864c9c9b0d40fbe71 oval eval --id oval:my:def:5 --results /dev/stdout probe_test_rpm.oval.xml | grep '<lin-sys:name>coreutils</lin-sys:name>''
error: Failed to initialize NSS library
OpenSCAP Error: Unable to close probe sd [oval_probe_ext.c:424]
Unable to receive a message from probe [oval_probe_ext.c:579]
Invalid oval result type: -1. [oval_resultTest.c:179]
:: [   FAIL   ] :: Command 'oscap-docker container f8b916e31a64312637592f81b6a8940726479cde162be14864c9c9b0d40fbe71 oval eval --id oval:my:def:5 --results /dev/stdout probe_test_rpm.oval.xml | grep '<lin-sys:name>coreutils</lin-sys:name>'' (Expected 0, got 1)


New:
:: [ 02:21:40 ] ::   openscap-1.2.10-2.el7.x86_64
:: [  BEGIN   ] :: Running 'oscap-docker container 7d9735aa4d328e3130b79296a88fe4530319cfa69c68870b4c7651a44de04019 oval eval --id oval:my:def:5 --results /dev/stdout probe_test_rpm.oval.xml | grep '<lin-sys:name>coreutils</lin-sys:name>''
            <lin-sys:name>coreutils</lin-sys:name>
:: [   PASS   ] :: Command 'oscap-docker container 7d9735aa4d328e3130b79296a88fe4530319cfa69c68870b4c7651a44de04019 oval eval --id oval:my:def:5 --results /dev/stdout probe_test_rpm.oval.xml | grep '<lin-sys:name>coreutils</lin-sys:name>'' (Expected 0, got 0)

Comment 5 Marek Haicman 2017-05-17 10:01:08 UTC
Version openscap-1.2.10-2.el7.x86_64 was part of the RHEL 7.3.0 release.
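
Added example, not part of the original report or of OpenSCAP: a shell check that scans captured oscap-docker output for the probe-failure lines shown in the "Old" run of Comment 2, so a crashed probe is reported as an invalid scan rather than read as an evaluation result. The function names, the category labels and the file name `check.sh` are assumptions; the sample logs are built from the lines quoted in that comment.

```shell
#!/bin/sh
# Added example: flag oscap/oscap-docker runs whose probe died, so the
# missing output is not mistaken for an evaluation result.
# Signatures are the error lines quoted in the "Old" run of this report.

# Print each probe-failure signature found in log file $1 (deduplicated).
probe_failures() {
    grep -E -o \
        -e 'Failed to initialize NSS library' \
        -e 'Unable to receive a message from probe' \
        -e 'Invalid oval result type: -?[0-9]+' \
        "$1" | sort -u
}

# Echo "valid", "invalid:nss-init" or "invalid:probe" for log file $1.
# These labels are this example's own, not OpenSCAP output.
classify_scan() {
    if [ -z "$(probe_failures "$1")" ]; then
        echo valid
    elif probe_failures "$1" | grep -q 'NSS library'; then
        echo invalid:nss-init
    else
        echo invalid:probe
    fi
}

# Write two sample logs into directory $1, built from the lines quoted
# in Comment 2 (old.log = failing 1.2.9 run, new.log = passing 1.2.10 run).
write_samples() {
    cat > "$1/old.log" <<'EOF'
error: Failed to initialize NSS library
OpenSCAP Error: Unable to close probe sd [oval_probe_ext.c:424]
Unable to receive a message from probe [oval_probe_ext.c:579]
Invalid oval result type: -1. [oval_resultTest.c:179]
EOF
    cat > "$1/new.log" <<'EOF'
            <lin-sys:name>coreutils</lin-sys:name>
EOF
}

# Usage (hypothetical file name): sh check.sh captured-oscap-output.log
if [ "$#" -gt 0 ]; then
    classify_scan "$1"
fi
```

Capture both stdout and stderr of the scan into the log file before classifying it, since the failure lines in the report are error output.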