Bug 1852364
Summary: | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled fails when a symlink or regular file is labeled with "device_t" [rhel-7.9.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Renaud Métrich <rmetrich> |
Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.8 | CC: | cbesson, ggasparb, jreznik, matyc, mhaicman, rmullett, vpolasek, wsato |
Target Milestone: | rc | Keywords: | AutoVerified, Triaged, ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | scap-security-guide-0.1.54-3.el7_9 | Doc Type: | No Doc Update |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-04-27 11:30:11 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Renaud Métrich
2020-06-30 09:22:45 UTC
Additionally, there are some related warnings while using oscap, likely for the same reasons. ~~~ # oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig --results arf.xml --report /var/tmp/stig-report.html --rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok Title Ensure No Device Files are Unlabeled by SELinux Rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled Ident CCE-27326-8 E: probe_selinuxsecuritycontext: Can't get context for /dev/fd/3: No such file or directory E: probe_selinuxsecuritycontext: Can't get context for /dev/fd/3: No such file or directory Result pass ~~~ /dev/fd being a symlink to /proc/self/fd: ~~~ # ll -Zd /dev/fd lrwxrwxrwx. root root system_u:object_r:device_t:s0 /dev/fd -> /proc/self/fd ~~~ According to the strace, the fd 3 is closed by the PID 6455, which is a thread of 6451, which corresponds to the following binary: `/usr/libexec/openscap/probe_selinuxsecuritycontext`. ~~~ 6455 12:18:14.603506 lstat("/dev/fd/3", {st_dev=makedev(0, 3), st_ino=59893, st_mode=S_IFLNK|0500, st_nlink=1, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=0, st_size=64, st_atime=1592993894 /* 2020-06-24T12:18:14.525163635+0200 */, st_atime_nsec=525163635, st_mtime=1592993894 /* 2020-06-24T12:18:14.524163614+0200 */, st_mtime_nsec=524163614, st_ctime=1592993894 /* 2020-06-24T12:18:14.524163614+0200 */, st_ctime_nsec=524163614}) = 0 <0.000011> [cut] 6455 12:18:14.604087 getdents(3</proc/6451/fd>, [], 32768) = 0 <0.000009> 6455 12:18:14.604120 close(3</proc/6451/fd>) = 0 <0.000009> [cut] 6455 12:18:14.604651 getxattr("/dev/fd/2", "security.selinux", "unconfined_u:object_r:user_devpts_t:s0", 255) = 39 <0.000013> 6455 12:18:14.604713 getxattr("/dev/fd/3", "security.selinux", 0x7f0da400ecf0, 255) = -1 ENOENT (No such file or directory) <0.000015> 6455 12:18:14.604769 flock(2</dev/pts/0<char 136:0>>, LOCK_EX) = 0 <0.000022> 6455 12:18:14.604833 write(2</dev/pts/0<char 136:0>>, "E: probe_selinuxsecuritycontext: ", 33) = 33 <0.000023> 6455 12:18:14.604887 write(2</dev/pts/0<char 136:0>>, "Can't get context for /dev/fd/3: No such file or directory", 58) = 58 <0.000011> ~~~ /dev/fd/3 was a symlink to /proc/self/fd, which is usually the case. And this file descriptor has been closed by oscap a few calls before. This fd has likely been created by something like readdir("/dev/fd"), and then all the results are iterated, including this closed fd. I won't open another BZ for that, since not following the symlinks would fix it. Fixed upstream: https://github.com/ComplianceAsCode/content/pull/5911 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1383 |