Bug 1852364
| Summary: | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled fails when a symlink or regular file is labeled with "device_t" [rhel-7.9.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.8 | CC: | cbesson, ggasparb, jreznik, matyc, mhaicman, rmullett, vpolasek, wsato |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.54-3.el7_9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-04-27 11:30:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Additionally, there are some related warnings while using oscap, likely for the same reasons. ~~~ # oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig --results arf.xml --report /var/tmp/stig-report.html --rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok Title Ensure No Device Files are Unlabeled by SELinux Rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled Ident CCE-27326-8 E: probe_selinuxsecuritycontext: Can't get context for /dev/fd/3: No such file or directory E: probe_selinuxsecuritycontext: Can't get context for /dev/fd/3: No such file or directory Result pass ~~~ /dev/fd being a symlink to /proc/self/fd: ~~~ # ll -Zd /dev/fd lrwxrwxrwx. root root system_u:object_r:device_t:s0 /dev/fd -> /proc/self/fd ~~~ According to the strace, the fd 3 is closed by the PID 6455, which is a thread of 6451, which corresponds to the following binary: `/usr/libexec/openscap/probe_selinuxsecuritycontext`. ~~~ 6455 12:18:14.603506 lstat("/dev/fd/3", {st_dev=makedev(0, 3), st_ino=59893, st_mode=S_IFLNK|0500, st_nlink=1, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=0, st_size=64, st_atime=1592993894 /* 2020-06-24T12:18:14.525163635+0200 */, st_atime_nsec=525163635, st_mtime=1592993894 /* 2020-06-24T12:18:14.524163614+0200 */, st_mtime_nsec=524163614, st_ctime=1592993894 /* 2020-06-24T12:18:14.524163614+0200 */, st_ctime_nsec=524163614}) = 0 <0.000011> [cut] 6455 12:18:14.604087 getdents(3</proc/6451/fd>, [], 32768) = 0 <0.000009> 6455 12:18:14.604120 close(3</proc/6451/fd>) = 0 <0.000009> [cut] 6455 12:18:14.604651 getxattr("/dev/fd/2", "security.selinux", "unconfined_u:object_r:user_devpts_t:s0", 255) = 39 <0.000013> 6455 12:18:14.604713 getxattr("/dev/fd/3", "security.selinux", 0x7f0da400ecf0, 255) = -1 ENOENT (No such file or directory) <0.000015> 6455 12:18:14.604769 flock(2</dev/pts/0<char 136:0>>, LOCK_EX) = 0 <0.000022> 6455 12:18:14.604833 write(2</dev/pts/0<char 136:0>>, "E: probe_selinuxsecuritycontext: ", 33) = 33 <0.000023> 6455 12:18:14.604887 write(2</dev/pts/0<char 136:0>>, "Can't get context for /dev/fd/3: No such file or directory", 58) = 58 <0.000011> ~~~ /dev/fd/3 was a symlink to /proc/self/fd, which is usually the case. And this file descriptor has been closed by oscap a few calls before. This fd has likely been created by something like readdir("/dev/fd"), and then all the results are iterated, including this closed fd. I won't open another BZ for that, since not following the symlinks would fix it. Fixed upstream: https://github.com/ComplianceAsCode/content/pull/5911 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1383 |
Description of problem: When a symlink or a regular file in /dev is labeled with "device_t" exists, the rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled fails. The rule should only deal with special devices and skip the rest, but currently it deals with everything which is not a directory: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1"> <linux:behaviors recurse_direction="down" /> <linux:path>/dev</linux:path> <linux:filename operation="pattern match">^.*$</linux:filename> <filter action="include">state_selinux_all_devicefiles_labeled</filter> </linux:selinuxsecuritycontext_object> <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1"> <linux:type datatype="string" operation="equals">device_t</linux:type> </linux:selinuxsecuritycontext_state> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- From the description and remediation, the rule should only deal with special devices: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- To check for unlabeled device files, run the following command: <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre> It should produce no output in a well-configured system. -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- This is an issue with Veritas software which creates symlink /dev/vx/rdmp to directory /dev/vx/dmp. Version-Release number of selected component (if applicable): All How reproducible: ALWAYS Steps to Reproduce: 1. Create a symlink to a directory in /dev # ln -s /dev/virtio-ports /dev/foo # restorecon -F /dev/foo # ls -Z /dev/foo lrwxrwxrwx. root root system_u:object_r:device_t:s0 /dev/foo -> /dev/virtio-ports 2. Execute the rule # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Actual results: fail Expected results: pass Additional info: The real use case is symlink /dev/vx/rdmp to directory /dev/vx/dmp.