Bug 1852367

Summary: xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled fails when a symlink or regular file is labeled with "device_t"
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA
QA Contact: Matus Marhefka <mmarhefk>
Severity: medium
Priority: medium
Version: 8.2
CC: ggasparb, matyc, mhaicman, wsato
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Fixed In Version: scap-security-guide-0.1.50-11.el8
Doc Type: No Doc Update
Last Closed: 2020-11-04 02:30:10 UTC
Type: Bug

Description Renaud Métrich 2020-06-30 09:31:59 UTC
This bug was initially created as a copy of Bug #1852364

I am copying this bug because: 

also applies to RHEL 8

Description of problem:

When a symlink or a regular file in /dev labeled with "device_t" exists, the rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled fails.

The rule should only deal with special devices and skip the rest, but currently it deals with everything that is not a directory:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
    <linux:behaviors recurse_direction="down" />
    <linux:path>/dev</linux:path>
    <linux:filename operation="pattern match">^.*$</linux:filename>
    <filter action="include">state_selinux_all_devicefiles_labeled</filter>
  </linux:selinuxsecuritycontext_object>
  <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
    <linux:type datatype="string" operation="equals">device_t</linux:type>
  </linux:selinuxsecuritycontext_state>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

From the description and remediation, the rule should only deal with special devices:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    To check for unlabeled device files, run the following command:
    <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
    It should produce no output in a well-configured system.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is an issue with Veritas software, which creates the symlink /dev/vx/rdmp to the directory /dev/vx/dmp.


Version-Release number of selected component (if applicable):

All


How reproducible:

ALWAYS

Steps to Reproduce:
1. Create a symlink to a directory in /dev

  # ln -s /dev/virtio-ports /dev/foo
  # restorecon -F /dev/foo

  # ls -Z /dev/foo
  lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/foo -> /dev/virtio-ports
  
2. Execute the rule

  # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Actual results:

fail

Expected results:

pass

Additional info:

The real use case is symlink /dev/vx/rdmp to directory /dev/vx/dmp.
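The distinction the report draws, as an added example written for this page (not code from scap-security-guide or its OVAL content): the quoted object's filter (every non-directory under /dev with type device_t) beside the intended one (character and block special files only), run over a constructed /dev listing. `scan_dev()` is an assumed helper that builds the same shape from a live SELinux host using `lstat()` and the `security.selinux` xattr, so symlinks are classified by themselves rather than by their target.

```python
import os
import stat

# Constructed sample of what a recursive scan of /dev might return:
# (path, st_mode from lstat(), SELinux context). Not a real system listing.
SAMPLE_DEV_ENTRIES = [
    ("/dev/null", stat.S_IFCHR | 0o666, "system_u:object_r:null_device_t:s0"),
    ("/dev/sda", stat.S_IFBLK | 0o660, "system_u:object_r:fixed_disk_device_t:s0"),
    # a genuinely unlabeled device node: the case the rule is meant to catch
    ("/dev/orphan0", stat.S_IFCHR | 0o600, "system_u:object_r:device_t:s0"),
    # symlink to a directory, as in the report's reproducer (/dev/foo -> /dev/virtio-ports)
    ("/dev/foo", stat.S_IFLNK | 0o777, "system_u:object_r:device_t:s0"),
    ("/dev/virtio-ports", stat.S_IFDIR | 0o755, "system_u:object_r:device_t:s0"),
    # a regular file under /dev carrying the generic label
    ("/dev/shm/note.txt", stat.S_IFREG | 0o644, "system_u:object_r:device_t:s0"),
]


def has_generic_device_type(ctx):
    # A context is user:role:type:level; the generic device_t type means no
    # device-specific policy label was applied.
    return ctx.split(":")[2] == "device_t"


def original_rule(entries):
    # Behaviour of the OVAL object quoted in the report: everything under /dev
    # that is not a directory is in scope, so symlinks and regular files count.
    return sorted(p for p, mode, ctx in entries
                  if not stat.S_ISDIR(mode) and has_generic_device_type(ctx))


def corrected_rule(entries):
    # Intended behaviour per the rule description (find ... -type c -o -type b):
    # only character and block special files are in scope.
    return sorted(p for p, mode, ctx in entries
                  if (stat.S_ISCHR(mode) or stat.S_ISBLK(mode))
                  and has_generic_device_type(ctx))


def scan_dev(root="/dev"):
    # Assumed helper for a live SELinux host. lstat() keeps symlinks as symlinks;
    # the xattr is read without following them. Entries that vanish or deny
    # access (common under /dev) are skipped.
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
            except OSError:
                continue
            entries.append((path, mode, raw.decode().rstrip("\0")))
    return entries
```

On the constructed sample the original filter reports the symlink and the regular file alongside the real orphan node, while the corrected filter reports only the orphan node.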

Comment 1 Matěj Týč 2020-08-11 13:37:57 UTC
Fixed upstream along with the RHEL7 BZ:

https://github.com/ComplianceAsCode/content/pull/5911

Comment 10 errata-xmlrpc 2020-11-04 02:30:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4626