Bug 1914226

Summary:	False positive selinux content_rule_selinux_policytype [rhel-7.9.z]
Product:	Red Hat Enterprise Linux 7	Reporter:	Mangirdas Judeikis <mjudeiki>
Component:	scap-security-guide	Assignee:	Vojtech Polasek <vpolasek>
Status:	CLOSED ERRATA	QA Contact:	Matus Marhefka <mmarhefk>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	7.9	CC:	ekolesni, ggasparb, jreznik, matyc, mhaicman, rmetrich, vpolasek, wsato
Target Milestone:	rc	Keywords:	AutoVerified, Triaged, ZStream
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	scap-security-guide-0.1.54-3.el7_9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-04-27 11:30:11 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Mangirdas Judeikis 2021-01-08 11:52:04 UTC

Description of problem:

With latest SCAP package we are getting false positive results for 
xccdf_org.ssgproject.content_rule_selinux_policytype



Version-Release number of selected component (if applicable):
[cloud-user@master-000001 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)

Works:
[root@master-000000 ~]# rpm -qa | grep openscap
openscap-scanner-1.2.10-3.el7_3.x86_64
openscap-utils-1.2.10-3.el7_3.x86_64
openscap-1.2.10-3.el7_3.x86_64

Bad:
[root@master-000000 ~]# rpm -qa | grep openscap
openscap-containers-1.2.17-13.el7_9.noarch
openscap-scanner-1.2.17-13.el7_9.x86_64
openscap-utils-1.2.17-13.el7_9.x86_64
openscap-1.2.17-13.el7_9.x86_64


How reproducible:

Steps to Reproduce:
1. Run scap tests
2. Expect selinux policy to be in Targeted
3. Shows as fails
 

SELINUX on both boxes:
[cloud-user@master-000001 ~]$ cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


Actual results:

Fails

Expected results:

Success


Additional info:

Will attach results as private attachments

Comment 6 Vojtech Polasek 2021-01-15 06:50:39 UTC

Fixed upstream in https://github.com/ComplianceAsCode/content/pull/6530

Comment 7 Vojtech Polasek 2021-03-24 10:41:43 UTC

*** Bug 1941666 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2021-04-27 11:30:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1383