Bug 1941666

Summary: Relax rule on "SELINUXTYPE=XXX" setting
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.9
CC: ggasparb, mhaicman, vpolasek, wsato
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-23 11:12:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2021-03-22 15:03:18 UTC
Description of problem:

This is a continuation of BZ #1941661.
The rule "xccdf_org.ssgproject.content_rule_selinux_policytype" in scap-security-guide is too strict and also not correct on RHEL7:

linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
    <ind:filepath>/etc/selinux/config</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This states that you can have spaces before and after "=" sign, which is not true because SELINUXTYPE is a shell script variable.

Additionally, it expects no trailing space after the value, e.g. "SELINUXTYPE=targeted<space>" will fail, which is the case because /etc/selinux/config ships with a trailing space (see BZ #1941661).

Please fix the rule as was done upstream:

linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
    <ind:filepath>/etc/selinux/config</ind:filepath>
    <ind:pattern operation="pattern match">^SELINUXTYPE=([\w]*)[\s]*$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

scap-security-guide-0.1.52-2.el7_9.noarch


How reproducible:

Always

Steps to Reproduce:
1. On a basic RHEL7 system, execute the rule

  # oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_selinux_policytype --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Actual results:

Result  fail

Expected results:

No failure, even with default /etc/selinux/config content

Additional info:
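The behaviour of the two OVAL patterns quoted in the report can be checked without running oscap by emulating what a textfilecontent54 object does: apply the pattern to the file content with line-anchored ^ and $, and take the subexpression of the requested match instance (instance 1 is the first match). The script below is an added example, not code from the bug report or from scap-security-guide; the sample /etc/selinux/config contents, the function names and the instance handling are assumptions made for illustration.

```python
import re

# Constructed sample of /etc/selinux/config contents (not taken from the bug).
# It reproduces the shipped shape discussed in the report: the SELINUXTYPE
# line carries a trailing space, and a commented-out SELINUXTYPE line precedes it.
SAMPLE_CONFIG = (
    "# This file controls the state of SELinux on the system.\n"
    "SELINUX=enforcing\n"
    "#SELINUXTYPE=mls\n"
    "SELINUXTYPE=targeted \n"
)

# The two OVAL patterns quoted in the report: the RHEL7 one and the upstream one.
OLD_PATTERN = r"^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)"
NEW_PATTERN = r"^SELINUXTYPE=([\w]*)[\s]*$"


def oval_first_subexpression(text, pattern, instance=1):
    """Emulate an OVAL textfilecontent54 object (assumption: same semantics as
    re.MULTILINE for ^ and $): return the first capture group of the n-th match
    of `pattern` in `text`, or None when there are fewer than n matches."""
    matches = list(re.finditer(pattern, text, re.MULTILINE))
    if len(matches) < instance:
        return None
    return matches[instance - 1].group(1)


def policy_type_matches(text, pattern, expected="targeted"):
    """True when the captured policy type equals `expected`, i.e. the
    comparison the rule's OVAL state performs against the configured value."""
    return oval_first_subexpression(text, pattern) == expected


def compare_patterns(lines):
    """For each single config line, return (old capture, new capture) so the
    difference between the two patterns is visible side by side."""
    return {
        line: (
            oval_first_subexpression(line + "\n", OLD_PATTERN),
            oval_first_subexpression(line + "\n", NEW_PATTERN),
        )
        for line in lines
    }


if __name__ == "__main__":
    # Constructed variants of the setting line; only the first is valid
    # shell-style assignment syntax, which is the reporter's point.
    cases = [
        "SELINUXTYPE=targeted",
        "SELINUXTYPE = targeted",
        "   SELINUXTYPE=targeted",
        'SELINUXTYPE="targeted"',
        "#SELINUXTYPE=mls",
    ]
    for line, (old, new) in compare_patterns(cases).items():
        print(f"{line!r:32} old={old!r:14} new={new!r}")
    print("sample config passes with upstream pattern:",
          policy_type_matches(SAMPLE_CONFIG, NEW_PATTERN))
```

Two caveats worth keeping in mind when reading the output. First, the upstream pattern's `[\w]*` accepts only letters, digits and underscore, so a quoted value such as `SELINUXTYPE="targeted"` is not matched at all, while the old pattern captures it with the quotes included; either way the rule does not see the value `targeted`. Second, `instance 1` selects the first matching line, whereas a file sourced shell-style takes the last assignment; a config that sets SELINUXTYPE twice is therefore judged by the rule on the first line, which is a difference to be aware of when interpreting a scan result.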