Bug 446446

Summary: sectool --level 3 doesn't finish
Product: [Fedora] Fedora Reporter: Steve Grubb <sgrubb>
Component: sectoolAssignee: Peter Vrabec <pvrabec>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dkopecek, jhrozek, msamia
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.7.4-2.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-29 02:41:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steve Grubb 2008-05-14 16:45:06 UTC 
Description of problem:
When running level 3 and higher tests, it never finishes. With --debug, you see
that its in home_files test and appears to finish testing root. Then getting the
next user, it outputs:

testing user "systderr from filesystem: find: '/libexec' : No such file or directory

stderr from filesystem: /usr/bin/stat: cannot stat '/tmp/sh-thd-1210787222' : No
such file or directory

There is no closing double-quote. Running strace shows its looping between
select and wait4.


Version-Release number of selected component (if applicable):
0.7.3-1.fc10

How reproducible:
every time

Steps to Reproduce:
1. sectool --level 3
Comment 1 Jakub Hrozek 2008-05-15 12:08:01 UTC 
Both home_files and running a level work for me fine.. Can you please re-run 
without the home_files test (sectool --level 3 --exclude home_files). Can you 
check that the test is still running after sectool "freezes"? (just ps aux | 
grep home_files.sh)
Comment 2 Steve Grubb 2008-05-15 15:03:44 UTC 
I upgraded some packages yesterday. Today its acting better. I no longer see the
bad user name.

When it "hangs" now, I ran ps and see that its executing sh
/usr/share/sectool/tests/filesystem

I see it looping over and over doing something with files. But the text on the
screen is half finished looking like it broke. Maybe it needs a fflush of stdout
to get the screen updated with what its really doing. Also maybe a warning about
this test taking a while to run is in order?

In the filesystem test, I see a message that says a file is world/group
writable. Its only group writable, not world writable. There is a big difference
security-wise between world and group writable. :) The message should reflect
what it really is.

The selinux test says its disabled or in the wrong mode. What's wrong about
permissive? I think the message should say what mode its in and not be vague
about it. Permissive is slightly better than disabled, but its not wrong. :)

It also still can't differentiate between symlinks and files when it reports
world writable in the alias test. Alias halt is a good example since poweroff is
a symlink.

I wanted to give you feedback on a level 5 run too, but its been running for 2-3
hours now in the filesystem test. I'll give more feedback when it finally
finishes. I have a feeling this should be a C program and not shell scripts. :)
Comment 3 Daniel Kopeček 2008-05-16 12:54:01 UTC 
(In reply to comment #2)
> I upgraded some packages yesterday. Today its acting better. I no longer see the
> bad user name.
> 
> When it "hangs" now, I ran ps and see that its executing sh
> /usr/share/sectool/tests/filesystem
> 
> I see it looping over and over doing something with files. But the text on the
> screen is half finished looking like it broke. Maybe it needs a fflush of stdout
> to get the screen updated with what its really doing. Also maybe a warning about
> this test taking a while to run is in order?
> 
> In the filesystem test, I see a message that says a file is world/group
> writable. Its only group writable, not world writable. There is a big difference
> security-wise between world and group writable. :) The message should reflect
> what it really is.

Could you please post the exact message? The world/group message should appear
only if the file is world/group writable AND world/group executable - and that
is IMHO ok, because a executable file shouldn't be writable for a group - unless
you trust everyone in the group :]. There is separate test for world-writable
files and dirs.

> The selinux test says its disabled or in the wrong mode. What's wrong about
> permissive? I think the message should say what mode its in and not be vague
> about it. Permissive is slightly better than disabled, but its not wrong. :)
> 
> It also still can't differentiate between symlinks and files when it reports
> world writable in the alias test. Alias halt is a good example since poweroff is
> a symlink.
> 
> I wanted to give you feedback on a level 5 run too, but its been running for 2-3
> hours now in the filesystem test. I'll give more feedback when it finally
> finishes. I have a feeling this should be a C program and not shell scripts. :)

Yes. I'm rewriting it to C now.
Comment 4 Michel Samia 2008-05-21 12:58:19 UTC 
ad aliases: it is now fixed in git
Comment 5 Fedora Update System 2008-05-22 12:59:41 UTC 
sectool-0.7.4-2.fc9 has been submitted as an update for Fedora 9
Comment 6 Fedora Update System 2008-05-29 02:41:57 UTC 
sectool-0.7.4-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.