Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1209969

Summary: Drop OpenSCAP-selinux sub-package
Product: Red Hat Enterprise Linux 7
Reporter: Robin R. Price II <rprice>
Component: openscap
Assignee: Šimon Lukašík <slukasik>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.1
CC: ksrot, mgrepl, mhaicman, openscap-maint, plautrba, slukasik
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openscap-1.2.4-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Duplicates: 1234336
Environment:
Last Closed: 2015-11-19 12:09:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Robin R. Price II 2015-04-08 14:30:18 UTC
Description of problem:

Following steps from: http://www.open-scap.org/page/Documentation#Scanning
"How to run vulnerability scan on Red Hat Enterprise Linux"

The error when running the scan:

OpenSCAP Error: Unable to close probe sd [oval_probe_ext.c:565]
Failed to create new OVAL agent session for: 'com.redhat.rhsa-all.xml'. [xccdf_session.c:759]


Version-Release number of selected component (if applicable):
RHEL 7.1 Workstation

$ rpm -qa | grep -i scap
openscap-selinux-1.1.1-3.el7.noarch
openscap-python-1.1.1-3.el7.x86_64
openscap-utils-1.1.1-3.el7.x86_64
openscap-scanner-1.1.1-3.el7.x86_64
scap-security-guide-0.1.19-2.el7.noarch
openscap-1.1.1-3.el7.x86_64
scap-workbench-1.0.2-2.el7.x86_64
openscap-extra-probes-1.1.1-3.el7.x86_64



How reproducible:
Always


Steps to Reproduce:
1. wget --quiet -c http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
2. wget --quiet -c http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml 
3. oscap xccdf eval --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml

Actual results:

OpenSCAP Error: Unable to close probe sd [oval_probe_ext.c:565]
Failed to create new OVAL agent session for: 'com.redhat.rhsa-all.xml'. [xccdf_session.c:759]


Expected results:
report.html is created for review.

Comment 2 Robin R. Price II 2015-04-08 14:56:22 UTC
src/OVAL/oval_probe_ext.c

 555                         if (SEAP_close(ctx, pd->sd) != 0) {
 556                                 char errbuf[__ERRBUF_SIZE];
 557 
 558                                 protect_errno {
 559                                         oscap_dlprintf(DBG_E, "Can't close sd: %u, %s.\n", errno, strerror(errno));
 560                                         SEAP_msg_free(s_imsg);
 561                                         SEAP_msg_free(s_omsg);
 562                                 }
 563 
 564                                 if (strerror_r (errno, errbuf, sizeof errbuf - 1) != 0)
 565                                         oscap_seterr (OSCAP_EFAMILY_OVAL, "Unable to close probe sd");
 566                                 else
 567                                         oscap_seterr (OSCAP_EFAMILY_OVAL, errbuf);
 568 
 569                                 pd->sd = -1;
 570                                 return (-1);
 571                         }


src/XCCDF/xccdf_session.c

 758                 if (tmp_sess == NULL) {
 759                         oscap_seterr(OSCAP_EFAMILY_OSCAP, "Failed to create new OVAL agent session for: '%s'.", contents[idx]->href);
 760                         oval_definition_model_free(tmp_def_model);
 761                         return 2;
 762                 }

Comment 3 Šimon Lukašík 2015-04-10 13:37:13 UTC
This is due to bug in openscap-selinux package.

type=AVC msg=audit(1428672795.077:70): avc:  denied  { read } for  pid=12363 comm="oscap" name="com.redhat.rhsa-all.xccdf.xml" dev="dm-0" ino=135840547 scontext=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1428672795.077:70): avc:  denied  { open } for  pid=12363 comm="oscap" path="/root/com.redhat.rhsa-all.xccdf.xml" dev="dm-0" ino=135840547 scontext=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

As a workaround please remove openscap-selinux package.

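Added example, not code from the bug report, Red Hat or the OpenSCAP project: a small triage script that runs the scan from the description (steps 1-3) and, when oscap exits with an error, parses the audit log the way comment 3 does to decide whether the confined oscap_t domain shipped by openscap-selinux is the cause. The helper names (avc_denials_for_comm, oscap_domain_denied, scan_or_explain) are this example's own, and the sample audit records are the ones quoted in comments 3 and 6; the audit(8) raw record format and the oscap/ausearch exit codes and options are assumed as documented for RHEL 7.

```shell
#!/bin/sh
# Added example for bug 1209969 (not from the bug, Red Hat or OpenSCAP):
# reproduce the scan and, on an oscap error, attribute it to an SELinux
# denial of the confined oscap_t scanner domain (the diagnosis in comment 3).
# Hypothetical helper names: avc_denials_for_comm, oscap_domain_denied,
# scan_or_explain. Assumes audit(8) records in the raw format quoted above.

# Print one line per AVC denial of the given comm, read from stdin:
#   <permission> <source type> <target type> <path or name>
avc_denials_for_comm() {
    comm="$1"
    awk -v want="comm=\"$comm\"" '
    /^type=AVC / && index($0, want) {
        perm = ""; src = ""; tgt = ""; obj = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { perm = $(i + 1) }          # "denied  { read }"
            else if (sub(/^scontext=/, "", $i)) { split($i, c, ":"); src = c[3] }
            else if (sub(/^tcontext=/, "", $i)) { split($i, c, ":"); tgt = c[3] }
            else if (sub(/^path=/, "", $i) || (obj == "-" && sub(/^name=/, "", $i))) {
                gsub(/"/, "", $i); obj = $i              # prefer path= over name=
            }
        }
        print perm, src, tgt, obj
    }'
}

# Exit 0 when any parsed denial (stdin) has the confined scanner domain
# oscap_t as its source type.
oscap_domain_denied() {
    awk '$2 == "oscap_t" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Steps 1-3 from the report (the XCCDF and OVAL files already downloaded
# into the current directory), plus triage of an error exit.
scan_or_explain() {
    xccdf="$1"
    rc=0
    oscap xccdf eval --results results.xml --report report.html "$xccdf" || rc=$?
    # oscap xccdf eval: 0 = all rules passed, 2 = some rule failed, 1 = error
    [ "$rc" -eq 1 ] || return "$rc"
    denials=$(ausearch -m AVC -c oscap -ts recent --raw 2>/dev/null |
              avc_denials_for_comm oscap)
    if printf '%s\n' "$denials" | oscap_domain_denied; then
        printf '%s\n' "SELinux denied the confined oscap_t scanner:" "$denials" >&2
        echo "Workaround from comment 3: remove openscap-selinux (do not set permissive)." >&2
    fi
    return "$rc"
}

# Constructed sample: the three AVC records quoted in comments 3 and 6 plus
# the SYSCALL record from comment 6, which the parser must skip.
SAMPLE_AUDIT='type=AVC msg=audit(1428672795.077:70): avc:  denied  { read } for  pid=12363 comm="oscap" name="com.redhat.rhsa-all.xccdf.xml" dev="dm-0" ino=135840547 scontext=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1428672795.077:70): avc:  denied  { open } for  pid=12363 comm="oscap" path="/root/com.redhat.rhsa-all.xccdf.xml" dev="dm-0" ino=135840547 scontext=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1428353905.837:1073): avc:  denied  { getattr } for  pid=18930 comm="oscap" path="/home/rprice/summit2015/com.redhat.rhsa-all.xccdf.xml" dev="sda1" ino=13238727 scontext=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c481,c649 tclass=file
type=SYSCALL msg=audit(1428353905.837:1073): arch=c000003e syscall=4 success=yes exit=0 a0=7fffde118288 a1=7fffde1172d0 a2=7fffde1172d0 a3=7fffde117050 items=0 ppid=18923 pid=18930 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=29 comm="oscap" exe="/usr/bin/oscap" subj=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 key=(null)'

case "${1:-demo}" in
    demo) printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for_comm oscap ;;
    scan) scan_or_explain "$2" ;;
esac
```

Run without arguments to see the three denials parsed from the sample (read and open on admin_home_t, getattr on sandbox_file_t, all from oscap_t); run as `sh triage.sh scan com.redhat.rhsa-all.xccdf.xml` after steps 1 and 2 to perform the real scan. The source type is what matters: a denial whose scontext is oscap_t can only occur when openscap-selinux's policy is loaded and transitions oscap into that domain, which is what `rpm -q openscap-selinux` and `ps -eZ | grep oscap` confirm on an affected host.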
Comment 4 Robin R. Price II 2015-04-10 13:55:55 UTC
I can confirm the AVC messages.

Putting SELinux into permissive resolves the issue.

~rp

Comment 5 Šimon Lukašík 2015-04-10 17:08:46 UTC
Yep, but don't turn selinux off in production. Just keep openscap-selinux out until rhel-7.2.

Thanks for the report, Robin.

Comment 6 Robin R. Price II 2015-04-10 18:03:58 UTC
Simon,

Not a problem.  I'll continue to monitor the bug.  Do you want me to work with the SELinux team around this or do we already have a pretty good idea where the issue is?  

I am having a hard time understanding the errors because your tcontext is admin_home_t while my tcontext is sandbox_file_t.

[...]
type=AVC msg=audit(1428353905.837:1073): avc:  denied  { getattr } for  pid=18930 comm="oscap" path="/home/rprice/summit2015/com.redhat.rhsa-all.xccdf.xml" dev="sda1" ino=13238727 scontext=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c481,c649 tclass=file
type=SYSCALL msg=audit(1428353905.837:1073): arch=c000003e syscall=4 success=yes exit=0 a0=7fffde118288 a1=7fffde1172d0 a2=7fffde1172d0 a3=7fffde117050 items=0 ppid=18923 pid=18930 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=29 comm="oscap" exe="/usr/bin/oscap" subj=unconfined_u:unconfined_r:oscap_t:s0-s0:c0.c1023 key=(null)
[...]


Is this a bug in the oscap.te policy when invoking transitions?

Comment 7 Šimon Lukašík 2015-04-10 18:21:50 UTC
This is a bug in oscap.te. No need for official SELinux involvement. OpenSCAP and SELinux people hang out together. :)

Comment 11 Petr Lautrbach 2015-06-03 08:36:48 UTC
I think that we should not confine the 'oscap' scanner at all. It can read and write files in a lot of different places like /home, /tmp, /usr, and it should probably be confined only by the context of the process which runs it. At the same time, probes could be confined so that they couldn't write to arbitrary files for cases when the scanner runs malicious content.

Mirek, what do you think about it?

Comment 12 Miroslav Grepl 2015-06-15 12:52:22 UTC
I agree.

Comment 13 Šimon Lukašík 2015-06-17 12:03:28 UTC
openscap.git a827637ecbb661d1767236b413c1678d13184df6

Comment 15 Šimon Lukašík 2015-07-06 13:05:19 UTC
*** Bug 1234336 has been marked as a duplicate of this bug. ***

Comment 16 Marek Haicman 2015-09-01 10:24:54 UTC
Verified, regression tests passed as well.

Comment 17 errata-xmlrpc 2015-11-19 12:09:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2356.html