Created attachment 1774101
run-lock-vdo status reported by scap
Description of problem:
When I run the SCAP standard profile xccdf_org.ssgproject.content_profile_standard on RHEL 7 as well as RHEL 8, it triggers the rule xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits on the directory /run/lock/vdo, which is implicitly created during boot.
Screenshot attached.
I also verified on RHEL 8.3 and RHEL 7.6, and there /run/lock/vdo is also missing the sticky bit as recommended by SCAP.
-------
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
$ stat /run/lock/vdo
File: /run/lock/vdo
Size: 60 Blocks: 0 IO Block: 4096 directory
Device: 18h/24d Inode: 205356 Links: 2
Access: (0777/drwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:var_lock_t:s0
Access: 2021-04-15 12:59:11.315884394 +0000
Modify: 2021-03-25 01:38:13.605033991 +0000
Change: 2021-03-25 01:38:13.605033991 +0000
Birth: -
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
$ stat /run/lock/vdo
File: ‘/run/lock/vdo’
Size: 60 Blocks: 0 IO Block: 4096 directory
Device: 14h/20d Inode: 225067 Links: 2
Access: (0777/drwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:var_lock_t:s0
Access: 2021-04-16 07:45:13.296935102 +0000
Modify: 2021-04-15 02:19:47.651891219 +0000
Change: 2021-04-15 02:19:47.651891219 +0000
Birth: -
Version-Release number of selected component (if applicable):
SCAP PROFILE - RHEL8.3
Header of the HTML output of the scap report:
------
Evaluation target li-lc-2624
Benchmark URL /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version 0.1.50
Profile ID xccdf_org.ssgproject.content_profile_ospp
Started at 2021-04-12T16:57:29+00:00
Finished at 2021-04-12T16:57:30+00:00
Performed by vrempet-admin
Test system cpe:/a:redhat:openscap:1.3.3
------
Steps to Reproduce:
The file is created implicitly by the insights-client run every night:
-----------
$ ls -l /run/lock
total 0
-rw-r--r--. 1 root root 0 Apr 16 07:58 kdump
drwxrwxr-x. 2 root lock 40 Apr 16 07:58 lockdev
drwx------. 2 root root 40 Apr 16 07:59 lvm
drwxr-xr-x. 2 root root 120 Apr 16 07:58 subsys
$ ls -l /run/lock/vdo
ls: cannot access /run/lock/vdo: No such file or directory
$ sudo insights-client
Starting to collect Insights data for [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hilti.com
Uploading Insights data.
Successfully uploaded report from [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hilti.com to account 694947.
View details about this system on cloud.redhat.com:
https://cloud.redhat.com/insights/inventory/29fa76b0-48af-40fc-a23a-0ceb3e7524f5
$ ls -l /run/lock/vdo
total 0
-rw-r--r--. 1 root root 0 Apr 16 13:04 _etc_vdoconf.yml.lock
$ sudo grep vdo /var/log/insights-client/insights-client.log
2021-04-16 13:04:25,724 DEBUG insights.util.subproc Executing: [['timeout', '-s', '9', '120', '/usr/bin/vdo', 'status']]
2021-04-16 13:04:32,969 DEBUG insights.client.data_collector Processing /var/tmp/kRwG7w/insights-li-lc-2286.hag.hilti.com-20210416130407/data/insights_commands/vdo_status...
-------------
Reproducer with vdo status:
-------------
$ sudo rm -rf /run/lock/vdo
$ /usr/bin/vdo status
vdo: ERROR - Could not lock file /run/lock/vdo/_etc_vdoconf.yml.lock
$ sudo /usr/bin/vdo status
VDO status:
Date: '2021-04-16 13:06:27+00:00'
Node: li-lc-2286
Kernel module:
Loaded: false
Name: kvdo
Version information:
kvdo version: 6.1.1.125
Configuration:
File: does not exist
Last modified: not available
VDOs: {}
$ ls -l /run/lock/vdo
total 0
-rw-r--r--. 1 root root 0 Apr 16 13:06 _etc_vdoconf.yml.lock
$ ls -ld /run/lock/vdo
drwxr-xr-x. 2 root root 60 Apr 16 13:06 /run/lock/vdo
-------------
But when vdo status is run by insights-client from systemd, it is created with mode 777:
-------------
$ sudo rm -rf /run/lock/vdo
$ sudo systemctl start insights-client
$ ls -ld /run/lock/vdo
ls: cannot access /run/lock/vdo: No such file or directory
$ sudo systemctl status insights-client
● insights-client.service - Insights Client
Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static; vendor preset: disabled)
Active: inactive (dead) since Fri 2021-04-16 13:09:46 UTC; 16s ago
Docs: man:insights-client(8)
Process: 7002 ExecStartPost=/bin/bash -c if [ -d /sys/fs/cgroup/memory ]; then echo 1G > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes; fi (code=exited, status=0/SUCCESS)
Process: 7001 ExecStartPost=/bin/bash -c if [ -d /sys/fs/cgroup/memory ]; then echo 2G > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes; fi (code=exited, status=0/SUCCESS)
Process: 7000 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=0/SUCCESS)
Main PID: 7000 (code=exited, status=0/SUCCESS)
Apr 16 13:08:15 li-lc-2286 systemd[1]: Starting Insights Client...
Apr 16 13:08:15 li-lc-2286 systemd[1]: Started Insights Client.
Apr 16 13:08:25 li-lc-2286 insights-client[7000]: Starting to collect Insights data for [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.ha...lti.com
Apr 16 13:09:44 li-lc-2286 insights-client[7000]: Uploading Insights data.
Apr 16 13:09:45 li-lc-2286 insights-client[7000]: Successfully uploaded report from [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hi...694947.
Apr 16 13:09:46 li-lc-2286 insights-client[7000]: View details about this system on cloud.redhat.com:
Apr 16 13:09:46 li-lc-2286 insights-client[7000]: https://cloud.redhat.com/insights/inventory/29fa76b0-48af-40fc-a23a-0ceb3e7524f5
Hint: Some lines were ellipsized, use -l to show in full.
$ ls -ld /run/lock/vdo
drwxrwxrwx. 2 root root 60 Apr 16 13:08 /run/lock/vdo
-------------
Actual results:
That means it is a bug in the vdo package that it creates the directory world-writable when run from systemd.
Expected results:
It should not create a world-writable directory.
Additional info:
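Added example, not part of this bug report or the vdo package: a small Python script that implements the check behind the SCAP rule that fired (a directory that is world-writable but lacks the sticky bit) and shows how a lock directory can be created with its mode pinned explicitly, so that the umask of the calling context (interactive shell versus systemd service) cannot change the result. The directory names and modes in demo() are constructed to mimic the report.

```python
import os
import stat
import tempfile

# A world-writable directory without the sticky bit lets any local user
# delete or rename another user's lock files in it; this is the condition
# the SCAP rule dir_perms_world_writable_sticky_bits flagged on /run/lock/vdo.
def world_writable_without_sticky(path):
    mode = os.lstat(path).st_mode
    if not stat.S_ISDIR(mode):
        return False
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)

def scan(root):
    """Walk root and return directories that would fail the rule."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if world_writable_without_sticky(p):
                hits.append(p)
    return sorted(hits)

def make_lock_dir(path, mode=0o755):
    """Create a lock directory and pin its mode explicitly.
    The mode given to mkdir is filtered by the caller's umask, which differs
    between a shell and a systemd unit, so chmod afterwards to the intended mode."""
    os.makedirs(path, mode=mode, exist_ok=True)
    os.chmod(path, mode)
    return stat.S_IMODE(os.lstat(path).st_mode)

def demo():
    """Constructed layout: a 0777 dir (the bug), a 1777 dir, and a 0755 dir."""
    root = tempfile.mkdtemp(prefix="lockcheck-")
    for name, mode in (("vdo", 0o777), ("shared", 0o1777), ("lvm", 0o755)):
        p = os.path.join(root, name)
        os.mkdir(p)
        os.chmod(p, mode)
    bad = scan(root)
    # Re-create the offending directory with a fully permissive umask in force;
    # the explicit chmod still yields 0755.
    old = os.umask(0)
    try:
        fixed = make_lock_dir(os.path.join(root, "vdo"))
    finally:
        os.umask(old)
    return [os.path.basename(p) for p in bad], fixed

if __name__ == "__main__":
    print(demo())  # → (['vdo'], 493), i.e. only "vdo" is flagged and 493 == 0o755
```

Run scan("/run/lock") as a quick local check before or after a SCAP evaluation; only 1777 directories such as /tmp are exempt from the rule.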
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (kmod-kvdo bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4359