
Make additional check if selinux is enabled and operational #11510

Conversation

teacup-on-rockingchair
Contributor

Description:

  • Make sure oscap does not crash due to missing selinux in sysfs

Rationale:

  • In case SELinux might be configured but not enabled, i.e. the system has not yet been restarted, or there is a dummy /selinux directory, the oscap tool fails like:
sles-15-sp5:/src/content/build # oscap xccdf eval \
> --profile anssi_bp28_intermediary \
> --rule xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled \
> --results /tmp/results.xml \
> ssg-sle15-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15.xml' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml' file which is referenced from datastream
WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.15.xml file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Configure the polyinstantiation_enabled SELinux Boolean
Rule    xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled
Ident   CCE-91238-6
W: oscap:     Can't receive message: 125, Operation canceled.
E: oscap:     Recv: retry limit (0) reached.
Result  unknown

OpenSCAP Error: Probe at sd=1 (selinuxboolean) reported an error: Invalid type, value or format [/home/abuild/rpmbuild/BUILD/openscap-1.3.6/src/OVAL/oval_probe_ext.c:384]
Unable to receive a message from probe [/home/abuild/rpmbuild/BUILD/openscap-1.3.6/src/OVAL/oval_probe_ext.c:572]
Invalid oval result type: -1. [/home/abuild/rpmbuild/BUILD/openscap-1.3.6/src/OVAL/results/oval_resultTest.c:181]
sles-15-sp5:/src/content/build # ls -al /selinux/
total 0
drwxr-xr-x 1 root root   0 Mar 15  2022 .
drwxr-xr-x 1 root root 176 Jan 15 01:37 ..
  • To prevent the above, an additional check that SELinux exists in sysfs was added, which has the following effect in the same situation:
oscap xccdf eval \
--profile anssi_bp28_intermediary \
--rule xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled \
--results /tmp/results.xml \
/src/content/build/ssg-sle15-ds.xml

WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15.xml' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml' file which is referenced from datastream
WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.15.xml file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Configure the polyinstantiation_enabled SELinux Boolean
Rule    xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled
Ident   CCE-91238-6
Result  notapplicable
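The applicability check the description talks about, written out as an added POSIX shell example (this is not the project's CPE-AL/OVAL code, which lives in the content repository). It treats a bare /selinux or /sys/fs/selinux directory as "not operational" and only reports "applicable" when selinuxfs is actually mounted there and the kernel answers through its enforce node. The function names, the extra /proc/mounts check and the optional path parameters (used so it can be exercised against a constructed directory tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the ComplianceAsCode PR.
# Decide whether SELinux is enabled and operational before evaluating
# sebool rules, so a dummy directory does not make the probe misfire.
#
# Usage: selinux_operational [SELINUXFS_DIR] [MOUNTS_FILE]
#   SELINUXFS_DIR defaults to /sys/fs/selinux, MOUNTS_FILE to /proc/mounts
#   (both overridable so the check can be tested on a constructed tree).
# Returns 0 (true) when SELinux is operational, 1 otherwise.
selinux_operational() {
    sel_root="${1:-/sys/fs/selinux}"
    mounts="${2:-/proc/mounts}"

    # 1. A directory alone proves nothing (cf. the empty /selinux in the
    #    report); selinuxfs must really be mounted at that path.
    #    /proc/mounts lines look like:
    #    "selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0"
    grep -qF "selinuxfs $sel_root selinuxfs " "$mounts" 2>/dev/null || return 1

    # 2. The mounted filesystem must expose the enforce node ...
    [ -r "$sel_root/enforce" ] || return 1

    # 3. ... and the kernel must answer with a sane mode (0 permissive,
    #    1 enforcing); anything else means the policy is not loaded.
    mode=$(cat "$sel_root/enforce" 2>/dev/null) || return 1
    case "$mode" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints the verdict an applicability check would attach to a sebool rule.
selinux_verdict() {
    if selinux_operational "$@"; then
        echo "applicable"
    else
        echo "notapplicable"
    fi
}

# Stand-alone run: report on the current host.
selinux_verdict
```

Run on a host that has only the dummy /selinux directory from the report, the verdict is "notapplicable", which is what the merged check now makes oscap print instead of the probe error.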


codeclimate bot commented Jan 31, 2024

Code Climate has analyzed commit 853fd4e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.3% (0.0% change).


@jan-cerny
Collaborator

/packit retest-failed

@jan-cerny jan-cerny self-assigned this Jan 31, 2024
@jan-cerny jan-cerny added this to the 0.1.73 milestone Jan 31, 2024
@jan-cerny jan-cerny added the CPE-AL CPE Applicability Language label Jan 31, 2024
@jan-cerny jan-cerny left a comment

I have executed Automatus tests for a random sebool rule sebool_mpd_enable_homedirs and I have examined the contents of the ARF results from the scans. The rule is applicable and the file /sys/fs/selinux has been collected.

@jan-cerny jan-cerny merged commit de41892 into ComplianceAsCode:master Jan 31, 2024
40 checks passed
@Mab879 Mab879 added the OVAL OVAL update. Related to the systems assessments. label May 16, 2024