Getting errors running selinux_all_devicefiles_labeled check on RHEL6. I ran testcheck.py, and initially the check was barfing on all of the broken symlinks under /dev/.udev/**. I deleted all of the broken symlinks, but I'm still getting an error on one file (that does not exist)
<system_data> <lin-sys:selinuxsecuritycontext_item id="1255121" status="error"> <message level="error">Can't get context for /dev/fd/6: No such file or directory </message> lin-sys:filepath/dev/fd/6</lin-sys:filepath> lin-sys:path/dev/fd</lin-sys:path> lin-sys:filename6</lin-sys:filename> </lin-sys:selinuxsecuritycontext_item> </system_data>
Regarding the broken symlinks: should the check error out on them? Looking, the problem might occur around if ((ofts = oval_fts_open(path, filename, filepath, behaviors)) != NULL) { in OVAL/probes/unix/linux/selinuxsecuritycontext.c
Regarding the search for the stray file descriptor: the check still errors out when run properly via oscap, as well. Might this be some sort of race condition with the file descriptor being opened by the probe, and disappearing before the check can get to it? I've tried manually creating the symlink for /dev/fd/6 to test, but devfs unfortunately won't let me create it.
Thanks for any ideas,
Jeff
Apologies - SSG master/HEAD, openscap 0.9.3-1
Jeff
On Thu, Oct 24, 2013 at 1:47 PM, Jeff Bachtel < jbachtel@bericotechnologies.com> wrote:
Getting errors running selinux_all_devicefiles_labeled check on RHEL6. I ran testcheck.py, and initially the check was barfing on all of the broken symlinks under /dev/.udev/**. I deleted all of the broken symlinks, but I'm still getting an error on one file (that does not exist)
<system_data> <lin-sys:selinuxsecuritycontext_item id="1255121" status="error"> <message level="error">Can't get context for /dev/fd/6: Nosuch file or directory
</message> <lin-sys:filepath>/dev/fd/6</lin-sys:filepath> <lin-sys:path>/dev/fd</lin-sys:path> <lin-sys:filename>6</lin-sys:filename> </lin-sys:selinuxsecuritycontext_item> </system_data>
Regarding the broken symlinks: should the check error out on them? Looking, the problem might occur around if ((ofts = oval_fts_open(path, filename, filepath, behaviors)) != NULL) { in OVAL/probes/unix/linux/selinuxsecuritycontext.c
Regarding the search for the stray file descriptor: the check still errors out when run properly via oscap, as well. Might this be some sort of race condition with the file descriptor being opened by the probe, and disappearing before the check can get to it? I've tried manually creating the symlink for /dev/fd/6 to test, but devfs unfortunately won't let me create it.
Thanks for any ideas,
Jeff
On 10/24/13, 2:02 PM, Jeff Bachtel wrote:
Apologies - SSG master/HEAD, openscap 0.9.3-1
Jeff
On Thu, Oct 24, 2013 at 1:47 PM, Jeff Bachtel <jbachtel@bericotechnologies.com mailto:jbachtel@bericotechnologies.com> wrote:
Getting errors running selinux_all_devicefiles_labeled check on RHEL6. I ran testcheck.py, and initially the check was barfing on all of the broken symlinks under /dev/.udev/**. I deleted all of the broken symlinks, but I'm still getting an error on one file (that does not exist) <system_data> <lin-sys:selinuxsecuritycontext_item id="1255121" status="error"> <message level="error">Can't get context for /dev/fd/6: No such file or directory </message> <lin-sys:filepath>/dev/fd/6</lin-sys:filepath> <lin-sys:path>/dev/fd</lin-sys:path> <lin-sys:filename>6</lin-sys:filename> </lin-sys:selinuxsecuritycontext_item> </system_data> Regarding the broken symlinks: should the check error out on them? Looking, the problem might occur around if ((ofts = oval_fts_open(path, filename, filepath, behaviors)) != NULL) { in OVAL/probes/unix/linux/selinuxsecuritycontext.c Regarding the search for the stray file descriptor: the check still errors out when run properly via oscap, as well. Might this be some sort of race condition with the file descriptor being opened by the probe, and disappearing before the check can get to it? I've tried manually creating the symlink for /dev/fd/6 to test, but devfs unfortunately won't let me create it. Thanks for any ideas,
It's a known issue, ref https://fedorahosted.org/scap-security-guide/ticket/392
There's much debate about how SCAP (as a protocol) should handle /proc and /dev. We're waiting to see how things square out.
scap-security-guide@lists.fedorahosted.org
-
Jeff Bachtel -
Shawn Wells