On 10/24/13, 2:02 PM, Jeff Bachtel wrote:
Apologies - SSG master/HEAD, openscap 0.9.3-1
Jeff
On Thu, Oct 24, 2013 at 1:47 PM, Jeff Bachtel
<[email protected]
<mailto:[email protected]>> wrote:
Getting errors running selinux_all_devicefiles_labeled check on
RHEL6. I ran testcheck.py, and initially the check was barfing on
all of the broken symlinks under /dev/.udev/**. I deleted all of
the broken symlinks, but I'm still getting an error on one file
(that does not exist)
<system_data>
<lin-sys:selinuxsecuritycontext_item id="1255121"
status="error">
<message level="error">Can't get context for
/dev/fd/6: No such file or directory
</message>
<lin-sys:filepath>/dev/fd/6</lin-sys:filepath>
<lin-sys:path>/dev/fd</lin-sys:path>
<lin-sys:filename>6</lin-sys:filename>
</lin-sys:selinuxsecuritycontext_item>
</system_data>
Regarding the broken symlinks: should the check error out on them?
Looking, the problem might occur around
if ((ofts = oval_fts_open(path, filename,
filepath, behaviors)) != NULL) {
in OVAL/probes/unix/linux/selinuxsecuritycontext.c
Regarding the search for the stray file descriptor: the check
still errors out when run properly via oscap, as well. Might this
be some sort of race condition with the file descriptor being
opened by the probe, and disappearing before the check can get to
it? I've tried manually creating the symlink for /dev/fd/6 to
test, but devfs unfortunately won't let me create it.
Thanks for any ideas,
It's a known issue, ref
https://fedorahosted.org/scap-security-guide/ticket/392
There's much debate about how SCAP (as a protocol) should handle /proc
and /dev. We're waiting to see how things square out.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
