Rules about SELinux booleans are failing in `anaconda-ostree` and `bootc-image-builder` tests

Open evgenyz opened this issue 7 months ago • 1 comments

Description of problem:

Failing rules:

  • sebool_polyinstantiation_enabled
  • sebool_selinuxuser_execstack
  • sebool_selinuxuser_execmod

SCAP Security Guide Version:

95222edc12b4689c6d72115ddc748281427e895e

Operating System Version:

RHEL9, RHEL10

Steps to Reproduce:

  1. Run productization test (e.g. /hardening/container/anaconda-ostree/anssi_bp28_high/sebool_polyinstantiation_enabled)

Actual Results:

Rules are failing.

Expected Results:

No failures.

Additional Information/Debugging Steps:

evgenyz, Jun 09 '25 06:06

I haven't investigated this one, but I think it can be another bug caused by https://github.com/ComplianceAsCode/content/issues/13552 because the setsebool command is located in /usr/sbin which is affected by this openscap issue.

jan-cerny, Jun 16 '25 08:06

This issue has been fixed or worked around by https://github.com/ComplianceAsCode/content/pull/13645. As of 2025-07-14, the issue doesn't appear in daily productization. Also, I can't reproduce it locally using autocontest. I used current upstream master as of HEAD f78aeca318c7ddfd3f941cec021b0b744b6cf7b3. In the HTML report, all 3 rules listed in the description are passing. They pass both on RHEL 9 and 10.

jan-cerny, Jul 14 '25 11:07