
Rule `account_password_selinux_faillock_dir` is failing in `anaconda-ostree` and `bootc-image-builder` tests

Open evgenyz opened this issue 7 months ago • 3 comments

Description of problem:

The rule is failing in Image Mode

SCAP Security Guide Version:

95222edc12b4689c6d72115ddc748281427e895e

Operating System Version:

RHEL10, RHEL9

Steps to Reproduce:

  1. Run productization test (e.g. /hardening/container/anaconda-ostree/stig/account_password_selinux_faillock_dir)

Actual Results:

Rule fails

Expected Results:

No failures

Additional Information/Debugging Steps:

results-arf.zip

evgenyz, Jun 09 '25 07:06

Here is my initial investigation:

The rule account_password_selinux_faillock_dir passed during the image build because there wasn't any faillock directory set in the configuration files. Since the rule passed, the remediation for this rule wasn't executed.

In the verification scan the rule account_password_selinux_faillock_dir failed because there was a faillock dir set in the configuration files: it was set to /var/log/faillock/ and this directory had a wrong SELinux context.

The rule that is responsible for setting a faillock dir in the configuration files is a different rule: accounts_passwords_pam_faillock_dir. This rule failed during the image build and a remediation was executed. From the remediation report we can see that the remediation errored out:

Image

I find these lines suspicious:

/tmp/oscap.1DpIoR/fix-XXMKfnLc: line 124: semanage: command not found
/tmp/oscap.1DpIoR/fix-XXMKfnLc: line 125: restorecon: command not found

I think if these 2 commands were present they would configure the SELinux contexts for /var/log/faillock, and as a consequence the other rule account_password_selinux_faillock_dir would pass.

It's even more suspicious because the remediation installs policycoreutils-python-utils, which provides them.

jan-cerny, Jun 11 '25 07:06

We have discovered that the reason why the remediation can't find the semanage command is that inside the remediation the PATH variable has the value /usr/local/bin:/usr/bin, which doesn't contain /usr/sbin, where the semanage binary is located.

jan-cerny, Jun 11 '25 08:06
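As an added example, not code from the ComplianceAsCode content project or from OpenSCAP, the POSIX sh helper below reproduces the failure mode in the comment above: with PATH=/usr/local/bin:/usr/bin a plain `command -v semanage` fails, so a remediation can resolve the tool through the sbin directories before giving up, and report clearly which tools are missing. The function names and the optional extra-directory arguments are assumptions of this example.

```shell
# Hypothetical helper (not part of the content project or OpenSCAP): resolve a tool
# by name, first via the current PATH, then via the sbin directories that are missing
# when a remediation runs with PATH=/usr/local/bin:/usr/bin. Extra directories may
# be passed after the tool name (used by the test below with a constructed fake tool).
resolve_tool() {
    tool="$1"
    shift
    # Honour PATH first so an administrator's override still wins.
    if found=$(command -v "$tool" 2>/dev/null); then
        printf '%s\n' "$found"
        return 0
    fi
    # Fall back to the standard sbin locations, then any caller-supplied directories.
    for dir in /usr/sbin /sbin /usr/local/sbin "$@"; do
        if [ -x "$dir/$tool" ]; then
            printf '%s\n' "$dir/$tool"
            return 0
        fi
    done
    return 1
}

# Report whether the SELinux tools the faillock remediation calls are reachable.
# Prints "tool -> path" for each resolved tool, names the missing ones on stderr,
# and returns 0 only when both semanage and restorecon were found.
check_selinux_tools() {
    status=0
    for t in semanage restorecon; do
        if p=$(resolve_tool "$t" "$@"); then
            printf '%s -> %s\n' "$t" "$p"
        else
            printf '%s: not found in PATH (%s) or sbin fallbacks\n' "$t" "$PATH" >&2
            status=1
        fi
    done
    return $status
}
```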

This issue is caused by a bug in OpenSCAP and has been reported in OpenSCAP in https://github.com/OpenSCAP/openscap/issues/2242.

jan-cerny, Jun 11 '25 11:06

This issue has been fixed or worked around by https://github.com/ComplianceAsCode/content/pull/13645. As of 2025-07-14, the issue doesn't appear in daily productization. Also, I can't reproduce it locally using autocontest. I used current upstream master as of HEAD https://github.com/ComplianceAsCode/content/commit/f78aeca318c7ddfd3f941cec021b0b744b6cf7b3. In the HTML report the rule account_password_selinux_faillock_dir is passing both on RHEL 9 and 10.

jan-cerny, Jul 14 '25 14:07