[Open-scap] Offline mode scanning

Richard W.M. Jones rjones at redhat.com
Thu May 16 13:02:59 UTC 2013


On Thu, May 16, 2013 at 08:47:48AM -0400, Steve Grubb wrote:
> On Thursday, May 16, 2013 10:37:25 AM Richard W.M. Jones wrote:
> > On Mon, May 13, 2013 at 11:00:53AM -0400, Steve Grubb wrote:
> > > On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
> > > >   for some time now I've been working on a simple solution for scanning
> > > > images of virtual hosts with the OpenSCAP library.
> > > > We've been thinking about this for a time now, but the real work towards
> > > > a solution came after a discussion with Richard W.M. Jones who came with
> > > > two proposals. We've decided to try the simple-but-not-so-robust one
> > > > first -- just use guestmount to mount the virtual host image somewhere
> > > > and chroot() the OpenSCAP probes there.
> > > 
> > > Hmm...what if dependent libraries are missing? For example, suppose
> > > you wanted to scan a rhel4 guest and librpm wasn't at the right
> > > version?
> > 
> > In practice I can tell you that this works OK :-)
> > 
> > There is also another issue which currently affects guestmount (only):
> > It doesn't pass through SELinux labels.  We will fix this upstream at
> > some point, but it requires us to rework the way we use FUSE.
> 
> SELinux labels are just extended attributes. Is there a generic problem of
> passing through xattrs which could affect other things like fs capabilities or
> ACLs?

AIUI it's specific to SELinux and FUSE, and doesn't apply to (other)
extended attributes.

When a filesystem is mounted, SELinux makes filesystem requests
(i.e. during the mount(2)) which traditional FUSE modules aren't
expecting to handle, resulting in a deadlock.  As a result you have to
rewrite your FUSE module to be multi-threaded (and this has larger
implications for the libguestfs FUSE module and is not quite as easy
to fix as it may seem).

If you use the libguestfs API directly then you can read and write
extended attributes and SELinux labels just fine.

The sordid details are here:

https://bugzilla.redhat.com/show_bug.cgi?id=811217
https://bugzilla.redhat.com/show_bug.cgi?id=812798#c42

and the libguestfs bug about this is:

https://bugzilla.redhat.com/show_bug.cgi?id=691389

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
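The message above makes the point that SELinux labels are reachable through the libguestfs API even though guestmount does not pass them through, which matters for any scan that has to check file contexts. The following is an added example (not code from the thread, from libguestfs or from OpenSCAP) of reading the security.selinux xattr of selected files out of a guest disk image with the python3-libguestfs bindings and comparing the type field against an expected table. It assumes the image path is given as the only command-line argument, that the bindings are installed, and that the EXPECTED_TYPES table is an illustrative, constructed list for a Fedora/RHEL-style guest rather than anything taken from a real policy check. The xattr-parsing and comparison helpers are pure Python so they can be exercised without an image or libguestfs.

```python
#!/usr/bin/env python3
"""Read SELinux labels out of a guest disk image via the libguestfs API.

Added example for the thread above; not code from libguestfs or OpenSCAP.
Assumes python3-libguestfs is installed and a disk image path is given on
the command line. The helpers that parse xattrs are pure Python.
"""
import sys

SELINUX_XATTR = "security.selinux"


def xattr_value(xattrs, name):
    """Return the value of xattr `name` from a libguestfs lgetxattrs() result.

    libguestfs returns a list of {'attrname': str, 'attrval': bytes} dicts.
    The SELinux context stored on disk is usually NUL-terminated, so the
    trailing NUL is stripped. Returns None when the attribute is absent.
    """
    for x in xattrs:
        if x["attrname"] == name:
            val = x["attrval"]
            if isinstance(val, bytes):
                val = val.rstrip(b"\0").decode("utf-8", "replace")
            return val.rstrip("\0")
    return None


def selinux_type(context):
    """Extract the type field (third component) from user:role:type:level."""
    if context is None:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def check_labels(label_of, expected):
    """Compare observed labels against expected SELinux types.

    `label_of` is a callable path -> context string (or None when the file
    does not exist or carries no label), so the same logic can be driven by
    libguestfs or by a constructed table. Returns a list of
    (path, expected_type, observed_context) mismatches.
    """
    findings = []
    for path, want_type in expected.items():
        ctx = label_of(path)
        if selinux_type(ctx) != want_type:
            findings.append((path, want_type, ctx))
    return findings


# Constructed, illustrative expectations; adjust to the guest's policy.
EXPECTED_TYPES = {
    "/etc/shadow": "shadow_t",
    "/etc/passwd": "passwd_file_t",
    "/etc/hosts": "net_conf_t",
}


def scan_image(image_path, expected):
    """Open the image read-only, mount the guest's filesystems, check labels."""
    import guestfs  # python3-libguestfs; imported here so the helpers above
    # stay usable without it.
    g = guestfs.GuestFS(python_return_dict=True)
    g.add_drive_opts(image_path, readonly=1)
    g.launch()
    roots = g.inspect_os()
    if not roots:
        raise RuntimeError("no operating system found in %s" % image_path)
    # Mount at the mountpoints inspection found, shortest path ("/") first.
    mps = g.inspect_get_mountpoints(roots[0])
    for mp in sorted(mps, key=len):
        g.mount_ro(mps[mp], mp)

    def label_of(path):
        if not g.exists(path):
            return None
        # lgetxattrs does not follow symlinks, so we see the file's own label.
        return xattr_value(g.lgetxattrs(path), SELINUX_XATTR)

    try:
        return check_labels(label_of, expected)
    finally:
        g.shutdown()
        g.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s DISK_IMAGE" % sys.argv[0])
    for path, want, got in scan_image(sys.argv[1], EXPECTED_TYPES):
        print("%s: expected type %s, found %r" % (path, want, got))
```

Run it as `python3 selinux_labels.py guest.qcow2`; an unlabelled file shows up as a mismatch with `None` as the observed context, which is exactly what a probe chrooted into a guestmount would see for every file until the FUSE label pass-through described above is fixed.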