#226 process58_object doesn't work

[Anonymous]

Hi,
My object looks like this-

<process58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.owasp.oval:obj:1" version="0" comment="Object holds apache2 process info">
<command_line operation="pattern match">.*apache2 .*|.*httpd .*</command_line>
<pid datatype="int" operation="greater than">0</pid>
</process58_object>

While collection of this object is just fine on ovaldi v 5.10, it doesn't work since ovaldi v 5.10.1. I am getting error -

2012-08-05T18:37:00 : DEBUG : Collecting object id: oval:org.owasp.oval:obj:1
2012-08-05T18:37:00 : DEBUG : Error while collecting data for object: oval:org.owasp.oval:obj:1 context_new(unconfined
): Success
2012-08-05T18:37:00 : DEBUG : Collecting object id: oval:org.owasp.oval:obj:2

I am collecting data on Ubuntu 10.04.4 LTS.

Attached is the complete OVAL def. file.

I' can re-produce this on Ubuntu 11 and 12 server also.

Looking at SVN changes, I can see several process related features were added and I think it could be a bug in one of them.

Looking at the error context_new(unconfined) it seems culprit could be somewhere in selinux_domain_label (just a guess)

I will be happy to provide more information. Please contact me on gk@pivotalsecurity.com

Thanks,
Gaurav

[Anonymous]

[Anonymous]

Update:

The issue seems to be in RetrieveSelinuxDomainLabel function. If I comment below lines in src/probes/unix/Process58Probe.cpp

if (!RetrieveSelinuxDomainLabel(pid, &selinuxDomainLabel, &errMsg)) {
item->AppendMessage(new OvalMessage(errMsg, OvalEnum::LEVEL_ERROR));
item->SetStatus(OvalEnum::STATUS_ERROR);
}

Collection works just fine.

[Michael Chisholm]

The actual error comes from src\linux\SecurityContextGuard.h. In the ContextGuard ctor taking a security_context_t, if context_new() returns NULL, the error is thrown. I don't think context_new() should return NULL if it succeeds, but apparently errno is not set, so it gives the "Success" message.

The man page on my rhel5 system for context_new() doesn't make sense. It says on success, 0 is returned. It doesn't say which function this applies to, but all functions on that page either return pointers or void, and surely a NULL pointer can't possibly mean the functions succeeded!

I think context_new() actually allocates memory, which is why you need context_free() to free it, and is why the guard class exists in the first place. NULL is a standard return value for *alloc() functions which allocate memory, so the guard is written to treat NULL return value as an error.

So either I am misunderstanding this part of the selinux API and there is a bug in ovaldi, or an error really did occur, the man page really doesn't make sense, and context_new() is not properly setting errno on errors. The latter seems most likely to me, but if anyone has more info on this, I can incorporate changes into ovaldi.

[Anonymous]

Not sure if this is case, but this seems related - https://bugzilla.redhat.com/show_bug.cgi?id=576499

[Anonymous]

I asked this question on SeLinux mailing list and it is indeed a bug. According to Daniel J Walsh of RedHat, "It is a bug. NULL (0) actually would be the error code. Since context_new is
basically doing a malloc of a new structure."

[Michael Chisholm]

Closing as invalid, since the bug turns out to be in selinux. Ovaldi produces a funny error message ("Success"), but the important thing is that it detects the error and handles it. I'd rather not work around this selinux bug at this point. If fixing the funny error message turns out to be important, perhaps another tracker can be opened, which is aimed directly at changing the error message.