OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

oscap-vm does not work well with user session VMs #862

Closed dahaic closed 4 months ago

dahaic commented 6 years ago

When I try to use oscap-vm on a user session virtual machine, I run into a problem. Without sudo, I get "Operation not permitted" on the chroot command:

[dahaic@dhcp-24-168 lisa]$ oscap-vm image ../../.local/share/libvirt/images/REM_RHEL7.qcow2 oval eval Red_Hat_Enterprise_Linux_7.xml.3
Mounting guestfs image '../../.local/share/libvirt/images/REM_RHEL7.qcow2' to '/tmp/tmp.zGLbRCeDyj'...
FAIL: 296:chroot: 1, Operation not permitted
W: oscap: Can't receive message: 1, Operation not permitted.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
OpenSCAP Error: Unable to close probe sd [oval_probe_ext.c:424]
Unable to receive a message from probe [oval_probe_ext.c:579]
Failed to create a new agent session. [oval_session.c:322]
Unmounting '/tmp/tmp.zGLbRCeDyj'...

And with sudo, libvirt won't permit mounting:

[dahaic@dhcp-24-168 lisa]$ sudo oscap-vm image ../../.local/share/libvirt/images/REM_RHEL7.qcow2 oval eval Red_Hat_Enterprise_Linux_7.xml.3
Mounting guestfs image '../../.local/share/libvirt/images/REM_RHEL7.qcow2' to '/tmp/tmp.JANbVpofnN'...
libguestfs: error: could not create appliance through libvirt.

Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct

Original error from libvirt: Cannot access backing file '/home/dahaic/.local/share/libvirt/images/REM_RHEL7.qcow2' of storage file '/tmp/libguestfsEtLiM5/overlay1' (as uid:107, gid:107): Permission denied [code=38 int1=13]
Failed to mount image '../../.local/share/libvirt/images/REM_RHEL7.qcow2' to '/tmp/tmp.JANbVpofnN'!

markperdue commented 6 years ago

Seeing the same issue when run in a privileged container as a normal user. When run with --user=root --privileged the scan completes without issue. Any updates or workarounds?

SunilAgrawal commented 5 years ago

@markperdue I am facing the same issue. Can you please give the exact command for the workaround? TIA.

abhinavkumar311997 commented 5 years ago

Try opening a sudo shell and typing export LIBGUESTFS_BACKEND=direct, then try running the command.
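A small diagnostic for the second failure in the report (libvirt's qemu process, running as uid 107, denied access to a backing file under the reporter's home directory), written as an added example that is not part of this thread or of openscap: it walks the image path and reports every directory that withholds search permission from other users, which is the usual reason a file under ~ is unreachable for the qemu user when guestfs goes through libvirt. The path and the permission modes are constructed, and it assumes uid 107 is neither owner nor group member of those directories.

```python
import os
import posixpath
import stat

# Constructed example: the image path from the issue report. uid 107 (the
# qemu user in libvirt's error) is assumed to be neither owner nor group
# member of anything on this path, so only the "other" bits are relevant.
IMAGE = "/home/dahaic/.local/share/libvirt/images/REM_RHEL7.qcow2"
FAKE_MODES = {  # constructed; a default 0700 home blocks the traversal
    "/": 0o755,
    "/home": 0o755,
    "/home/dahaic": 0o700,
    "/home/dahaic/.local": 0o755,
    "/home/dahaic/.local/share": 0o755,
    "/home/dahaic/.local/share/libvirt": 0o755,
    "/home/dahaic/.local/share/libvirt/images": 0o755,
    IMAGE: 0o644,
}


def ancestors(path):
    """Directories from / down to the parent of an absolute `path`."""
    chain, d = [], posixpath.dirname(posixpath.normpath(path))
    while d not in chain:  # stops at "/" because dirname("/") == "/"
        chain.append(d)
        d = posixpath.dirname(d)
    return chain[::-1]


def real_mode(path):
    """Permission bits of `path` on the live filesystem."""
    return stat.S_IMODE(os.stat(path).st_mode)


def blocked_dirs(path, mode_of=real_mode):
    """Ancestors withholding search (x) from 'other'; each makes qemu's lookup fail."""
    return [d for d in ancestors(path) if not mode_of(d) & stat.S_IXOTH]


def diagnose(path, mode_of=real_mode):
    """Findings for a foreign uid; an empty list means it can reach and read the image."""
    found = [f"{d} denies search (x) to other users" for d in blocked_dirs(path, mode_of)]
    if not mode_of(path) & stat.S_IROTH:
        found.append(f"{path} is not world-readable")
    return found


if __name__ == "__main__":  # omit mode_of to inspect a real image path on this host
    print(diagnose(IMAGE, FAKE_MODES.__getitem__))
```

With LIBGUESTFS_BACKEND=direct, as suggested in the last comment, libguestfs starts qemu as the invoking user instead of through libvirtd, so these traversal checks no longer apply.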