Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't hard require /var/lib/rpm #2151

Open
cgwalters opened this issue Aug 16, 2024 · 1 comment
Open

Don't hard require /var/lib/rpm #2151

cgwalters opened this issue Aug 16, 2024 · 1 comment

Comments

@cgwalters
Copy link

This code is suboptimal:

openscap/src/OVAL/probes/unix/linux/rpminfo_probe.c

Line 298 in ecf658f

* Fedora >=36 changed the default dbpath in librpm from /var/lib/rpm to /usr/lib/sysimage/rpm

As bootc images won't have that symlink by default because we want /var to start out empty as much as possible.

    * Therefore, when running openscap on a Fedora >=36 system scanning another systems (such as RHEL, SLES, Fedora<36)
   * openscap's librpm will try to read the rpm db from /usr/lib/sysimage/rpm which doesn't exist and therefore won't work.

In general this kind of "cross OS scanning" is going to get into tricky corner cases. It would seem to be more sustainable to simply fork /usr/bin/rpm in the target environment (as a container).

Alternatively, please at least check if /usr/lib/sysimage/rpm exists and set it as the dbpath first. Or, just try a query with the default config and accept that if it returns content.
@cgwalters
Copy link
Author

To be clear we can add that symlink into bootc images, and maybe we'll need to if we keep finding more issues like this...but again on the flip side you are hardcoding to read from a now deprecated path, which would make sense to stop doing.

jan-cerny added a commit to jan-cerny/openscap that referenced this issue Aug 22, 2024
@jan-cerny
Improve rpm database path in RPM probes
7175eb0 
The assumption that /var/lib/rpm is always a symlink to
/usr/lib/sysimage/rpm was wrong. In bootc images, it isn't
the case. As a result, all rules were evaluated as notapplicable
when scanning a bootc image or container.

We will fix it the following way: We will first try if the "new"
location /usr/lib/sysimage/rpm exists, and use it only if it exists.  If
it doesn't exist, we will fall back to the "old" location /var/lib/rpm.

Fixes: https://issues.redhat.com/browse/RHEL-55251
Fixes: OpenSCAP#2151
@jan-cerny jan-cerny mentioned this issue Aug 22, 2024
Merged
jan-cerny added a commit to jan-cerny/openscap that referenced this issue Aug 22, 2024
@jan-cerny
Improve rpm database path in RPM probes
04c731a 
The assumption that /var/lib/rpm is always a symlink to
/usr/lib/sysimage/rpm was wrong. In bootc images, it isn't
the case. As a result, all rules were evaluated as notapplicable
when scanning a bootc image or container.

We will fix it the following way: We will first try if the "new"
location /usr/lib/sysimage/rpm exists, and use it only if it exists.  If
it doesn't exist, we will fall back to the "old" location /var/lib/rpm.

Fixes: https://issues.redhat.com/browse/RHEL-55251
Fixes: OpenSCAP#2151
jan-cerny added a commit to jan-cerny/openscap that referenced this issue Sep 9, 2024
@jan-cerny
Improve rpm database path in RPM probes
5400167 
The assumption that /var/lib/rpm is always a symlink to
/usr/lib/sysimage/rpm was wrong. In bootc images, it isn't
the case. As a result, all rules were evaluated as notapplicable
when scanning a bootc image or container.

We will fix it the following way: We will first try if the "new"
location /usr/lib/sysimage/rpm exists, and use it only if it exists.  If
it doesn't exist, we will fall back to the "old" location /var/lib/rpm.

Fixes: https://issues.redhat.com/browse/RHEL-55251
Fixes: OpenSCAP#2151
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cgwalters