mount_option_nodev_nonroot_local_partitions: ignore vfat partitions

[vojtapolasek]

Description:

• Modify rule mount_option_nodev_nonroot_local_partitions to exclude vfat partitions from the nodev check and remediation. The vfat file system does not support Unix device special files, so enforcing nodev on vfat partitions is not meaningful.
• Align the OVAL check, Bash remediation, and Ansible remediation to consistently exclude /boot and /efi partitions in addition to the existing root partition exclusion.
• Add a warning block to rule.yml documenting which partitions are excluded and why.
• Add a new test scenario (vfat_without_nodev.pass.sh) that verifies a vfat partition without nodev is correctly ignored by the rule.

Rationale:

• vfat does not support Unix device special files, so the nodev mount option has no security benefit on vfat partitions. Flagging them as non-compliant produces false positives. The /boot and /efi exclusions were already partially implemented but were inconsistent across check and remediation types; this change aligns all three.

• fixes mount_option_nodev_nonroot_local_partitions makes UEFI systems unbootable #14117

Review Hints:

• Affected products: rhel8, rhel9, rhel10, sle12, sle15. Build with: ./build_product --datastream-only rhel9
• Test with:

  ./tests/automatus.py rule --libvirt qemu:///system rhel9 --datastream build/ssg-rhel9-ds.xml mount_option_nodev_nonroot_local_partitions
  

• Key files to review:
  • linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml — OVAL check updated to exclude vfat and /boot|/efi
  • linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh — Bash remediation updated with vfat exclusion and /boot|/efi skip
  • linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml — Ansible remediation updated with vfat in excluded fstypes and /boot|/efi filter
  • linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh — New test scenario
• All changes are in a single commit, so reviewing as one unit is straightforward. Pay particular attention to the regex changes in OVAL, Ansible, and Bash to verify they correctly match the intended partitions.

[Mab879]

/packit retest-failed
/retest

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions'.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -12,18 +12,6 @@
 
     any non-root local partitions.
 
-[warning]:
-This rule checks only local partitions, identified as those backed by
-a device node in /dev. Network file systems such as NFS, CIFS,
-GlusterFS and others are excluded because they do not expose local
-device nodes. The /boot and /efi partitions are
-excluded because they are special partitions usually handled by a
-systemd mount unit, and enforcing nodev on them during
-operating system installation causes issues. Partitions with the
-vfat file system type are excluded because vfat does not
-support Unix device special files, so nodev enforcement on
-them is not meaningful.
-
 [reference]:
 11
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -31,7 +31,6 @@
     lustre
     davfs
     fuse.sshfs
-    vfat
 )
 
 for partition_record in "${partitions_records[@]}"; do
@@ -39,11 +38,6 @@
     mount_point="$(echo "${partition_record}" | cut -d " " -f1)"
     device="$(echo "${partition_record}" | cut -d " " -f2)"
     device_type="$(echo "${partition_record}" | cut -d " " -f3)"
-
-    # Skip /boot and /efi partitions
-    if [[ "$mount_point" =~ ^/(boot|efi) ]]; then
-        continue
-    fi
 
     # Skip polyinstantiated directories
     if printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then
@@ -86,8 +80,8 @@
     fi
 done
 
-# Remediate unmounted /etc/fstab entries, excluding /boot, /efi, and vfat partitions
-sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/\w\S*\s+vfat\s/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; } }' /etc/fstab
+# Remediate unmounted /etc/fstab entries
+sed -i -E '/nodev/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5;' /etc/fstab
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -64,7 +64,6 @@
     - lustre
     - davfs
     - fuse.sshfs
-    - vfat
   when: ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
     and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
     and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
@@ -99,7 +98,6 @@
     and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
     ["docker", "lxc", "openvz", "podman", "container"] ) )
   - item.mount is match('/\w')
-  - item.mount is not match('/(boot|efi)')
   - item.options is not search('nodev')
   - item.fstype not in excluded_fstypes
   with_items:
@@ -124,7 +122,7 @@
     are present with nodev option in /etc/fstab'
   ansible.builtin.replace:
     path: /etc/fstab
-    regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
+    regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
     replace: \1 \2 \3 \4,nodev \5
   when: ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
     and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages

[vojtapolasek]

I think automatus test failures are expected, containers are not good at working with partitions.

[vojtapolasek]

/packit build

[vojtapolasek]

/retest