KiCs scanner VS Code integration with SE Linux results in the scan failing & SE Linux alert
The output suggests a volume (the target object in the SELinux troubleshooting report has a different name each time) is mounted without the context flag (:z or :Z), and thus the scanner is unable to save the result.
[INFO - 4:14:37 pm] Checkmarx plugin is running
[INFO - 4:14:37 pm] Initializing severity filters
[INFO - 4:14:37 pm] Git Extension - Add branch.
[INFO - 4:14:37 pm] GIT API - Open repository
[INFO - 4:14:38 pm] GIT API - Open repository
[INFO - 4:14:38 pm] Data refreshed and synced with AST platform
[INFO - 4:14:39 pm] Initializing state filters
[INFO - 4:14:39 pm] Initializing group by selections
[INFO - 4:14:39 pm] Filters initialized
[INFO - 4:36:18 pm] Opened a supported file by KICS. Starting KICS scan
[ERROR - 4:36:22 pm] Error: Check container engine state. Failed: exit status 126
[INFO - 4:38:10 pm] File saved updating KICS results
[ERROR - 4:38:14 pm] Error: Check container engine state. Failed: exit status 126
[INFO - 4:39:10 pm] File saved updating KICS results
[ERROR - 4:39:13 pm] Error: Check container engine state. Failed: exit status 126
SELinux is preventing kics from write access on the directory kics2005771008.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that kics should be allowed write access on the kics2005771008 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'kics' --raw | audit2allow -M my-kics
# semodule -X 300 -i my-kics.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c66,c81
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects kics2005771008 [ dir ]
Source kics
Source Path kics
Port <Unknown>
Host XXXXX
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch
Local Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name XXXXXXX
Platform Linux XXXXX 6.0.12-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 8 16:58:47 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-12-21 18:23:57 AEDT
Last Seen 2022-12-21 18:23:57 AEDT
Local ID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Raw Audit Messages
type=AVC msg=audit(1671607437.973:2608): avc: denied { write } for pid=623252 comm="kics" name="kics2005771008" dev="tmpfs" ino=50785 scontext=system_u:system_r:container_t:s0:c66,c81 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
Hash: kics,container_t,user_tmp_t,dir,write
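Added example (not part of this report or of the KICS extension): a small Python triage helper that parses raw AVC records like the one above and flags a container_t process denied write on a directory that is not labelled container_file_t, which is the signature of a bind mount run without the :z/:Z relabel option. The audit text below is constructed from the denial in this report plus one unrelated record; the classification rule and the function names are assumptions for illustration.

```python
import re

# An AVC record: "avc: denied { perms } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the denial from this report plus an unrelated httpd record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1671607437.973:2608): avc: denied { write } for pid=623252 comm="kics" name="kics2005771008" dev="tmpfs" ino=50785 scontext=system_u:system_r:container_t:s0:c66,c81 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1671607500.100:2610): avc: denied { read } for pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""


def parse_avc(line):
    """Return the AVC key=value fields plus denied perms and the SELinux types, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    avc['perms'] = m.group('perms').split()
    # user:role:type:level -> the type is what the targeted policy matches on.
    avc['stype'] = avc['scontext'].split(':')[2]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc


def classify(avc):
    """Heuristic (assumption): a confined container touching a dir the container
    policy does not own is a volume that was mounted without :z/:Z."""
    if avc['stype'] == 'container_t' and avc['tclass'] == 'dir' \
            and avc['ttype'] != 'container_file_t':
        return 'unlabelled-volume'
    return 'other'


def find_unlabelled_volume_denials(audit_text):
    """Return (comm, dir name, host label, perms) for each unlabelled-volume denial."""
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and classify(avc) == 'unlabelled-volume':
            hits.append((avc['comm'], avc['name'], avc['ttype'], avc['perms']))
    return hits


if __name__ == '__main__':
    for comm, name, label, perms in find_unlabelled_volume_denials(SAMPLE_AUDIT):
        print(f"{comm}: {perms} on {name} ({label}); relabel the mount with :z/:Z "
              f"instead of loading an audit2allow module")
```

Feed it `ausearch -m AVC --raw` output to separate these mount-labelling denials from ones that genuinely need a policy change.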