Bug 1970384
Summary: | Cannot accept Licence due to USB keyboard and mouse being blocked | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> | ||||
Component: | usbguard | Assignee: | Zoltan Fridrich <zfridric> | ||||
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 8.4 | CC: | dapospis | ||||
Target Milestone: | rc | Keywords: | Triaged | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2021-09-03 08:50:12 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Renaud Métrich
2021-06-10 12:01:57 UTC
Created attachment 1789818 [details]
Wizard not clickable (pointer doesn't change into a "hand")
It is expected and documented in the usbguard that the policy is empty at the beginning. I would say that STIG profile should define some initial policy as it should basically implement the installation process which consists of the policy initialization. Well even without STIG the issue will be present, assuming usbguard is enabled at installation time, so something has to be done. The keyboard/mouse won't work. Hello, openscap content contains following rule that should allow the devices. https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml But somehow this rule is not part of the profile... In case we would like to have it enabled at install time as a part of some install group we may consider an RFE. But specifically this issue would be for SCAP and the respective profile. I filed BZ #1970481 for the STIG profile part, but still I believe as soon as usbguard is installed (through specifying in the kickstart for example), the rule should be there. In terms of a kickstart, there's the '%post' section which can be used exactly for this purpose (do some initialization). So if they customize the installation they should do it fully, not just half of it. Yes sure, I'll create a KCS for this, but in the Interactive Installation case, you're dead ... I'm more concerned about the interactive installation which would select usbguard installation. See also BZ #1972062 The usbguard service is disabled by default (systemd service) so unless it is explicitly enabled it should not block anything. *** Bug 1972062 has been marked as a duplicate of this bug. *** Usbguard behaves as intended in this regard. The user should configure and create a policy first before turning on the usbguard daemon (which is turned off by default). If a usbguard daemon is turned on unconfigured then it correctly blocks all USB devices. This issue has already been resolved elsewhere rhbz#1970481 Closing this issue as won't fix. |