Bug 2075508

Summary: [RFE] Check CPE applicabilities during annaconda plugin run
Product: Red Hat Enterprise Linux 8 Reporter: Ales Musil <amusil>
Component: oscap-anaconda-addonAssignee: Matěj Týč <matyc>
Status: CLOSED MIGRATED QA Contact: Release Test Team <release-test-team-automation>
Severity: low Docs Contact: Mirek Jahoda <mjahoda>
Priority: unspecified    
Version: 8.6CC: matyc, mhaicman, mjahoda, mperina, wsato
Target Milestone: rcKeywords: FutureFeature, MigratedToJIRA, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
.RHV hypervisor may not work correctly when hardening the system during installation When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work around the problem, install the RHV-H system without applying any profile hardening, and after the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV hypervisor works correctly.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-30 16:56:43 UTC Type: Story
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ales Musil 2022-04-14 11:51:53 UTC
Description of problem:
scap-security-guide has a check for ovirt-host or ovirt-engine package,
this prevents some packages, that RHV depends on, being removed. 
However this check does not seem to work in the plugin. In RHVH,
which is image distributed by RHV, the packages are still deleted
dispite ovirt-host being installed in that image.

Comment 9 Watson Yuuma Sato 2022-04-22 17:24:20 UTC
@amusil Hi, could you clarify what are the packages that are being removed by the STIG profile?

I did a manual install using `RHVH-4.5-20220411.0-RHVH-x86_64-dvd1.iso` with data stream from 8.6 and a data stream with a possible fix, and the only difference I see is that the installation with the fix has krb5-workstation installed.
Both installs have tuned, gssproxy installed, and both installs miss x11 packages (xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils).

Comment 10 Ales Musil 2022-04-25 05:10:06 UTC
(In reply to Watson Yuuma Sato from comment #9)
> @amusil Hi, could you clarify what are the packages that are
> being removed by the STIG profile?
> 
> I did a manual install using `RHVH-4.5-20220411.0-RHVH-x86_64-dvd1.iso` with
> data stream from 8.6 and a data stream with a possible fix, and the only
> difference I see is that the installation with the fix has krb5-workstation
> installed.
> Both installs have tuned, gssproxy installed, and both installs miss x11
> packages (xorg-x11-server-Xorg, xorg-x11-server-common,
> xorg-x11-server-utils).

The krb5-workstation is the issue, because of the dependency chain it removes
ovirt-host in the end, which means whole installation of RHV.

Comment 11 Watson Yuuma Sato 2022-04-26 09:08:16 UTC
We talked with Ales and just commenting for the record.

I did a few manual installs again using 'RHVH-4.5-20220411.0-RHVH-x86_64-dvd1.iso' and I cannot reproduce the issue any more.
Ales will do some more testing.

Comment 23 RHEL Program Management 2023-08-30 15:37:35 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 24 RHEL Program Management 2023-08-30 16:56:43 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.

Users watching this BZ may not be automatically added to the Jira ticket.  Be sure to add yourself to the Watchers field in the Jira issue if you desire to continue following this issue.