Bug 2075508

Summary: [RFE] Check CPE applicabilities during annaconda plugin run
Product: Red Hat Enterprise Linux 8 Reporter: Ales Musil <amusil>
Component: oscap-anaconda-addonAssignee: Matěj Týč <matyc>
Status: NEW --- QA Contact: Release Test Team <release-test-team>
Severity: low Docs Contact: Mirek Jahoda <mjahoda>
Priority: unspecified    
Version: 8.6CC: lmanasko, matyc, mhaicman, mjahoda, mperina, wsato
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
.RHV hypervisor may not work correctly when hardening the system during installation When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work around the problem, install the RHV-H system without applying any profile hardening, and after the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV hypervisor works correctly.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ales Musil 2022-04-14 11:51:53 UTC 
Description of problem:
scap-security-guide has a check for ovirt-host or ovirt-engine package,
this prevents some packages, that RHV depends on, being removed. 
However this check does not seem to work in the plugin. In RHVH,
which is image distributed by RHV, the packages are still deleted
dispite ovirt-host being installed in that image.
Comment 9 Watson Yuuma Sato 2022-04-22 17:24:20 UTC 
@amusil Hi, could you clarify what are the packages that are being removed by the STIG profile?

I did a manual install using `RHVH-4.5-20220411.0-RHVH-x86_64-dvd1.iso` with data stream from 8.6 and a data stream with a possible fix, and the only difference I see is that the installation with the fix has krb5-workstation installed.
Both installs have tuned, gssproxy installed, and both installs miss x11 packages (xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils).
Comment 10 Ales Musil 2022-04-25 05:10:06 UTC 
(In reply to Watson Yuuma Sato from comment #9)
> @amusil Hi, could you clarify what are the packages that are
> being removed by the STIG profile?
> 
> I did a manual install using `RHVH-4.5-20220411.0-RHVH-x86_64-dvd1.iso` with
> data stream from 8.6 and a data stream with a possible fix, and the only
> difference I see is that the installation with the fix has krb5-workstation
> installed.
> Both installs have tuned, gssproxy installed, and both installs miss x11
> packages (xorg-x11-server-Xorg, xorg-x11-server-common,
> xorg-x11-server-utils).

The krb5-workstation is the issue, because of the dependency chain it removes
ovirt-host in the end, which means whole installation of RHV.
Comment 11 Watson Yuuma Sato 2022-04-26 09:08:16 UTC 
We talked with Ales and just commenting for the record.

I did a few manual installs again using 'RHVH-4.5-20220411.0-RHVH-x86_64-dvd1.iso' and I cannot reproduce the issue any more.
Ales will do some more testing.