Bug 2130182

Summary: Login issues after anssi profile remediation with image-builder images
Product: Red Hat Enterprise Linux 8 Reporter: Evgeny Kolesnikov <ekolesni>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: MODIFIED --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.7CC: ggasparb, jcerny, jjaburek, matyc, mhaicman, mlysonek, wsato
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://github.com/ComplianceAsCode/content/issues/9536
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2023-08-14   

Description Evgeny Kolesnikov 2022-09-27 12:34:27 UTC 
Description of problem:
I am unable to login to a system that has been built with image-builder and remediated using the anssi enhanced profile, the anssi high profile or the anssi intermediary profile - all three profiles produce the same selinux error.

Version-Release number of selected component (if applicable):
0.1.63

How reproducible:


Steps to Reproduce:
1. using osbuild-composer to build an image on-prem, create a blueprint with the following customizations:

[customizations.openscap]
profile_id = "bp28_enhanced"  # or bp28_high or bp28_intermediary
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

2. Once the image has been built, boot it up and attempt login

Actual results:
User is unable to log into the system

Expected results:
User is able to log into the system

Additional info:
The session starts and the user is logged out with the message: Cannot make/remove an entry for the specified session

Upstream issue: https://github.com/ComplianceAsCode/content/issues/9536
Comment 2 Evgeny Kolesnikov 2023-04-25 10:29:12 UTC 
We modified the CaC content in a way that it won't try to
enable polyinstantiated directories. It requires
a certain state of selinux booleans and we can't change
these values in the IB pipeline.

https://github.com/ComplianceAsCode/content/pull/10117