Bug 1570956 - Selecting "Standard System Security Profile" during install fails
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide (Show other bugs)
Priority: medium
Severity: high
Assigned To: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
Keywords: Regression
Duplicates: 1525251
Reported: 2018-04-23 16:19 EDT by Kyle Walker
Modified: 2018-08-01 19:28 EDT

Fixed In Version: scap-security-guide-0.1.40-2.el7
Type: Bug

External Trackers: Red Hat Knowledge Base (Solution) 3421631, last updated 2018-04-23 17:07 EDT
Description Kyle Walker 2018-04-23 16:19:48 EDT
Description of problem:
  Selecting "Standard System Security Profile" during install fails with the following error:

    /dev/shm must be on a separate partition or logical volume

The Anaconda installer is calling the following when applying this profile within the "SECURITY POLICY" spoke:

    # oscap xccdf generate fix --template=urn:redhat:anaconda:pre --profile=xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Version-Release number of selected component (if applicable):
  7.5 Binary DVD Installation Media

How reproducible:

Steps to Reproduce:
1. Begin an installation using the 7.5 Binary DVD media
2. Leave all options to their default
3. Select the "SECURITY POLICY" menu option
4. Select "Standard System Security Profile" from the menu presented
5. Click the "Select profile" button

Actual results:
  The "Changes that were done or need to be done:" field returns

    /dev/shm must be on a separate partition or logical volume

Expected results:
  No error returned. Especially not an error related to the /dev/shm interface. This is not a configured mount point, but is created/mounted by systemd internals.


Additional info:
  The exact error being returned by oscap, and is translated by the installer, is the following:

[anaconda root@unused /]# oscap xccdf generate fix --template=urn:redhat:anaconda:pre --profile=xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

part /dev/shm --mountoptions="nodev"

part /dev/shm --mountoptions="nosuid"
Comment 5 Watson Yuuma Sato 2018-04-24 07:23:18 EDT
Hello, thank you for the detailed report.

Indeed, SSG generates Anaconda remediations for mount_options rules regarding mount point /dev/shm. And as mentioned, /dev/shm is mounted during boot, and it cannot be remediated during install time.

Fix is to stop generating Anaconda remediations for mount_options rules for mount points in /dev/shm.
Comment 7 Anssi Johansson 2018-05-02 21:12:23 EDT
As far as I can see, the "C2S for Red Hat Enterprise Linux 7" profile is also affected by this.
Comment 8 Chadd Toppings 2018-07-25 15:58:36 EDT
Are there any steps available as a workaround to apply security profiles when performing the initial RHEL 7.5 OS install?
Comment 9 Watson Yuuma Sato 2018-07-26 07:39:19 EDT
Hello Chadd,

It may not be easy to work around this.
One way I see is to make a customization that unselects the "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" and "nodev" rules, merge the customization into the datastream, and feed it through the network to oscap-anaconda-addon. More details here: https://bugzilla.redhat.com/show_bug.cgi?id=1479008#c7
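The customization described in the comment above is an XCCDF 1.2 tailoring file that extends the standard profile and unselects the two /dev/shm mount-option rules. The script below is an added example, not part of this bug or of scap-security-guide; it assumes the element layout SCAP Workbench emits for tailoring files, and the nodev rule id is assumed by analogy with the nosuid id named in the comment.

```python
"""Build an XCCDF 1.2 tailoring that unselects the /dev/shm mount-option rules
from the 'standard' profile, so the Anaconda pre-snippet no longer carries the
'part /dev/shm' lines the installer cannot apply (Bug 1570956 workaround)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", XCCDF_NS)

DS_PATH = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_standard"
# Rules whose Anaconda remediation cannot be applied at install time:
# /dev/shm is mounted by systemd, not defined as a partition.
# The nodev id is assumed by analogy with the nosuid id from the comment.
DEV_SHM_RULES = (
    "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid",
    "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev",
)


def q(tag):
    """Qualify an element name with the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def build_tailoring(base_profile=BASE_PROFILE, unselect=DEV_SHM_RULES,
                    benchmark_href=DS_PATH, suffix="_no_dev_shm"):
    """Return the tailoring document as UTF-8 bytes."""
    root = ET.Element(q("Tailoring"), id="xccdf_org.example_tailoring_default")
    ET.SubElement(root, q("benchmark"), href=benchmark_href)
    ver = ET.SubElement(root, q("version"),
                        time=datetime.now(timezone.utc).isoformat())
    ver.text = "1"
    prof = ET.SubElement(root, q("Profile"), id=base_profile + suffix,
                         extends=base_profile)
    ET.SubElement(prof, q("title")).text = \
        "Standard profile without /dev/shm mount-option rules"
    ET.SubElement(prof, q("description")).text = "Workaround for Bug 1570956."
    for rule in unselect:  # selected="false" overrides the base profile
        ET.SubElement(prof, q("select"), idref=rule, selected="false")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def unselected_rules(tailoring_bytes):
    """Parse a tailoring document and list the rule ids it unselects."""
    root = ET.fromstring(tailoring_bytes)
    return [s.get("idref") for s in root.iter(q("select"))
            if s.get("selected") == "false"]


if __name__ == "__main__":
    with open("ssg-rhel7-ds-tailoring.xml", "wb") as f:
        f.write(build_tailoring())
```

Handing the resulting file to oscap-anaconda-addon follows the procedure linked in the comment; the generated profile id is the base id with the suffix appended.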
Comment 10 Watson Yuuma Sato 2018-07-26 07:40:49 EDT
Last two commits of PR https://github.com/OpenSCAP/scap-security-guide/pull/3162 should fix this issue.
Comment 12 Watson Yuuma Sato 2018-08-01 08:34:55 EDT
*** Bug 1525251 has been marked as a duplicate of this bug. ***
