Description Gabriel Gaspar Becker
2019-06-12 13:15:00 UTC
Description of problem:
When running a fresh installation of RHEL7.7 (RHEL-7.7-20190606.n.0) and selecting OSPP profile in Security Policy section, the rule configure_opensc_nss_db fails to remediate and the rule state produced is "error".
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.43-12.el7.noarch.rpm
How reproducible:
100%
Steps to Reproduce:
1. Run fresh installation of RHEL7.7
2. Select OSPP profile in Security Policy section
3. Evaluate the HTML report and check that configure_opensc_nss_db rule has the status as "error"
Steps to Reproduce 2:
1. oscap xccdf eval --remediate --profile ospp --rule xccdf_org.ssgproject.content_rule_configure_opensc_nss_db /usr/share/xml/scap/ssg/ssg-rhel7-ds.xml
Actual results:
configure_opensc_nss_db errors
Expected results:
configure_opensc_nss_db passes
Additional info:
This is being caused due to some user interaction needed in the pkcs11-switch software used within the bash remediation. Recently the `modutil` utility which is executed by pkcs11-switch changed the behavior and asks the user to confirm the operation of changing the pkcs11 backend. This can be solved by simulating the pressing of the `enter` key, although it would be better if pkcs11-switch forces modutil to apply the configuration without user interaction (`modutil` --force).
Gabriel, from the bug report, I would assume that the issue is actually on the pkcs11-switch side. What are your expectations? Can you move it to the right component?
Comment 4 Gabriel Gaspar Becker
2019-08-23 13:33:31 UTC
I'm changing component to opensc as pkcs11-switch is part of it.
As stated in comment 3, this bug is about requesting that pkcs11-switch switch the behavior to force "modutil" to apply the settings; otherwise user interaction is needed, and it might block automation in other components, e.g. scap-security-guide.
$rpm -qa opensc
opensc-0.19.0-3.el7.x86_64
------------------------------->8--------------------------------
$pkcs11-switch coolkey
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
------------------------------->8--------------------------------
This does not look like a bug qualifying for RHEL 7.8 errata (not a critical security issue) so I do not think we will be able to change this now in opensc.
If it is easier to do the change in scap-security-guide, the script really consists of a few calls to modutil, which can be used with the appropriate flags which you are interested in.
Comment 6 Gabriel Gaspar Becker
2019-08-29 07:59:23 UTC
Ok, I understand your point. But do you consider it a valid bug to be fixed in RHEL 7.9, or do you see it as most likely closed as won't fix?
I think this initially worked fine unattended, but some change in nss probably requires interactivity now. There are no other bugs for OpenSC planned for RHEL 7.9, so let's close this. We do not have this problem in RHEL8.
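
One way to do what the thread suggests, calling modutil directly with its non-interactive flag so that no prompt can block an unattended remediation. This is an added example, not code from scap-security-guide or opensc. The NSS database path, the library path and both module names are assumptions; confirm them with `modutil -list` on the target system.

```shell
#!/bin/sh
# Assumed defaults (not taken from the bug report); override via environment.
NSSDB="${NSSDB:-/etc/pki/nssdb}"
OPENSC_LIB="${OPENSC_LIB:-/usr/lib64/pkcs11/opensc-pkcs11.so}"
OLD_MODULE="${OLD_MODULE:-CoolKey PKCS #11 Module}"   # assumed module name
NEW_MODULE="${NEW_MODULE:-OpenSC PKCS #11 Module}"    # assumed module name

# True if a module with this name is already listed in the NSS database.
# Listing is read-only and does not prompt; stdin is closed anyway.
module_registered() {
    modutil -dbdir "$NSSDB" -list </dev/null 2>/dev/null | grep -Fq "$1"
}

# Remove a module only if present. modutil spells the flag "-force"
# (single dash); it disables the "browser is running" confirmation.
remove_module() {
    module_registered "$1" || return 0
    modutil -dbdir "$NSSDB" -delete "$1" -force </dev/null
}

# Register a module only if absent, so repeated runs change nothing.
register_module() {
    if module_registered "$1"; then
        return 0
    fi
    modutil -dbdir "$NSSDB" -add "$1" -libfile "$2" -force </dev/null
}

# Unattended equivalent of switching the PKCS #11 backend to OpenSC.
# Redirecting stdin from /dev/null means an unexpected prompt hits EOF
# instead of waiting for a key press during remediation.
switch_to_opensc() {
    remove_module "$OLD_MODULE" &&
    register_module "$NEW_MODULE" "$OPENSC_LIB"
}
```

Call `switch_to_opensc` as root from the remediation; a non-zero return means modutil refused the change and the rule should be reported as failed rather than left hanging.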