Bug 1787156 - When using the "Protection Profile for General Purpose Operating Systems" profile, remove the "Server with GUI" option or add a warning that the install will fail
Summary: When using the "Protection Profile for General Purpose Operating Systems" pr...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 8.2
Hardware: All
OS: Linux
Target Milestone: rc
: 8.0
Assignee: Matěj Týč
QA Contact: Release Test Team
Jan Fiala
Depends On: 1839769
Reported: 2019-12-31 15:56 UTC by jcastran
Modified: 2023-12-15 17:08 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.OSPP-based profiles are incompatible with GUI package groups. `GNOME` packages installed by the _Server with GUI_ package group require the `nfs-utils` package that is not compliant with the Operating System Protection Profile (OSPP). As a consequence, when you select the _Server with GUI_ package group during the installation of a system with OSPP or OSPP-based profiles, for example, Security Technical Implementation Guide (STIG), OpenSCAP displays a warning that the selected package group is not compatible with the security policy. If the OSPP-based profile is applied after the installation, the system is not bootable. To work around this problem, do not install the _Server with GUI_ package group or any other groups that install GUI when using the OSPP profile and OSPP-based profiles. When you use the _Server_ or _Minimal Install_ package groups instead, the system installs without issues and works correctly.
Clone Of:
Last Closed: 2020-11-04 03:46:16 UTC
Type: Bug
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 4706581 | 0 | None | None | None | 2019-12-31 15:56:16 UTC

Description jcastran 2019-12-31 15:56:17 UTC
Description of problem:
The security profile "Protection Profile for General Purpose Operating Systems" excludes nfs-utils, which prevents Server with GUI from being installed.

Version-Release number of selected component (if applicable):
RHEL 8.1

How reproducible:

Steps to Reproduce:
1. Apply "Protection Profile for General Purpose Operating Systems"
2. Select Server with GUI

Actual results:
Installation fails with:

 Problem: package libvirt-daemon-kvm-4.5.0-35.module+el8.1.0+4227+b2722cb3.x86_64 requires libvirt-daemon-driver-qemu = 4.5.0-35.module+el8.1.0+4227+b2722cb3, but none of the providers can be installed
  - package libvirt-daemon-driver-qemu-4.5.0-35.module+el8.1.0+4227+b2722cb3.x86_64 requires libvirt-daemon-driver-storage-core = 4.5.0-35.module+el8.1.0+4227+b2722cb3, but none of the providers can be installed
  - package gnome-boxes-3.28.5-7.el8.x86_64 requires libvirt-daemon-kvm, but none of the providers can be installed
  - package libvirt-daemon-driver-storage-core-4.5.0-35.module+el8.1.0+4227+b2722cb3.x86_64 requires nfs-utils, but none of the providers can be installed
  - conflicting requests
  - package nfs-utils-1:2.3.3-26.el8.x86_64 is excluded

Expected results:
Either a clear warning that the Server with GUI cannot be installed
Or remove the option to select it altogether

Additional info:

Comment 1 Jiri Konecny 2020-01-02 11:26:57 UTC
This seems like an OSCAP Anaconda addon option. Switching to OSCAP for further triage.

Comment 2 Marek Haicman 2020-01-03 11:24:40 UTC
We made a preliminary analysis:
As OSCAP Anaconda Addon allows custom content to be used, there is no simple way of testing it before release, and ensuring there's no conflict. Let's assume the environments do not have conflicts within themselves, and that is tested before the release. That means if a conflict arises, it's most likely because of restrictions imposed by the selected Security policy. Therefore, there are some approaches to making this issue less painful for the users:

* Document somewhere within OAA, when packages are being removed, that there is a risk the installation will fail due to the conflict. We cannot specify which environments will fail, so the warning would have to be shown every time.
** An option might be added to mark "risky" packages, or in reverse, mark packages that are not likely to cause conflicts, to make the information more targeted
* Have environment restrictions part of the profile description (won't cover custom content)
* Look into the requirement, and challenge the need to force removal of nfs-utils
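
Added example, not part of the original comments and not code from oscap-anaconda-addon: it parses the solver output quoted in the Description and reconstructs the dependency chain from the top-level package down to the package the profile excludes, which is the kind of targeted information a warning could show. The function names are hypothetical; the log text is copied from the Description.

```python
import re

# Solver output copied from the Description of this bug (RHEL 8.1).
DNF_ERROR = """\
 Problem: package libvirt-daemon-kvm-4.5.0-35.module+el8.1.0+4227+b2722cb3.x86_64 requires libvirt-daemon-driver-qemu = 4.5.0-35.module+el8.1.0+4227+b2722cb3, but none of the providers can be installed
  - package libvirt-daemon-driver-qemu-4.5.0-35.module+el8.1.0+4227+b2722cb3.x86_64 requires libvirt-daemon-driver-storage-core = 4.5.0-35.module+el8.1.0+4227+b2722cb3, but none of the providers can be installed
  - package gnome-boxes-3.28.5-7.el8.x86_64 requires libvirt-daemon-kvm, but none of the providers can be installed
  - package libvirt-daemon-driver-storage-core-4.5.0-35.module+el8.1.0+4227+b2722cb3.x86_64 requires nfs-utils, but none of the providers can be installed
  - conflicting requests
  - package nfs-utils-1:2.3.3-26.el8.x86_64 is excluded
"""

REQUIRES = re.compile(r"package (\S+) requires ([^\s,]+)")
EXCLUDED = re.compile(r"package (\S+) is excluded")

def pkg_name(nevra):
    """Strip '-[epoch:]version-release.arch' from a NEVRA string."""
    return nevra.rsplit("-", 2)[0]

def parse(text):
    """Return (required_by, excluded): reverse dependency map and excluded names."""
    required_by, excluded = {}, set()
    for line in text.splitlines():
        m = REQUIRES.search(line)
        if m:
            required_by.setdefault(m.group(2), set()).add(pkg_name(m.group(1)))
            continue
        m = EXCLUDED.search(line)
        if m:
            excluded.add(pkg_name(m.group(1)))
    return required_by, excluded

def chains_to_excluded(text):
    """List every chain 'top-level package -> ... -> excluded package'."""
    required_by, excluded = parse(text)
    chains = []
    def walk(pkg, below):
        # Parents already on the chain are skipped so a cycle cannot loop forever.
        parents = required_by.get(pkg, set()) - set([pkg] + below)
        if not parents:
            chains.append([pkg] + below)
            return
        for parent in sorted(parents):
            walk(parent, [pkg] + below)
    for pkg in sorted(excluded):
        walk(pkg, [])
    return chains

if __name__ == "__main__":
    for chain in chains_to_excluded(DNF_ERROR):
        print(" -> ".join(chain))
```
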

Comment 14 Matěj Týč 2020-06-18 15:15:08 UTC

Removed the Feature keyword, as this is not a feature, but rather a bugfix.

Comment 22 errata-xmlrpc 2020-11-04 03:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (oscap-anaconda-addon bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 24 Jan Fiala 2021-01-28 11:12:24 UTC
Hi Lucie, just confirmed with @matyc and the doc text is current. Nothing has changed since the doc text was published.
