RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1924058 - Applying org_fedora_oscap/xccdf_org.ssgproject.content_profile_ospp prevents from login into the system
Summary: Applying org_fedora_oscap/xccdf_org.ssgproject.content_profile_ospp prevents ...
Keywords:
Status: CLOSED DUPLICATE of bug 1674001
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 8.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.0
Assignee: Matěj Týč
QA Contact: Release Test Team
URL:
Whiteboard:
: 1947435 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-02 14:03 UTC by Renaud Métrich
Modified: 2024-03-25 18:05 UTC (History)
3 users (show)

Fixed In Version: oscap-anaconda-addon-1.2.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-04 15:52:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)

Description Renaud Métrich 2021-02-02 14:03:01 UTC 
Description of problem:

When applying the xccdf_org.ssgproject.content_profile_ospp profile during installation through using a kickstart, the user/admin cannot log in anymore after installation in case "tmux" package is not installed, as shown with the following kickstart excerpt below:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
%packages
@Base
kexec-tools
bash-completion
vim
%end

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_ospp
%end
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This ends up having 3 additional packages installed:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
openscap
openscap-scanner
scap-security-guide
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

But not "tmux" package which is required due to having the following code applied in /etc/bashrc:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
if [ "$PS1" ]; then
  parent=$(ps -o ppid= -p $$)
  name=$(ps -o comm= -p $parent)
  case "$name" in sshd|login) exec tmux ;; esac
fi
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Hence, either "tmux" should be automatically selected or the above code should be hardened in order to not blindly execute "tmux", even when it is not installed.


Version-Release number of selected component (if applicable):

anaconda-33.16.3.26-1.el8


How reproducible:

Always, see above.
Comment 1 Gabriel Gaspar Becker 2021-03-11 12:32:36 UTC 
This might be related to bz#1674001

The oscap-anaconda-addon does not provide all the functions when anaconda is run in text installation mode. So package selection is not processed and that might be the case here. Installations using graphical mode should install the package normally.

In this case, the workaround is to install RHEL without Security Profile and harden (scan and apply remediation) after the first boot.

I propose closing this one as a duplicate of bz#1674001
Comment 2 Matěj Týč 2021-03-12 13:29:39 UTC 
I would leave it open, as it has a separate customer case, and although we are quite sure that the root cause is the same, we haven't confirmed it.
Comment 3 Matěj Týč 2021-07-09 10:27:16 UTC 
*** Bug 1947435 has been marked as a duplicate of this bug. ***
Comment 4 Matěj Týč 2021-07-12 12:17:08 UTC 
This has been very likely fixed by rebase to the 1.2 version.
Comment 5 Matěj Týč 2021-08-04 15:52:13 UTC 

*** This bug has been marked as a duplicate of bug 1674001 ***
Note You need to log in before you can comment on or make changes to this bug.