Bug 1970384 - Cannot accept Licence due to USB keyboard and mouse being blocked
Summary: Cannot accept Licence due to USB keyboard and mouse being blocked
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: usbguard
Version: 8.4
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
Assignee: Zoltan Fridrich
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 1972062
Depends On:
Blocks:
Reported: 2021-06-10 12:01 UTC by Renaud Métrich
Modified: 2021-09-03 08:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-03 08:50:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Wizard not clickable (pointer doesn't change into a "hand") (50.95 KB, image/png)
2021-06-10 12:03 UTC, Renaud Métrich

Description Renaud Métrich 2021-06-10 12:01:57 UTC
Description of problem:

This is seen on RHEL8.4 when installing with STIG profile, when the hardware has a USB keyboard and mouse.

When the First Boot wizard shows up after installation, the keyboard and mouse are not functional at all, due to usbguard (being installed by default with STIG profile) blocking the devices:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
1: allow id 1d6b:0002 serial "0000:02:00.0" name "xHCI Host Controller" hash "4+i1fOQzh6/CdbdfiwrmdTYf8TLnLkUDuN34mexLwrg=" parent-hash "tk91ejILTHC5XDTNeLGOAJfLza0VBAHXIC3JuPVFJxY=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0003 serial "0000:02:00.0" name "xHCI Host Controller" hash "kMlilF7kSjfNYbDD2q8M+cXj+w/HO2jzc9gj5SSFwR0=" parent-hash "tk91ejILTHC5XDTNeLGOAJfLza0VBAHXIC3JuPVFJxY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: block id 0627:0001 serial "28754-0000:00:02.1:00.0-1" name "QEMU USB Tablet" hash "9f6ZIqpK5OG5DLoILMt3sFn/eW/uzyIHAwcP2g12A2A=" parent-hash "4+i1fOQzh6/CdbdfiwrmdTYf8TLnLkUDuN34mexLwrg=" via-port "1-1" with-interface 03:00:00 with-connect-type "unknown"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Whitelisting of keyboard and mouse must be done by default, or else the system is not usable.

Servers only having USB devices are unusable.


Version-Release number of selected component (if applicable):

usbguard-1.0.0-2.el8.x86_64


How reproducible:

ALWAYS


Steps to Reproduce:

1. Install a libvirt QEMU/KVM with RHEL8.4 DVD and STIG profile

  On a 20GB disk, specify the following sizes for the various required partitions:
  - / 8GiB
  - swap 2GiB
  - /tmp, /var/tmp, /var/log, /var/log/audit 1GiB each
  - /home 200MiB
  - /var 4GiB

2. Boot the installed system

Actual results:

  First boot wizard shows up and it's not possible to click on the items

Expected results:

  Can click

Additional info:

With libvirt QEMU/KVM, a USB tablet is set up automatically, along with PS/2 keyboard and mouse.
For some reason, only the USB tablet is enabled during systemd-firstboot, that's why I can reproduce with a virtual machine.

Comment 1 Renaud Métrich 2021-06-10 12:03:54 UTC
Created attachment 1789818
Wizard not clickable (pointer doesn't change into a "hand")

Comment 2 Dalibor Pospíšil 2021-06-10 12:18:27 UTC
It is expected and documented in usbguard that the policy is empty at the beginning.

I would say that the STIG profile should define some initial policy, as it should basically implement the installation process, which consists of the policy initialization.

Comment 3 Renaud Métrich 2021-06-10 12:57:16 UTC
Well even without STIG the issue will be present, assuming usbguard is enabled at installation time, so something has to be done.
The keyboard/mouse won't work.

Comment 4 Radovan Sroka 2021-06-10 14:12:22 UTC
Hello,

The openscap content contains the following rule that should allow the devices.

https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml

But somehow this rule is not part of the profile...

Comment 5 Dalibor Pospíšil 2021-06-10 14:15:05 UTC
In case we would like to have it enabled at install time as a part of some install group we may consider an RFE. But specifically this issue would be for SCAP and the respective profile.

Comment 6 Renaud Métrich 2021-06-10 14:32:45 UTC
I filed BZ #1970481 for the STIG profile part, but still I believe as soon as usbguard is installed (through specifying in the kickstart for example), the rule should be there.

Comment 7 Dalibor Pospíšil 2021-06-10 15:00:57 UTC
In terms of a kickstart, there's the '%post' section which can be used exactly for this purpose (do some initialization). So if they customize the installation they should do it fully, not just half of it.

Comment 8 Renaud Métrich 2021-06-10 15:13:17 UTC
Yes sure, I'll create a KCS for this, but in the Interactive Installation case, you're dead ...
I'm more concerned about the interactive installation which would select usbguard installation.

Comment 9 Renaud Métrich 2021-06-15 08:03:40 UTC
See also BZ #1972062

Comment 10 Dalibor Pospíšil 2021-07-13 10:43:55 UTC
The usbguard service is disabled by default (systemd service) so unless it is explicitly enabled it should not block anything.

Comment 11 Zoltan Fridrich 2021-09-03 08:38:46 UTC
*** Bug 1972062 has been marked as a duplicate of this bug. ***

Comment 12 Zoltan Fridrich 2021-09-03 08:50:12 UTC
Usbguard behaves as intended in this regard. The user should configure and create a policy first before turning on the usbguard daemon (which is turned off by default). If a usbguard daemon is turned on unconfigured then it correctly blocks all USB devices.

This issue has already been resolved elsewhere rhbz#1970481
Closing this issue as won't fix.
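
The preparation this thread points to (the kickstart %post step from Comment 7 and "create a policy first" from Comment 12), as an added shell example that is not part of the bug report or of usbguard: seed_policy writes an initial rule before the daemon is enabled, and locked_out reads `usbguard list-devices` output and names the blocked devices that expose only HID or hub interfaces. The rule text is assumed to be the line that the usbguard_allow_hid_and_hub rule linked in Comment 4 installs; the function names and the sample listing are hypothetical.

```sh
#!/bin/sh
# Added example. Rule text assumed to match the usbguard_allow_hid_and_hub
# rule linked in Comment 4; verify against that rule before relying on it.
HID_HUB_RULE='allow with-interface match-all { 03:*:* 09:*:* }'

# seed_policy FILE: append the HID/hub rule once and keep FILE mode 0600.
# Kickstart %post use (as root), before the daemon is ever started:
#   seed_policy /etc/usbguard/rules.conf && systemctl enable usbguard
seed_policy() {
    ( umask 077
      touch "$1" || exit 1
      grep -qxF "$HID_HUB_RULE" "$1" || printf '%s\n' "$HID_HUB_RULE" >> "$1"
      chmod 0600 "$1" )
}

# locked_out: read `usbguard list-devices` output on stdin and print the name
# of every blocked device whose interfaces are all HID (03) or hub (09).
# match-all is a subset test, so one other interface class disqualifies it.
locked_out() {
    awk '
    $2 == "block" && match($0, /with-interface .* with-connect-type/) {
        ifs = substr($0, RSTART + 15, RLENGTH - 33)   # text between the keywords
        gsub(/[{}]/, "", ifs)                          # drop list braces
        n = split(ifs, a, " "); ok = (n > 0)
        for (i = 1; i <= n; i++) if (a[i] !~ /^(03|09):/) ok = 0
        if (ok && match($0, /name "[^"]*"/))
            print substr($0, RSTART + 6, RLENGTH - 7)
    }'
}

# Constructed sample: entries 1 and 3 follow the report's listing with the
# hash fields dropped; entries 4 to 6 are invented devices.
sample_devices() {
    cat <<'EOF'
1: allow id 1d6b:0002 serial "0000:02:00.0" name "xHCI Host Controller" via-port "usb1" with-interface 09:00:00 with-connect-type ""
3: block id 0627:0001 serial "28754-0000:00:02.1:00.0-1" name "QEMU USB Tablet" via-port "1-1" with-interface 03:00:00 with-connect-type "unknown"
4: block id ffff:0001 serial "A1" name "Constructed Flash Drive" via-port "1-2" with-interface 08:06:50 with-connect-type "hotplug"
5: block id ffff:0002 serial "" name "Constructed Keyboard" via-port "1-3" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
6: block id ffff:0003 serial "" name "Constructed Keyboard+Storage" via-port "1-4" with-interface { 03:01:01 08:06:50 } with-connect-type "hotplug"
EOF
}

sample_devices | locked_out   # lists the tablet and the plain keyboard
```

A rule that allows every HID-class device also authorizes any device that presents itself as a keyboard. `usbguard generate-policy > /etc/usbguard/rules.conf` is the narrower choice, since it allows only the devices attached when it is run.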

