Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
This is seen on RHEL8.4 when installing with STIG profile, when the hardware has a USB keyboard and mouse.
When the First Boot wizard shows up after installation, the keyboard and mouse are not functional at all, due to usbguard (being installed by default with STIG profile) blocking the devices:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
1: allow id 1d6b:0002 serial "0000:02:00.0" name "xHCI Host Controller" hash "4+i1fOQzh6/CdbdfiwrmdTYf8TLnLkUDuN34mexLwrg=" parent-hash "tk91ejILTHC5XDTNeLGOAJfLza0VBAHXIC3JuPVFJxY=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0003 serial "0000:02:00.0" name "xHCI Host Controller" hash "kMlilF7kSjfNYbDD2q8M+cXj+w/HO2jzc9gj5SSFwR0=" parent-hash "tk91ejILTHC5XDTNeLGOAJfLza0VBAHXIC3JuPVFJxY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: block id 0627:0001 serial "28754-0000:00:02.1:00.0-1" name "QEMU USB Tablet" hash "9f6ZIqpK5OG5DLoILMt3sFn/eW/uzyIHAwcP2g12A2A=" parent-hash "4+i1fOQzh6/CdbdfiwrmdTYf8TLnLkUDuN34mexLwrg=" via-port "1-1" with-interface 03:00:00 with-connect-type "unknown"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Whitelisting of keyboard and mouse must be done by default, or else the system is not usable.
Servers only having USB devices are unusable.
Version-Release number of selected component (if applicable):
usbguard-1.0.0-2.el8.x86_64
How reproducible:
ALWAYS
Steps to Reproduce:
1. Install a libvirt QEMU/KVM with RHEL8.4 DVD and STIG profile
On a 20GB disk, specify the following sizes for the various required partitions:
- / 8GiB
- swap 2GiB
- /tmp, /var/tmp, /var/log, /var/log/audit 1GiB each
- /home 200MiB
- /var 4GiB
2. Boot the installed system
Actual results:
First boot wizard shows up and it's not possible to click on the items
Expected results:
Can click
Additional info:
With libvirt QEMU/KVM, a USB tablet is set up automatically, along with PS/2 keyboard and mouse.
For some reason, only the USB tablet is enabled during systemd-firstboot, that's why I can reproduce with a virtual machine.
It is expected and documented in the usbguard that the policy is empty at the beginning.
I would say that STIG profile should define some initial policy as it should basically implement the installation process which consists of the policy initialization.
Well even without STIG the issue will be present, assuming usbguard is enabled at installation time, so something has to be done.
The keyboard/mouse won't work.
In case we would like to have it enabled at install time as a part of some install group we may consider an RFE. But specifically this issue would be for SCAP and the respective profile.
I filed BZ #1970481 for the STIG profile part, but still I believe as soon as usbguard is installed (through specifying in the kickstart for example), the rule should be there.
In terms of a kickstart, there's the '%post' section which can be used exactly for this purpose (do some initialization). So if they customize the installation they should do it fully, not just half of it.
Yes sure, I'll create a KCS for this, but in the Interactive Installation case, you're dead ...
I'm more concerned about the interactive installation which would select usbguard installation.
Usbguard behaves as intended in this regard. The user should configure and create a policy first before turning on the usbguard daemon (which is turned off by default). If a usbguard daemon is turned on unconfigured then it correctly blocks all USB devices.
This issue has already been resolved elsewhere rhbz#1970481
Closing this issue as won't fix.