Bug 2129001 - content-type = scap-security-guide does not stop at partitioning step as content-type = rpm does
Keywords:
Status: CLOSED DUPLICATE of bug 1895138
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matěj Týč
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-22 09:17 UTC by Jan Pazdziora
Modified: 2022-10-11 15:27 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-11 15:27:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-134669 0 None None None 2022-09-22 10:03:05 UTC

Description Jan Pazdziora 2022-09-22 09:17:10 UTC
Description of problem:

When using the scap-security-guide-0.1.54-5.el8 and the ospp profile, there are rules that check existence of partitions. When those partitions are not defined in the kickstart, and the org_fedora_oscap addon is configured as

%addon org_fedora_oscap
  content-type = rpm
  content-url = "http://server/path/scap-security-guide-0.1.54-5.el8.noarch.rpm"
  content-path = usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  profile = ospp
%end

provisioning RHEL 8.4 stops with

Setting up org_fedora_oscap addon      
      
================================================================================       
================================================================================       

Question      
Wrong configuration detected!      
/var/log/audit must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/home must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/log must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
     
The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no': 

However, when using the scap-security-guide from the installation media (which is the same version) with

%addon org_fedora_oscap
  content-type = scap-security-guide
  profile = ospp
%end

the installation does not get blocked on these partitioning rules.

Version-Release number of selected component (if applicable):

I believe the RHEL 8.4 GA installation media has oscap-anaconda-addon-1.1.1-7.el8

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a minimal RHEL 8.4 kickstart, test that it correctly provisions the system.
2. Add

%addon org_fedora_oscap
  content-type = rpm
  content-url = "http://server/path/scap-security-guide-0.1.54-5.el8.noarch.rpm"
  content-path = usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  profile = ospp
%end

to the kickstart, check that provisioning stops with

Wrong configuration detected!      
/var/log/audit must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/home must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/log must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
     
The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no': 

3. Use the same kickstart but add

%addon org_fedora_oscap
  content-type = scap-security-guide
  profile = ospp
%end

Actual results:

The system provisions, does not complain about the partitioning mismatch.

Some remediation from the profile got obviously applied because root logon via ssh is disabled.

Expected results:

The same as for the


%addon org_fedora_oscap
  content-type = rpm
  content-url = "http://server/path/scap-security-guide-0.1.54-5.el8.noarch.rpm"
  content-path = usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  profile = ospp
%end

case:

Wrong configuration detected!      
/var/log/audit must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/home must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/log must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
     
The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no': 

Additional info:

Comment 3 Matěj Týč 2022-10-11 15:27:35 UTC
This particular problem got fixed in RHEL 8.5 probably by https://bugzilla.redhat.com/show_bug.cgi?id=1674001, but the fix introduced a regression that is reported as https://bugzilla.redhat.com/show_bug.cgi?id=2129008

*** This bug has been marked as a duplicate of bug 1895138 ***
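
A pre-flight check for the gap this report describes, as an added example that is not part of the bug report or of oscap-anaconda-addon: it reads a kickstart and lists the mount points from the installer messages above that the partitioning never creates, whatever content-type the addon uses. The function names and the sample kickstart are constructed for illustration, and the mount-point list is taken only from the ospp messages quoted in this report.

```python
# Mount points named in the installer messages quoted in this bug report
# (ospp profile, scap-security-guide-0.1.54-5.el8); other profiles may differ.
OSPP_MOUNTS = ("/var/log/audit", "/home", "/var/log", "/var", "/var/tmp", "/tmp")

def parse_kickstart(text):
    """Return (oscap addon settings, mount points from part/logvol commands)."""
    addon, mounts, section = {}, set(), None   # section None = command section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            words = line.split()
            if words[0] == "%end":
                section = None
            elif words[0] != "%include":       # %include is a command, not a section
                section = " ".join(words[:2])
            continue
        if section == "%addon org_fedora_oscap":
            key, sep, value = line.partition("=")
            if sep:
                addon[key.strip()] = value.strip().strip('"')
        elif section is None:
            tokens = line.split()
            if tokens[0] in ("part", "partition", "logvol"):
                # Assumes the mount point is the first non-option token.
                positional = [t for t in tokens[1:] if not t.startswith("--")]
                mounts.update(positional[:1])
    return addon, mounts

def missing_mounts(text, required=OSPP_MOUNTS):
    """Mount points a profile needs that the kickstart never creates."""
    addon, mounts = parse_kickstart(text)
    if not addon.get("profile"):
        return []                              # no security profile requested
    return [m for m in required if m not in mounts]

# Constructed sample: the content-type from the report, only some partitions.
SAMPLE = """\
part pv.01 --grow
logvol / --vgname=vg --name=root --size=8192
logvol /var --vgname=vg --name=var --size=4096
logvol /tmp --vgname=vg --name=tmp --size=1024
%addon org_fedora_oscap
  content-type = scap-security-guide
  profile = ospp
%end
"""
print(missing_mounts(SAMPLE))
```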

