Bug 2130182 - Login issues after anssi profile remediation with image-builder images
Summary: Login issues after anssi profile remediation with image-builder images
Keywords:
Status: MODIFIED
Alias: None
Deadline: 2023-08-14
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL: https://github.com/ComplianceAsCode/c...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-09-27 12:34 UTC by Evgeny Kolesnikov
Modified: 2023-08-17 16:20 UTC (History)
7 users (show)

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-135017 0 None None None 2022-09-27 12:52:41 UTC

Description Evgeny Kolesnikov 2022-09-27 12:34:27 UTC
Description of problem:
I am unable to login to a system that has been built with image-builder and remediated using the anssi enhanced profile, the anssi high profile or the anssi intermediary profile - all three profiles produce the same selinux error.

Version-Release number of selected component (if applicable):
0.1.63

How reproducible:


Steps to Reproduce:
1. using osbuild-composer to build an image on-prem, create a blueprint with the following customizations:

[customizations.openscap]
profile_id = "bp28_enhanced"  # or bp28_high or bp28_intermediary
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

2. Once the image has been built, boot it up and attempt login

Actual results:
User is unable to log into the system

Expected results:
User is able to log into the system

Additional info:
The session starts and the user is logged out with the message: Cannot make/remove an entry for the specified session

Upstream issue: https://github.com/ComplianceAsCode/content/issues/9536

Comment 2 Evgeny Kolesnikov 2023-04-25 10:29:12 UTC
We modified the CaC content in a way that it won't try to
enable polyinstantiated directories. It requires
a certain state of selinux booleans and we can't change
these values in the IB pipeline.

https://github.com/ComplianceAsCode/content/pull/10117


Note You need to log in before you can comment on or make changes to this bug.