Description of problem:
When installing RHEL 9.1 - if you select the package group "Network Servers" and select any of the "CIS" Security Profiles you see an error message "package 'tftp' has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the install"

Version-Release number of selected component (if applicable):
RHEL 9.1

How reproducible:
Every time

Steps to Reproduce:
1. Start a RHEL 9.1 Anaconda GUI install
2. Select Minimal Base Environment from the Software Selection menu and then under "Additional software for Selected Environment" select "Network Servers" and "Done"
3. Go to Security Profile and select any of the "CIS Red Hat Enterprise Linux 9 Benchmark" and then scroll down to see the error message.

Workaround:
4. Go back to Software Selection and uncheck the "Network Servers" additional software. Then view the security profile to view that the tftp error message is gone.

Actual results:
"package 'tftp' has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the install"

Expected results:
"package 'tftp' has been added to the list of excluded packages"

This looks like a possible oscap-anaconda-addon issue, reassigning the bug.
This is a manifestation of a conflict between the software selection and a hardening profile, and the addon handles this one gracefully - it informs the user before the installation starts, so they can react to this situation before the installation is started. I can imagine an even more graceful handling of the situation by e.g. filtering the list of software selections if the hardening profile is known, or by offering to proceed with the installation while prioritizing the hardening requirements, or something like that. However, I would see such requirements as RFEs - I think that the current behavior is not a result of a bug or defect that can be fixed in a straightforward way.
There is something of a problem though. tftp is not part of the group and is not installed when you install the Network Server group. In fact nothing is installed, since all the packages are optional.

> This shows no group name, thus not a group member
[root@r9 ~]# repoquery --groupmember tftp
tftp-5.2-35.el9.x86_64
tftp-5.2-37.el9.x86_64

> All packages are optional and thus nothing is actually installed unless a specific option is used. Even with that option used tftp is not pulled in.
[root@r9 ~]# yum groupinfo "Network Servers"
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:54 ago on Mon 27 Feb 2023 09:39:52 AM EST.
Group: Network Servers
 Description: These packages include network-based servers such as DHCP, Kerberos and NIS.
 Optional Packages:
   dhcp-server
   dnsmasq
   freeradius
   frr
   idn2
   krb5-server
   libreswan
   radvd
   rsyslog-gnutls
   rsyslog-gssapi
   rsyslog-mysql
   rsyslog-pgsql
   rsyslog-relp
   syslinux
   tang

So the security profile excludes tftp, which is not about to be installed and is not a group member of anything selected.
I agree, the listing is not correct - the package is an optional part of the group on the latest RHEL8, and it is completely unrelated on RHEL9. The installer therefore causes this false positive, that prevents users from installing the system in a straightforward way.
A fix has been merged upstream by https://github.com/OpenSCAP/oscap-anaconda-addon/pull/248
The issue is fixed in oscap-anaconda-addon-2.0.0-17.el9. The installer reports that "package 'tftp' has been added to the list of excluded packages" and it's possible to finish the installation. The tftp package doesn't get installed.

Marking as Verified:Tested

Jan Fiala, the doc text for this bug applies for RHEL-9.2 as a known issue, but since this will be fixed in RHEL-9.3, the doc text needs to be updated. Can you please take care of it?
Checked that oscap-anaconda-addon-2.0.0-17.el9 is in nightly compose RHEL-9.3.0-20230803.31
Automated tests completed without any regression.
Moving to VERIFIED