Bug 2172264 - tftp error when you add the "Network Servers" Software Group and select any CIS Security Profiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: oscap-anaconda-addon
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Matěj Týč
QA Contact: Release Test Team
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-02-21 19:05 UTC by ckrell
Modified: 2023-11-07 10:04 UTC

Fixed In Version: oscap-anaconda-addon-2.0.0-17.el9
Doc Type: Bug Fix
Doc Text:
.`oscap-anaconda-addon` can now harden Network Servers for CIS

Previously, installing RHEL Network Servers with a CIS security profile (`cis`, `cis_server_l1`, `cis_workstation_l1`, or `cis_workstation_l2`) was not possible with the Network Servers package group selected. This problem is fixed by excluding the `tftp` package in `oscap-anaconda-addon-2.0.0-17.el9` provided with RHEL 9.3. As a consequence, you can install CIS-hardened RHEL Network Servers with the Network Servers package group.
Clone Of:
Environment:
Last Closed: 2023-11-07 08:36:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-149684 0 None None None 2023-02-22 15:23:44 UTC
Red Hat Issue Tracker RTT-5279 0 None None None 2023-05-02 10:45:57 UTC
Red Hat Issue Tracker RTT-5280 0 None None None 2023-05-02 10:46:01 UTC
Red Hat Knowledge Base (Solution) 6999291 0 None None None 2023-02-21 19:39:29 UTC
Red Hat Product Errata RHBA-2023:6531 0 None None None 2023-11-07 08:36:44 UTC

Description ckrell 2023-02-21 19:05:55 UTC
Description of problem:
When installing RHEL 9.1, if you select the package group "Network Servers" and select any of the "CIS" Security Profiles, you see the error message "package 'tftp' has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the install".

Version-Release number of selected component (if applicable):
RHEL 9.1

How reproducible:
Every time

Steps to Reproduce:
1. Start a RHEL 9.1 Anaconda GUI install
2. Select Minimal Base Environment from the Software Selection menu and then under "Additional software for Selected Environment" select "Network Servers" and "Done"
3. Go to Security Profile and select any of the "CIS Red Hat Enterprise Linux 9 Benchmark" profiles, then scroll down to see the error message.

Workaround:
4. Go back to Software Selection and uncheck the "Network Servers" additional software. Then view the security profile to verify that the tftp error message is gone.

Actual results:
"package 'tftp' has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the install"

Expected results:
"package 'tftp' has been added to the list of excluded packages"

Comment 1 Jan Stodola 2023-02-22 15:21:40 UTC
This looks like a possible oscap-anaconda-addon issue, reassigning the bug.

Comment 2 Matěj Týč 2023-02-27 12:25:57 UTC
This is a manifestation of a conflict between the software selection and a hardening profile, and the addon handles this one gracefully - it informs the user before the installation starts, so they can react to this situation before the installation is started.
I can imagine an even more graceful handling of the situation by e.g. filtering the list of software selections if the hardening profile is known, or by offering to proceed with the installation while prioritizing the hardening requirements, or something like that. However, I would see such requirements as RFEs - I think that the current behavior is not a result of a bug or defect that can be fixed in a straightforward way.

Comment 3 jcastran 2023-02-27 13:40:55 UTC
There is something of a problem though. tftp is not part of the group and is not installed when you install the Network Server group. In fact nothing is installed, since all the packages are optional.

> This shows no group name, thus not a group member

[root@r9 ~]# repoquery --groupmember tftp
tftp-5.2-35.el9.x86_64
tftp-5.2-37.el9.x86_64

> All packages are optional and thus nothing is actually installed unless a specific option is used. Even with that option used tftp is not pulled in.

[root@r9 ~]# yum groupinfo "Network Servers"
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:54 ago on Mon 27 Feb 2023 09:39:52 AM EST.
Group: Network Servers
 Description: These packages include network-based servers such as DHCP, Kerberos and NIS.
 Optional Packages:
   dhcp-server
   dnsmasq
   freeradius
   frr
   idn2
   krb5-server
   libreswan
   radvd
   rsyslog-gnutls
   rsyslog-gssapi
   rsyslog-mysql
   rsyslog-pgsql
   rsyslog-relp
   syslinux
   tang


So the security profile excludes tftp, which is not about to be installed and is not a group member of anything selected.

Comment 4 Matěj Týč 2023-03-13 16:58:56 UTC
I agree, the listing is not correct - the package is an optional part of the group on the latest RHEL 8, and it is completely unrelated on RHEL 9.
The installer therefore causes this false positive, which prevents users from installing the system in a straightforward way.
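As an added illustration of the distinction drawn in comments 3 and 4 (this is example code, not the addon's own logic): a small checker over a constructed comps-style group listing that treats only mandatory/default members of the selected groups, or packages requested by name, as real conflicts with a profile's excluded-package list, so an optional or non-member package such as tftp is reported as a plain exclusion. The group ids, package types and the tftp-server/pxe-boot entries are constructed assumptions, not RHEL comps data.

```python
import xml.etree.ElementTree as ET

# Constructed comps-style data (not the real RHEL comps.xml). The network-server group
# mirrors comment 3: only optional members, and tftp is not among them on RHEL 9.
# The other two groups are invented to show the optional vs. mandatory/default cases.
COMPS_XML = """<comps>
  <group><id>network-server</id><packagelist>
    <packagereq type="optional">dhcp-server</packagereq>
    <packagereq type="optional">krb5-server</packagereq>
  </packagelist></group>
  <group><id>legacy-net-server</id><packagelist>
    <packagereq type="default">tftp-server</packagereq>
    <packagereq type="optional">tftp</packagereq>
  </packagelist></group>
  <group><id>pxe-boot</id><packagelist>
    <packagereq type="mandatory">tftp</packagereq>
  </packagelist></group>
</comps>"""

# Only these member types are installed by selecting a group; optional members are not.
INSTALLED_TYPES = {"mandatory", "default"}


def parse_comps(xml_text):
    """Return {group_id: {package: member_type}} from a comps-style document."""
    groups = {}
    for group in ET.fromstring(xml_text).findall("group"):
        gid = group.findtext("id")
        groups[gid] = {req.text: req.get("type", "mandatory")
                       for req in group.findall("packagelist/packagereq")}
    return groups


def packages_pulled_in(groups, selected_groups, explicit_packages=()):
    """Packages the software selection will really install: mandatory and default
    members of the selected groups plus anything requested by name."""
    pulled = set(explicit_packages)
    for gid in selected_groups:
        pulled.update(p for p, t in groups.get(gid, {}).items() if t in INSTALLED_TYPES)
    return pulled


def classify_exclusions(groups, selected_groups, excluded, explicit_packages=()):
    """Map each package a profile excludes to 'conflict' (dropping it would change the
    install) or 'excluded' (a harmless exclusion, the situation in this bug)."""
    pulled = packages_pulled_in(groups, selected_groups, explicit_packages)
    return {pkg: ("conflict" if pkg in pulled else "excluded") for pkg in excluded}


if __name__ == "__main__":
    comps = parse_comps(COMPS_XML)
    print(classify_exclusions(comps, ["network-server"], ["tftp"]))  # harmless exclusion
    print(classify_exclusions(comps, ["pxe-boot"], ["tftp"]))        # genuine conflict
```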

Comment 15 Jan Černý 2023-07-18 09:40:13 UTC
A fix has been merged upstream by https://github.com/OpenSCAP/oscap-anaconda-addon/pull/248

Comment 16 Jan Stodola 2023-08-01 15:11:35 UTC
The issue is fixed in oscap-anaconda-addon-2.0.0-17.el9.
The installer reports that "package 'tftp' has been added to the list of excluded packages" and it's possible to finish the installation. The tftp package doesn't get installed.

Marking as Verified:Tested

Jan Fiala, the doc text for this bug applies for RHEL-9.2 as a known issue, but since this will be fixed in RHEL-9.3, the doc text needs to be updated. Can you please take care of it?

Comment 22 Jan Stodola 2023-08-04 10:56:59 UTC
Checked that oscap-anaconda-addon-2.0.0-17.el9 is in nightly compose RHEL-9.3.0-20230803.31
Automated tests completed without any regression.

Moving to VERIFIED

Comment 27 errata-xmlrpc 2023-11-07 08:36:28 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (oscap-anaconda-addon bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6531

