ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL8 STIG with GUI installation - package conflicts #6899

Closed mildas closed 3 years ago

mildas commented 3 years ago

Description of problem:

I'm not able to install RHEL 8.4 with Server with GUI package selection and with the STIG security policy - "DISA STIG with GUI for Red Hat Enterprise Linux 8".

I have built the rhel8 datastream and inserted it into the installation via network (Security Policy -> Change content).

SCAP Security Guide Version:

c43f689153c

Operating System Version:

RHEL 8.4

Steps to Reproduce:

  1. Start rhel8.4 installation
  2. Prepare partitions for STIG
  3. Security Policy -> Change content, and put the link with rhel8 datastream to fetch

Actual Results:

Not possible to begin the installation because of software selection error: Error checking software selection

Expected Results:

Successful installation

Additional Information/Debugging Steps:

Most of the conflicts are about xorg-x11-* even though it is being unselected in the stig_gui.profile. However, gssproxy package conflict seems valid to me because the profile contains the package_gssproxy_removed rule.

Software selection details:

 Problem 1: package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 2: package gnome-session-wayland-session-3.28.1-10.el8.x86_64 requires xorg-x11-server-Xwayland(x86-64), but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xwayland-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 3: package xorg-x11-drv-wacom-0.38.0-1.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-wacom-0.38.0-1.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-wacom-0.38.0-1.el8.x86_64 requires xserver-abi(xinput-24) >= 1, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 4: package xorg-x11-drv-vmware-13.2.1-8.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-vmware-13.2.1-8.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-vmware-13.2.1-8.el8.x86_64 requires xserver-abi(videodrv-24) >= 0, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 5: package xorg-x11-drv-vesa-2.4.0-3.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-vesa-2.4.0-3.el8.x86_64 requires xorg-x11-server-wrapper, but none of the providers can be installed
  - package xorg-x11-drv-vesa-2.4.0-3.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-vesa-2.4.0-3.el8.x86_64 requires xserver-abi(videodrv-24) >= 0, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 6: package xorg-x11-drv-qxl-0.1.5-11.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-qxl-0.1.5-11.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-qxl-0.1.5-11.el8.x86_64 requires xserver-abi(videodrv-24) >= 0, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 7: package xorg-x11-drv-nouveau-1:1.0.15-4.el8.1.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-nouveau-1:1.0.15-4.el8.1.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-nouveau-1:1.0.15-4.el8.1.x86_64 requires xserver-abi(videodrv-24) >= 0, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 8: package xorg-x11-drv-libinput-0.29.0-1.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-libinput-0.29.0-1.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-libinput-0.29.0-1.el8.x86_64 requires xserver-abi(xinput-24) >= 1, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 9: package xorg-x11-drv-fbdev-0.5.0-2.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-fbdev-0.5.0-2.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-fbdev-0.5.0-2.el8.x86_64 requires xserver-abi(videodrv-24) >= 0, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 10: package xorg-x11-drv-evdev-2.10.6-2.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-evdev-2.10.6-2.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-evdev-2.10.6-2.el8.x86_64 requires xserver-abi(xinput-24) >= 1, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 11: package xorg-x11-drv-ati-19.1.0-1.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-ati-19.1.0-1.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-ati-19.1.0-1.el8.x86_64 requires xserver-abi(videodrv-24) >= 0, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 12: package initial-setup-gui-0.3.81.7-1.el8.x86_64 requires xorg-x11-server-Xorg, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 13: package gnome-initial-setup-3.28.0-9.el8.x86_64 requires gdm, but none of the providers can be installed
  - package gdm-1:3.28.3-39.el8.i686 requires xorg-x11-server-utils, but none of the providers can be installed
  - package gdm-1:3.28.3-39.el8.x86_64 requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 14: package gnome-shell-3.32.2-29.el8.x86_64 requires gdm-libs(x86-64), but none of the providers can be installed
  - package gdm-1:3.28.3-39.el8.x86_64 requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 15: package ibus-1.5.19-12.el8.x86_64 requires xorg-x11-xinit, but none of the providers can be installed
  - package ibus-libpinyin-1.10.0-2.el8.x86_64 requires ibus >= 1.5.11, but none of the providers can be installed
  - package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 16: package ibus-1.5.19-12.el8.x86_64 requires xorg-x11-xinit, but none of the providers can be installed
  - package ibus-kkc-1.5.22-9.el8.x86_64 requires ibus, but none of the providers can be installed
  - package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 17: package ibus-1.5.19-12.el8.x86_64 requires xorg-x11-xinit, but none of the providers can be installed
  - package ibus-hangul-1.5.1-6.el8.x86_64 requires ibus >= 1.3.99, but none of the providers can be installed
  - package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 18: package ibus-1.5.19-12.el8.x86_64 requires xorg-x11-xinit, but none of the providers can be installed
  - package ibus-libzhuyin-1.8.93-1.el8.x86_64 requires ibus >= 1.3.0, but none of the providers can be installed
  - package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 19: package ibus-1.5.19-12.el8.x86_64 requires xorg-x11-xinit, but none of the providers can be installed
  - package ibus-m17n-1.3.4-26.el8.x86_64 requires ibus >= 1.4.0, but none of the providers can be installed
  - package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 20: package ibus-1.5.19-12.el8.x86_64 requires xorg-x11-xinit, but none of the providers can be installed
  - package ibus-typing-booster-2.1.0-5.el8.noarch requires ibus >= 1.5.3, but none of the providers can be installed
  - package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 21: package gnome-shell-3.32.2-29.el8.x86_64 requires gdm-libs(x86-64), but none of the providers can be installed
  - package chrome-gnome-shell-10.1-7.el8.x86_64 requires gnome-shell, but none of the providers can be installed
  - package gdm-1:3.28.3-39.el8.x86_64 requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 22: conflicting requests
  - package gdm-1:3.28.3-39.el8.i686 requires xorg-x11-server-utils, but none of the providers can be installed
  - package gdm-1:3.28.3-39.el8.x86_64 requires xorg-x11-server-utils, but none of the providers can be installed
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 23: conflicting requests
  - package xorg-x11-drv-intel-2.99.917-39.20200205.el8.i686 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-intel-2.99.917-39.20200205.el8.i686 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-intel-2.99.917-39.20200205.el8.i686 requires xserver-abi(videodrv-24) >= 1, but none of the providers can be installed
  - package xorg-x11-drv-intel-2.99.917-39.20200205.el8.x86_64 requires Xorg, but none of the providers can be installed
  - package xorg-x11-drv-intel-2.99.917-39.20200205.el8.x86_64 requires xserver-abi(ansic-0) >= 4, but none of the providers can be installed
  - package xorg-x11-drv-intel-2.99.917-39.20200205.el8.x86_64 requires xserver-abi(videodrv-24) >= 1, but none of the providers can be installed
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 24: package gnome-shell-extension-common-3.32.1-14.el8.noarch requires gnome-shell >= 3.32.1, but none of the providers can be installed
  - package gnome-shell-extension-apps-menu-3.32.1-14.el8.noarch requires gnome-shell-extension-common = 3.32.1-14.el8, but none of the providers can be installed
  - package gnome-shell-3.32.2-29.el8.x86_64 requires gdm-libs(x86-64), but none of the providers can be installed
  - package gnome-classic-session-3.32.1-14.el8.noarch requires gnome-shell-extension-apps-menu = 3.32.1-14.el8, but none of the providers can be installed
  - package gdm-1:3.28.3-39.el8.x86_64 requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 25: package libvirt-daemon-driver-storage-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires libvirt-daemon-driver-storage-core = 6.0.0-34.module+el8.4.0+9758+5c420eed, but none of the providers can be installed
  - package libvirt-daemon-kvm-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires libvirt-daemon-driver-storage = 6.0.0-34.module+el8.4.0+9758+5c420eed, but none of the providers can be installed
  - package libvirt-daemon-driver-storage-core-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires nfs-utils, but none of the providers can be installed
  - package gnome-boxes-3.36.5-8.el8.x86_64 requires libvirt-daemon-kvm, but none of the providers can be installed
  - package nfs-utils-1:2.3.3-41.el8.x86_64 requires gssproxy >= 0.7.0-3, but none of the providers can be installed
  - conflicting requests
  - package gssproxy-0.8.0-19.el8.x86_64 is filtered out by exclude filtering
 Problem 26: package libspectre-0.2.8-5.el8.x86_64 requires libgs.so.9()(64bit), but none of the providers can be installed
  - package libgs-9.27-1.el8.x86_64 requires urw-base35-fonts, but none of the providers can be installed
  - package evince-libs-3.28.4-9.el8.x86_64 requires libspectre.so.1()(64bit), but none of the providers can be installed
  - package urw-base35-fonts-20170801-10.el8.noarch requires urw-base35-z003-fonts, but none of the providers can be installed
  - package evince-3.28.4-9.el8.x86_64 requires libevdocument3.so.4()(64bit), but none of the providers can be installed
  - package evince-3.28.4-9.el8.x86_64 requires libevview3.so.3()(64bit), but none of the providers can be installed
  - package evince-3.28.4-9.el8.x86_64 requires evince-libs(x86-64) = 3.28.4-9.el8, but none of the providers can be installed
  - package urw-base35-z003-fonts-20170801-10.el8.noarch requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 27: package ghostscript-9.27-1.el8.x86_64 requires libgs.so.9()(64bit), but none of the providers can be installed
  - package ghostscript-9.27-1.el8.x86_64 requires libgs(x86-64) = 9.27-1.el8, but none of the providers can be installed
  - package libgs-9.27-1.el8.x86_64 requires urw-base35-fonts, but none of the providers can be installed
  - package cups-filters-1.20.0-24.el8.x86_64 requires ghostscript(x86-64) >= 9.27-1, but none of the providers can be installed
  - package urw-base35-fonts-20170801-10.el8.noarch requires urw-base35-z003-fonts, but none of the providers can be installed
  - package cups-1:2.2.6-38.el8.x86_64 requires cups-filters, but none of the providers can be installed
  - package urw-base35-z003-fonts-20170801-10.el8.noarch requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 28: package libspectre-0.2.8-5.el8.x86_64 requires libgs.so.9()(64bit), but none of the providers can be installed
  - package libgs-9.27-1.el8.x86_64 requires urw-base35-fonts, but none of the providers can be installed
  - package evince-libs-3.28.4-9.el8.x86_64 requires libspectre.so.1()(64bit), but none of the providers can be installed
  - package urw-base35-fonts-20170801-10.el8.noarch requires urw-base35-z003-fonts, but none of the providers can be installed
  - package sushi-3.28.3-1.el8.x86_64 requires libevdocument3.so.4()(64bit), but none of the providers can be installed
  - package sushi-3.28.3-1.el8.x86_64 requires libevview3.so.3()(64bit), but none of the providers can be installed
  - package urw-base35-z003-fonts-20170801-10.el8.noarch requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 29: package libspectre-0.2.8-5.el8.x86_64 requires libgs.so.9()(64bit), but none of the providers can be installed
  - package libgs-9.27-1.el8.x86_64 requires urw-base35-fonts, but none of the providers can be installed
  - package evince-libs-3.28.4-9.el8.x86_64 requires libspectre.so.1()(64bit), but none of the providers can be installed
  - package urw-base35-fonts-20170801-10.el8.noarch requires urw-base35-z003-fonts, but none of the providers can be installed
  - package evince-nautilus-3.28.4-9.el8.x86_64 requires libevdocument3.so.4()(64bit), but none of the providers can be installed
  - package evince-nautilus-3.28.4-9.el8.x86_64 requires evince-libs(x86-64) = 3.28.4-9.el8, but none of the providers can be installed
  - package urw-base35-z003-fonts-20170801-10.el8.noarch requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 30: package ghostscript-9.27-1.el8.x86_64 requires libgs.so.9()(64bit), but none of the providers can be installed
  - package ghostscript-9.27-1.el8.x86_64 requires libgs(x86-64) = 9.27-1.el8, but none of the providers can be installed
  - package cups-filters-1.20.0-24.el8.x86_64 requires ghostscript(x86-64) >= 9.27-1, but none of the providers can be installed
  - package libgs-9.27-1.el8.x86_64 requires urw-base35-fonts, but none of the providers can be installed
  - package cups-1:2.2.6-38.el8.x86_64 requires cups-filters, but none of the providers can be installed
  - package urw-base35-fonts-20170801-10.el8.noarch requires urw-base35-z003-fonts, but none of the providers can be installed
  - package gutenprint-cups-5.2.14-3.el8.x86_64 requires cups, but none of the providers can be installed
  - package urw-base35-z003-fonts-20170801-10.el8.noarch requires xorg-x11-server-utils, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering

ggbecker commented 3 years ago

That's really strange. If the profile does not select the rule it should exclude these packages from the installation.

One exaggerated potential cause can be that you selected the STIG profile first, then packages are added to the exclude list and then selected STIG GUI profile and the list of excluded packages is not restored to the initial state.

mildas commented 3 years ago

@ggbecker good point! I've started new installation and selected STIG with GUI first and only these conflicts appear:

 Problem: package libvirt-daemon-driver-storage-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires libvirt-daemon-driver-storage-core = 6.0.0-34.module+el8.4.0+9758+5c420eed, but none of the providers can be installed
  - package libvirt-daemon-kvm-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires libvirt-daemon-driver-storage = 6.0.0-34.module+el8.4.0+9758+5c420eed, but none of the providers can be installed
  - package libvirt-daemon-driver-storage-core-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires nfs-utils, but none of the providers can be installed
  - package gnome-boxes-3.36.5-8.el8.x86_64 requires libvirt-daemon-kvm, but none of the providers can be installed
  - package nfs-utils-1:2.3.3-41.el8.x86_64 requires gssproxy >= 0.7.0-3, but none of the providers can be installed
  - conflicting requests
  - package gssproxy-0.8.0-19.el8.x86_64 is filtered out by exclude filtering

Then I have selected STIG (the one without GUI), after that I've selected STIG with GUI again and xorg-x11-* conflicts are there.

ggbecker commented 3 years ago

> @ggbecker good point! I've started new installation and selected STIG with GUI first and only these conflicts appear:
>
>  Problem: package libvirt-daemon-driver-storage-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires libvirt-daemon-driver-storage-core = 6.0.0-34.module+el8.4.0+9758+5c420eed, but none of the providers can be installed
>   - package libvirt-daemon-kvm-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires libvirt-daemon-driver-storage = 6.0.0-34.module+el8.4.0+9758+5c420eed, but none of the providers can be installed
>   - package libvirt-daemon-driver-storage-core-6.0.0-34.module+el8.4.0+9758+5c420eed.x86_64 requires nfs-utils, but none of the providers can be installed
>   - package gnome-boxes-3.36.5-8.el8.x86_64 requires libvirt-daemon-kvm, but none of the providers can be installed
>   - package nfs-utils-1:2.3.3-41.el8.x86_64 requires gssproxy >= 0.7.0-3, but none of the providers can be installed
>   - conflicting requests
>   - package gssproxy-0.8.0-19.el8.x86_64 is filtered out by exclude filtering
>
> Then I have selected STIG (the one without GUI), after that I've selected STIG with GUI again and xorg-x11-* conflicts are there.

So, there's definitely a bug in the oscap-anaconda-addon where it doesn't reset the packages list to its initial state when switching between profiles in the profile selection screen.

Regarding gssproxy, I remember seeing something related to nfs-utils and that is part of some specific group of packages. Are you installing this machine using beaker? Otherwise we may have to remove this rule from the profile.

mildas commented 3 years ago

> Regarding gssproxy, I remember seeing something related to nfs-utils and that is part of some specific group of packages.

About nfs-utils, I found this - https://github.com/OpenSCAP/oscap-anaconda-addon/pull/121 - but this should be handled within the "Security Policy". However, the gssproxy conflict shows as an error in the "Package Selection".

> Are you installing this machine using beaker? otherwise we may have to remove this rule from the profile.

Nope, I'm installing it on my VM. Btw, I've used RHEL-8.4.0-20210216 compose

ggbecker commented 3 years ago

> > Regarding gssproxy, I remember seeing something related to nfs-utils and that is part of some specific group of packages.
>
> About nfs-utils, I found this - OpenSCAP/oscap-anaconda-addon#121 - but this should be handled within the "Security Policy". However, the gssproxy conflict shows as an error in the "Package Selection".

I guess the fact that nfs-utils will be removed due to gssproxy is only established later down the road when it's removing the packages. During the Security Policy page it only knows that gssproxy package will be removed. We probably need to remove this rule from the stig_gui profile.
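
A triage helper for the solver output quoted in this thread, as an added example that is not part of the issue or of the ComplianceAsCode or oscap-anaconda-addon code: it groups the `Problem` blocks by the excluded package at their root and flags excludes that no selected `package_<name>_removed` rule accounts for. The function names, the abridged sample text and the rule-naming convention (generalized from `package_gssproxy_removed`) are assumptions.

```python
import re
from collections import Counter

# Solver line naming a package that an exclude filter removed from the transaction.
EXCLUDED_RE = re.compile(r"package (\S+) is filtered out by exclude filtering")
# "Problem 3: ..." (numbered) or "Problem: ..." (single problem).
PROBLEM_RE = re.compile(r"^\s*Problem(?: \d+)?: ")
# name-[epoch:]version-release.arch
NEVRA_RE = re.compile(r"^(.+)-(?:\d+:)?[^-]+-[^-]+\.(?:x86_64|i686|noarch)$")

# Constructed sample: abridged excerpt of the solver output quoted in the issue.
AFTER_SWITCH = """\
 Problem 1: package xorg-x11-xinit-1.3.4-18.el8.x86_64 requires xhost, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 2: package gnome-session-wayland-session-3.28.1-10.el8.x86_64 requires xorg-x11-server-Xwayland(x86-64), but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xwayland-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 12: package initial-setup-gui-0.3.81.7-1.el8.x86_64 requires xorg-x11-server-Xorg, but none of the providers can be installed
  - conflicting requests
  - package xorg-x11-server-Xorg-1.20.10-1.el8.x86_64 is filtered out by exclude filtering
 Problem 22: conflicting requests
  - package gdm-1:3.28.3-39.el8.x86_64 requires xorg-x11-server-utils, but none of the providers can be installed
  - package xorg-x11-server-utils-7.7-27.el8.x86_64 is filtered out by exclude filtering
 Problem 25: package nfs-utils-1:2.3.3-41.el8.x86_64 requires gssproxy >= 0.7.0-3, but none of the providers can be installed
  - conflicting requests
  - package gssproxy-0.8.0-19.el8.x86_64 is filtered out by exclude filtering
"""


def pkg_name(nevra):
    """Strip epoch, version, release and arch from a NEVRA string."""
    m = NEVRA_RE.match(nevra)
    return m.group(1) if m else nevra


def excluded_roots(solver_output):
    """Count, per excluded package name, how many Problem blocks it causes."""
    counts = Counter()
    seen = None  # excluded names already counted in the current Problem block
    for line in solver_output.splitlines():
        if PROBLEM_RE.match(line):
            seen = set()
            continue
        m = EXCLUDED_RE.search(line)
        if m and seen is not None:
            name = pkg_name(m.group(1))
            if name not in seen:
                seen.add(name)
                counts[name] += 1
    return dict(counts)


def unexpected_excludes(solver_output, profile_rules):
    """Excluded packages with no matching package_<name>_removed rule selected.

    Assumption: removal rules are named package_<name>_removed, generalized
    from package_gssproxy_removed, the one rule named in the issue.
    """
    return sorted(name for name in excluded_roots(solver_output)
                  if f"package_{name}_removed" not in profile_rules)


if __name__ == "__main__":
    # Hypothetical stand-in for the removal rules selected by the GUI profile.
    rules = {"package_gssproxy_removed"}
    print(excluded_roots(AFTER_SWITCH))
    print(unexpected_excludes(AFTER_SWITCH, rules))
```

Excludes reported by `unexpected_excludes` point at state carried over from a previously selected profile, while an exclude backed by a selected rule (here gssproxy) is a genuine conflict between the profile and the package selection.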