SUSE Linux Enterprise Server 15 Service Pack 1 (SLES 15 SP1)
An autoyast control file that saves a custom security permissions file and selects its installation, fails to apply the custom changes. The security permission is something other than Easy, Secure and Paranoid.
The /etc/permissions.secure file was copied to /etc/permissions.ultra. In a test case, the /usr/bin/crontab permissions were changed from 0755 to 0700. The updates were applied to the autoyast control file as follows:
# Updated security permissions file content
When the installation was complete, the changes had not taken effect.
The same autoyast configuration works fine in SLES12 SP4.
A driver update disk (DUD) with a yast2-security package version greater than yast2-security-4.1.2-6.56 is required to fix the issue. The fix also requires the addition of a post-installation script in the autoyast control file that runs chkstat.
1. Add the following section to your autoyast control file within the <scripts> tag.
chkstat --system --set
2. Start the installation with a DUD file obtained from SUSE Customer Service. This is done by booting from the installation media, selecting Installation and including the DUD= parameter with the path to the updated yast2-security package.
Due to fixes of another issue, the order of writing security settings changed. This made it necessary to run chkstat again in the autoyast control file.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.