sshd_include_crypto_policy remediation breaks SSH when run in OSBuild

[comps]

Description of problem:

The problem is that the remediation (both Bash and Ansible) does

dnf -y remove openssh-server
dnf -y install openssh-server
systemctl restart sshd.service

presumably to re-generate the on-disk files used by openssh-server.

This is a problem for the OSBuild environment, because while the removal happens just fine (extra debug lines redacted):

INFO --- logging initialized ---
DEBUG Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, notify-packagekit, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade, uploadprofile
DDEBUG Command: dnf -y remove openssh-server 
DDEBUG Extra commands: ['-y', 'remove', 'openssh-server']
DEBUG --> Starting dependency resolution
DEBUG --> Finding unneeded leftover dependencies
DEBUG ---> Package openssh-server.x86_64 8.7p1-44.el9 will be erased
DEBUG --> Finished dependency resolution
INFO Dependencies resolved.
INFO ================================================================================
 Package               Architecture  Version               Repository      Size
================================================================================
Removing:
 openssh-server        x86_64        8.7p1-44.el9          @System        1.0 M

Transaction Summary
================================================================================
Remove  1 Package
INFO Freed space: 1.0 M
INFO Running transaction check
INFO Transaction check succeeded.
INFO Running transaction test
INFO Transaction test succeeded.
DEBUG Removed: openssh-server-8.7p1-44.el9.x86_64
INFO Complete!

the subsequent install fails on not having network in the OSBuild build environment,

INFO --- logging initialized ---
DEBUG Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, notify-packagekit, playground, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade, uploadprofile
DDEBUG Command: dnf -y install openssh-server 
DDEBUG Extra commands: ['-y', 'install', 'openssh-server']
DEBUG repo: downloading from remote: beaker-AppStream-source-extra
DEBUG error: Curl error (6): Couldn't resolve host name for http://redacted-internal-download-server/rhel-9/composes/RHEL-9/RHEL-9.6.0-20250204.2/compose/AppStream/source/tree/repodata/repomd.xml [Could not resolve host: redacted-internal-download-server] (http://redacted-internal-download-server/rhel-9/composes/RHEL-9/RHEL-9.6.0-20250204.2/compose/AppStream/source/tree/repodata/repomd.xml).
WARNING Errors during downloading metadata for repository 'beaker-AppStream-source-extra':
n't resolve host name for http://redacted-internal-download-server/rhel-9/composes/RHEL-9/RHEL-9.6.0-20250204.2/compose/AppStream/source/tree/repodata/repomd.xml [Could not resolve host: redacted-internal-download-server]
WARNING Error: Failed to download metadata for repo 'beaker-AppStream-source-extra': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

So perhaps the remediation should be notapplicable for OSBuild ... ?

Maybe look into why this is a RHEL-9 only issue and doesn't happen on RHEL-10 - was there some OSBuild env change on 10?

SCAP Security Guide Version:

master @ c10d93d

Operating System Version:

RHEL-9.6

Steps to Reproduce:

1. Run custom productization as --rhel 9.6 --arch x86_64 --test '/hardening/image-builder/stig$'
2. Observe something like TimeoutError: waiting for 192.168.120.146:22 to start timed out

You can also reproduce it by running the test manually and using a serial console into the VM guest to look at /var/log/dnf.log like I did.

Additional Information/Debugging Steps:

• OSBuild log showing oscap execution: contest-osbuild.txt

[evgenyz]

Cause of the problem: #12931