📖 ~4 min read • Source: Oracle Bug 31133351
Table of contents
Symptom & Impact
On Oracle Linux 8 systems, Oracle Bug 31133351 documents the behaviour described in the title: Graphical Installation Program Fails to Produce Error When an Unacceptable Kdump Value Is Entered. The condition surfaces during install, boot, or normal operation depending on the affected subsystem. Operators see failed systemctl --failed output, abnormal entries in journalctl -xe, and — where the package is part of the serving path — degraded availability. On Oracle Linux 8 the impact ranges from a single service-restart loop to wider production incidents depending on host role and the criticality of Graphical.
Environment & Reproduction
Reproduction targets Oracle Linux 8 running either the Red Hat Compatible Kernel (RHCK) or the Unbreakable Enterprise Kernel (UEK). Confirm release, kernel, and installed package:
cat /etc/oracle-release
uname -r
rpm -q Graphical
dnf list installed Graphical
dnf history list --reverse | head -20Trigger the workflow that exposes Graphical Installation Program Fails to Produce Error When an Unacceptable Kdump Value Is Entered while collecting:
journalctl -u Graphical -b --no-pager | tail -200
journalctl -xe --no-pager | tail -200
tail -200 /var/log/dnf.log
tail -200 /var/log/audit/audit.logRoot Cause Analysis
Root cause is tracked in the Oracle Linux release notes (Oracle Bug 31133351). The defect lives in a specific kernel, firmware, or userspace component shipped with the GA channel; Oracle has either shipped a fix in a later errata or documented a supported workaround. Correlate transaction history with system logs and SELinux audit entries to isolate the originating change:
dnf history list --reverse | head -30
dnf history info $(dnf history list | awk '/Graphical/ {print $1; exit}')
ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = kernel modules / out-of-tree drivers loadedQuick Triage
Run these checks on Oracle Linux 8 to confirm the failure mode and current state of Graphical:
rpm -q Graphical # installed version
rpm -V Graphical # verify file integrity
dnf updateinfo info --security Graphical # any security advisories outstanding
systemctl --failed --no-pager
firewall-cmd --list-all 2>/dev/null || echo 'firewalld not running'
getenforce # SELinux mode
# If Graphical ships a systemd unit (unit name may differ from the pkg name,
# e.g. httpd pkg/unit match, but bind→named, postgresql-server→postgresql):
systemctl list-unit-files | grep -i Graphical | head -5Step-by-Step Diagnosis
-
List failed units.
systemctl --failed --no-pager -
Follow the journal for
Graphicaland the system bus.journalctl -u Graphical -f --no-pager journalctl -xe -f --no-pager -
Check firewall posture (skip if firewalld is masked).
firewall-cmd --list-all-zones --permanent nft list ruleset 2>/dev/null | head -50 -
Surface SELinux denials and translate them to a policy module if needed.
ausearch -m AVC,USER_AVC -ts today ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix # Inspect /tmp/local-fix.te before applying: sudo semodule -i /tmp/local-fix.pp -
Verify
Graphicalintegrity and dependency closure.dnf check rpm -V Graphical rpm -q --requires Graphical | xargs -r rpm -q --whatprovides | head -
Correlate findings with
/var/log/dnf.log,dnf historyand Oracle Bug 31133351 to pin the change that introduced Graphical Installation Program Fails to Produce Error When an Unacceptable Kdump Value Is Entered.
Solution – Primary Fix
Apply the corrective dnf transaction referenced by Oracle Bug 31133351, reload affected systemd units, and reconcile firewalld / SELinux state:
sudo dnf clean expire-cache
sudo dnf -y update Graphical
sudo systemctl daemon-reload
# If Graphical ships a systemd unit (unit name may differ from pkg name):
sudo systemctl restart Graphical
rpm -q Graphical # confirm new NVR
systemctl is-active Graphical # confirm running (if a unit exists)If the advisory says a reboot is required (kernel, glibc, systemd, openssl):
sudo needs-restarting -r # reports kernel/init/glibc need
sudo systemctl reboot # or: sudo shutdown -r nowNeed help applying this fix at scale? Our IT Solutions & Services team rolls Oracle Linux patches across estates with zero-downtime change windows and Ksplice live-patching. Get in touch for a free consultation.
Solution – Alternative Approaches
If the primary fix is not viable, choose from these alternatives:
-
Roll back the offending dnf transaction:
sudo dnf history list --reverse sudo dnf history undo <id> -
Pin
Graphicalwith the versionlock plugin:sudo dnf install -y python3-dnf-plugin-versionlock sudo dnf versionlock add Graphical sudo dnf versionlock list | grep Graphical -
Downgrade to a known-good NVR from the repo cache or vault:
sudo dnf --showduplicates list Graphical sudo dnf -y downgrade Graphical-<older-NVR> -
Switch firewalld backend (nftables ↔ iptables) for compatibility:
sudo sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf sudo systemctl restart firewalld -
If SELinux is suspected, switch to permissive briefly, capture denials, and author a custom module before re-enforcing:
sudo setenforce 0 # do NOT leave permissive # reproduce the failure sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal sudo semodule -i mylocal.pp sudo setenforce 1 -
Where the advisory has Ksplice coverage, live-patch without reboot (Oracle Linux Premier Support):
sudo uptrack-show # current live patches sudo uptrack-upgrade -y # apply all available uptrack-uname -r # effective kernel after live patching
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q Graphical # shows the expected fixed NVR
dnf updateinfo list --security installed | head # no security advisories pending for us
systemctl is-active Graphical 2>/dev/null # active (if a unit exists)
journalctl -u Graphical --since "5 minutes ago" --no-pager # no new errors
firewall-cmd --list-services # required services present
getenforce # intended mode (Enforcing/Permissive)The original reproduction for Graphical Installation Program Fails to Produce Error When an Unacceptable Kdump Value Is Entered must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
rpm -qa > /root/rpm-pre.txt
dnf history list --reverse > /root/dnf-history-pre.txt
# LVM snapshot of the root LV (size to ~10% of root):
sudo lvcreate -L 4G -s -n root_pre_patch /dev/mapper/$(lvs --noheadings -o lv_path | grep -m1 root | xargs basename)To revert if the patch is bad:
sudo dnf history undo <id>
# Or downgrade just Graphical to the previous NVR:
sudo dnf -y downgrade Graphical
sudo systemctl daemon-reload
# For SELinux module additions:
sudo semodule -r mylocal
# Reboot only if kernel/initramfs/glibc were rolled back:
sudo systemctl rebootFor kernel rollbacks, select the previous entry from the GRUB menu or set it as default with grubby --set-default /boot/vmlinuz-<older>.
Prevention & Hardening
Prevent recurrence on Oracle Linux 8 hosts running Graphical:
-
Enable scheduled security updates via
dnf-automatic:sudo dnf install -y dnf-automatic # Edit /etc/dnf/automatic.conf: # upgrade_type = security # apply_updates = yes sudo systemctl enable --now dnf-automatic.timer -
Subscribe to the Oracle Linux Errata RSS / mailing list at linux.oracle.com/security.
-
Mirror through a local yum/dnf repository:
sudo dnf install -y dnf-utils createrepo_c sudo reposync --download-metadata --downloadcomps -p /srv/repos -m --repo=ol8_baseos_latest sudo createrepo_c /srv/repos/ol-baseos -
Pin sensitive packages so they cannot be auto-upgraded:
sudo dnf install -y python3-dnf-plugin-versionlock sudo dnf versionlock add Graphical -
Snapshot the root LV before every upgrade window:
sudo lvcreate -L 4G -s -n root_pre_$(date +%Y%m%d) /dev/<vg>/<root-lv> -
Monitor file integrity with AIDE:
sudo dnf install -y aide sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz sudo aide --check -
Lock down with SELinux audit rules in
/etc/audit/rules.d/:# /etc/audit/rules.d/90-cp.rules -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/sudoers -p wa -k privilege -a always,exit -F arch=b64 -S execve -k exec -
Where licensed, enable Oracle Ksplice for live kernel and userspace patching:
sudo dnf install -y uptrack ksplice-tools sudo uptrack-upgrade -y sudo systemctl enable --now uptrack
Related Errors & Cross-Refs
Issues that commonly surface alongside Graphical Installation Program Fails to Produce Error When an Unacceptable Kdump Value Is Entered: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Triage with:
cat /proc/sys/kernel/tainted
systemd-analyze critical-chain
ausearch -m AVC -ts today | tail
firewall-cmd --get-active-zones
dnf history list --reverse | headView all oracle-linux-8 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: Oracle Bug 31133351. Useful manual pages on Oracle Linux 8:
man dnf
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man grubbyOther resources: Oracle Linux 8 Administrator’s Guide at docs.oracle.com, the upstream Red Hat CVE database at access.redhat.com/security/cve, the Oracle Ksplice known-fixes feed, and /usr/share/doc/Graphical/ for component-specific notes implicated in Graphical Installation Program Fails to Produce Error When an Unacceptable Kdump Value Is Entered.
