From 9b9c9f7378c3fd375b9a08d5283c530a51a5de34 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: May 29 2020 13:04:23 +0000
Subject: automatically set up FIPS policy in FIPS mode on first install
---
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 99b7b3a..e186170 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -6,7 +6,7 @@
 Name: crypto-policies
 Version: %{git_date}
-Release: 2.git%{git_commit_hash}%{?dist}
+Release: 3.git%{git_commit_hash}%{?dist}
 Summary: System-wide crypto policies
 License: LGPLv2+
@@ -113,6 +113,34 @@ done
 %check
 make check %{?_smp_mflags}
+%pre -p
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local f = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if f then
+ local policy = "DEFAULT"
+ if f:read() == "1" then
+ policy = "FIPS"
+ end
+ f:close()
+ local cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ for fn in posix.files("%{_datarootdir}/crypto-policies/"..policy) do
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(fn, cfgfn)
+ end
+ end
+end
+
 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
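Review bot: Every failure path in the added `%pre` scriptlet is silent, so a host running in FIPS mode can finish a first install without the FIPS policy in place and nothing reports it: a nil result from `io.open(..., "w")` is skipped, the return values of `posix.unlink` and `posix.symlink` are ignored, and when `/proc/sys/crypto/fips_enabled` cannot be opened no policy is written at all. That matters more because the files hunk (`@@ -127,19 +155,19 @@`) turns `config` and every `back-ends/*.config` into `%ghost` entries, so the payload no longer supplies them; and since `%pre` runs before the payload is unpacked, the `state/` and `back-ends/` directories and `%{_datarootdir}/crypto-policies/FIPS` are presumably absent on a first install unless something else provides them, which makes `%post` look like the safer place. `posix.files` also appears to yield bare entry names, `.` and `..` included, rather than paths, so I would guard the loop body with `if fn ~= "." and fn ~= ".." then` and link to the full path, `posix.symlink("%{_datarootdir}/crypto-policies/"..policy.."/"..fn, cfgfn)`. The header reads `%pre -p` with no interpreter name, which looks like markup dropped by the page rather than something in the commit.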
@@ -127,19 +155,19 @@ make check %{?_smp_mflags}
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
-%config(noreplace) %{_sysconfdir}/crypto-policies/config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
-%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -170,6 +198,9 @@ make check %{?_smp_mflags}
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
+* Fri May 29 2020 Tomáš Mráz - 20200527-3.gitb234a47
+- automatically set up FIPS policy in FIPS mode on first install
+
 * Thu May 28 2020 Tomáš Mráz - 20200527-2.gitb234a47
 - require the base package from scripts subpackage
 - add Recommends for fips-mode-setup to the scripts subpackage