From cb8c2a84efde175075d43e3d466042a2a55e7386 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Apr 2020 05:41:27 -0400
Subject: [PATCH] import crypto-policies-20191128-2.git23e1bf1.el8
---
 .crypto-policies.metadata | 2 +-
 .gitignore | 2 +-
 SPECS/crypto-policies.spec | 59 ++++++++++++++++++++++++++++++++------
 3 files changed, 53 insertions(+), 10 deletions(-)
diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata
index ebcb59c..76ab63f 100644
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@@ -1 +1 @@
-7800b6d56a63b575dfb7064bc33539af2c50d1cf SOURCES/crypto-policies-git9b1477b.tar.gz
+bca7f9bff61fcb2c905a139b90575e8623744dc4 SOURCES/crypto-policies-git23e1bf1.tar.gz
diff --git a/.gitignore b/.gitignore
index 5eefce1..3a0975e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/crypto-policies-git9b1477b.tar.gz
+SOURCES/crypto-policies-git23e1bf1.tar.gz
diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec
index 207e211..28da638 100644
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@@ -1,17 +1,19 @@
-%global git_date 20190807
-%global git_commit_hash 9b1477b
+%global git_date 20191128
+%global git_commit_hash 23e1bf1
+
+%global _python_bytecompile_extra 0
 Name: crypto-policies
 Version: %{git_date}
-Release: 1.git%{git_commit_hash}%{?dist}
-Summary: Systemwide crypto policies
+Release: 2.git%{git_commit_hash}%{?dist}
+Summary: System-wide crypto policies
 License: LGPLv2+
 URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # This is a tarball of the git repository without the .git/
 # directory.
-# For RHEL-8 we use the upstream branch next-default.
+# For RHEL-8 we use the upstream branch rhel8.
 Source0: crypto-policies-git%{git_commit_hash}.tar.gz
 BuildArch: noarch
@@ -53,29 +55,46 @@ to enable or disable the system FIPS mode.
 %setup -q -n %{name}
 %build
-make %{?_smp_mflags}
+%make_build
 %install
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
+
 %check
 make check %{?_smp_mflags}
-%post
-%{_bindir}/update-crypto-policies --no-check >/dev/null
+%posttrans
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 %files
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
 %dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
 %config(noreplace) %{_sysconfdir}/crypto-policies/config
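Review bot: The new `%posttrans` line discards stderr and forces a zero exit with `|| :`, so a failed `update-crypto-policies` run leaves no trace in the package transaction. If it does fail, the `%ghost` back-end files under `/etc/crypto-policies/back-ends/` are presumably left stale or absent, and applications would keep running with whatever crypto settings were there before, unnoticed. Keeping the scriptlet non-fatal is reasonable, but the diagnostics should survive: `%{_bindir}/update-crypto-policies --no-check >/dev/null || :`. As a smaller style point, the `%install` loop expands `$d` and `$f` unquoted in the `mkdir`, `ln` and `basename` calls; quoting them (`"$f"`, `"$d"`) would keep the hard-link step correct for buildroot paths containing spaces or glob characters.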
@@ -91,6 +110,7 @@ make check %{?_smp_mflags}
 %ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
 %ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %{_bindir}/update-crypto-policies
 %{_bindir}/fips-mode-setup
@@ -104,13 +124,36 @@ make check %{?_smp_mflags}
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
 %{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+%{_datarootdir}/crypto-policies/python
 %{!?_licensedir:%global license %%doc}
 %license COPYING.LESSER
 %changelog
+* Mon Dec 16 2019 Tomáš Mráz - 20191128-2.git23e1bf1
+- move the pre-built .config files to /usr/share/crypto-policies/back-ends
+
+* Fri Nov 29 2019 Tomáš Mráz - 20191128-1.git23e1bf1
+- fips-mode-setup: compatibility with RHCOS
+
+* Thu Nov 28 2019 Tomáš Mráz - 20191127-1.git1179826
+- add FIPS subpolicy for OSPP
+
+* Tue Oct 29 2019 Tomáš Mráz - 20191022-1.gite17cc3a
+- custom crypto policies support
+- update-crypto-policies: fix handling of list operations in policy modules
+- update-crypto-policies: fix updating of the current policy marker
+- fips-mode-setup: fixes related to containers and non-root execution
+- make it possible to use fips-mode-setup --check without dracut
+- add .config symlinks so a crypto policy can be set with read-only
+ /etc by bind-mounting /usr/share/crypto-policies/ to
+ /etc/crypto-policies/back-ends
+- run the update-crypto-policies in posttrans
+
 * Wed Aug 7 2019 Tomáš Mráz - 20190807-1.git9b1477b
 - gnutls: enable TLS-1.3 in the FIPS policy