Update from upstream (fips-crypto-policy-overlay, ...)

- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1 - fips-setup-helper: add a libexec helper for anaconda - fips-mode-setup: force --no-bootcfg when UKI is detected Related: CRYPTO-14303 Related: RHEL-36450
2024-08-06 15:19:03 +02:00 · 2024-08-06 15:19:03 +02:00 · ef8e09a7e4
commit ef8e09a7e4
parent 401c4827c4
2 changed files with 32 additions and 4 deletions
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -1,5 +1,5 @@
-%global git_date 20240802
-%global git_commit 8cb6f2d3cc352133a23130c9f00e6fedcebacb1b
+%global git_date 20240807
+%global git_commit 7ea320fdb852c39c8ede4a41cc78b9135897f1bc
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}

 %global _python_bytecompile_extra 0
@ -27,6 +27,7 @@ BuildRequires: bind
 BuildRequires: python3-devel >= 3.12
 BuildRequires: python3-pytest
 BuildRequires: make
+BuildRequires: systemd-rpm-macros

 Conflicts: openssl-libs < 1:3.2
 Conflicts: nss < 3.101
@ -80,6 +81,7 @@ mkdir -p -m 755 %{buildroot}%{_bindir}

 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+install -p -m 644 default-fips-config %{buildroot}%{_datarootdir}/crypto-policies/default-fips-config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol

@ -132,11 +134,28 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
            posix.symlink(policypath.."/"..fn, cfgfn)
        end
    end
+else
+    if posix.access("%{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed") then
+        os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null 2>/dev/null || :")
+        posix.unlink("%{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed")
+    end
 end

 %pre
+if [ $1 == 2 ]; then  # upgrade
+    rm -f %{_sysconfdir}/crypto-policies/config/autopolicy-reapplication-needed || :
+    if mountpoint -q %{_sysconfdir}/crypto-policies/back-ends >/dev/null 2>/dev/null && \
+            mountpoint -q %{_sysconfdir}/crypto-policies/config >/dev/null 2>/dev/null && \
+            grep -Fq '/crypto-policies/back-ends/FIPS %{_sysconfdir}/crypto-policies/back-ends ' /proc/self/mountinfo && \
+            grep -Fq '/crypto-policies/default-fips-config %{_sysconfdir}/crypto-policies/config ' /proc/self/mountinfo; then
+        umount %{_sysconfdir}/crypto-policies/config || :
+        umount %{_sysconfdir}/crypto-policies/back-ends || :
+        touch %{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed || :
+    fi
+fi
 # Drop removed javasystem backend; can be dropped in 11
 rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
+exit 0

 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
@ -162,7 +181,6 @@ rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
@ -182,9 +200,14 @@ rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
 %{_datarootdir}/crypto-policies/FIPS
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/default-fips-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies

+%{_libexecdir}/fips-setup-helper
+%{_libexecdir}/fips-crypto-policy-overlay
+%{_unitdir}/fips-crypto-policy-overlay.service
+
 %license COPYING.LESSER

 %files scripts
@ -198,6 +221,11 @@ rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
 %{_mandir}/man8/fips-finish-install.8*

 %changelog
+* Wed Aug 07 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240807-1.git7ea320f
+- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
+- fips-setup-helper: add a libexec helper for anaconda
+- fips-mode-setup: force --no-bootcfg when UKI is detected
+
 * Fri Aug 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240802-1.git8cb6f2d
 - nss: rewrite backend for nss 3.101

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (crypto-policies-git8cb6f2d.tar.gz) = c0146b4ccacfdc64d014790245c7f6c57f14a29e5552a80ae7eee04c7eec77a3f324d627daee3f288c85fc315004ae9c307355e1faeae28bddf57abbe526b4bf
+SHA512 (crypto-policies-git7ea320f.tar.gz) = 1334a770203a5ff7a1aa8f7f789af1b84404bfd05a8e21c51897afeb54ff8c9d22e6be7c8b7a5f552fe1ded18c947c181602bef978d262f9f1e5e61a3aa92fba