From ef8e09a7e4fccdf00ccad630fdfaf60480dc29f2 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin
Date: Tue, 6 Aug 2024 15:19:03 +0200
Subject: [PATCH] Update from upstream (fips-crypto-policy-overlay, ...)

- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected
Related: CRYPTO-14303
Related: RHEL-36450
---
 crypto-policies.spec | 34 +++++++++++++++++++++++++++++++---
 sources | 2 +-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/crypto-policies.spec b/crypto-policies.spec
index 2c7c6f2..7b55cae 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,5 +1,5 @@
-%global git_date 20240802
-%global git_commit 8cb6f2d3cc352133a23130c9f00e6fedcebacb1b
+%global git_date 20240807
+%global git_commit 7ea320fdb852c39c8ede4a41cc78b9135897f1bc
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
@@ -27,6 +27,7 @@ BuildRequires: bind
 BuildRequires: python3-devel >= 3.12
 BuildRequires: python3-pytest
 BuildRequires: make
+BuildRequires: systemd-rpm-macros
 Conflicts: openssl-libs < 1:3.2
 Conflicts: nss < 3.101
@@ -80,6 +81,7 @@ mkdir -p -m 755 %{buildroot}%{_bindir}
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+install -p -m 644 default-fips-config %{buildroot}%{_datarootdir}/crypto-policies/default-fips-config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -132,11 +134,28 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
 posix.symlink(policypath.."/"..fn, cfgfn)
 end
 end
+else
+ if posix.access("%{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed") then
+ os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null 2>/dev/null || :")
+ posix.unlink("%{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed")
+ end
 end
 %pre
+if [ $1 == 2 ]; then # upgrade
+ rm -f %{_sysconfdir}/crypto-policies/config/autopolicy-reapplication-needed || :
+ if mountpoint -q %{_sysconfdir}/crypto-policies/back-ends >/dev/null 2>/dev/null && \
+ mountpoint -q %{_sysconfdir}/crypto-policies/config >/dev/null 2>/dev/null && \
+ grep -Fq '/crypto-policies/back-ends/FIPS %{_sysconfdir}/crypto-policies/back-ends ' /proc/self/mountinfo && \
+ grep -Fq '/crypto-policies/default-fips-config %{_sysconfdir}/crypto-policies/config ' /proc/self/mountinfo; then
+ umount %{_sysconfdir}/crypto-policies/config || :
+ umount %{_sysconfdir}/crypto-policies/back-ends || :
+ touch %{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed || :
+ fi
+fi
 # Drop removed javasystem backend; can be dropped in 11
 rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
+exit 0
 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
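Review bot: The stale-flag cleanup at the top of the new %pre block removes `%{_sysconfdir}/crypto-policies/config/autopolicy-reapplication-needed`, but the flag is created by the later `touch` at `%{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed` and consumed at that same path in the Lua %post branch, so the `rm -f` appears to target the wrong path (`config` is installed as a plain file, so nothing can exist beneath it) and a flag left over from an interrupted earlier upgrade would survive; the line should read `rm -f %{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed || :`. In the %post branch the overlay helper's exit status is discarded by `|| :` and the flag is unlinked unconditionally, so if re-mounting the FIPS overlay fails on a fips=1 host the system is left on the plain back-ends with nothing recording that re-application is still pending; consider keeping the flag on failure, e.g. `if os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null 2>/dev/null") then posix.unlink("%{_sysconfdir}/crypto-policies/autopolicy-reapplication-needed") end` (rpm's embedded Lua returns true on success — confirm for the targeted rpm version), and let the helper's stderr reach the transaction log instead of /dev/null so the failure is visible. The enclosing Lua %post scriptlet begins outside this hunk.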
@@ -162,7 +181,6 @@ rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
@@ -182,9 +200,14 @@ rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
 %{_datarootdir}/crypto-policies/FIPS
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/default-fips-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies
+%{_libexecdir}/fips-setup-helper
+%{_libexecdir}/fips-crypto-policy-overlay
+%{_unitdir}/fips-crypto-policy-overlay.service
+
 %license COPYING.LESSER
 %files scripts
@@ -198,6 +221,11 @@ rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
+* Wed Aug 07 2024 Alexander Sosedkin - 20240807-1.git7ea320f
+- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
+- fips-setup-helper: add a libexec helper for anaconda
+- fips-mode-setup: force --no-bootcfg when UKI is detected
+
 * Fri Aug 02 2024 Alexander Sosedkin - 20240802-1.git8cb6f2d
 - nss: rewrite backend for nss 3.101
diff --git a/sources b/sources
index 0ba2eff..9da9095 100644
--- a/sources
+++ b/sources
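Review bot: The new `%{_unitdir}/fips-crypto-policy-overlay.service` entry in the %files hunk has no matching `%systemd_post` / `%systemd_preun` / `%systemd_postun_with_restart fips-crypto-policy-overlay.service` scriptlets anywhere in the hunks shown, even though the commit adds `BuildRequires: systemd-rpm-macros` for exactly that purpose; if the unit carries an [Install] section it will never be enabled on install or cleaned up on removal, and if it is a static unit that is worth a one-line comment beside the entry, e.g. `# static unit (no [Install] section), no %systemd_* scriptlets needed` — confirm against the shipped unit file. The two new libexec helpers are listed without an explicit `%attr`, so their mode comes from whatever the upstream install step sets; given that %post runs `%{_libexecdir}/fips-crypto-policy-overlay` as root, pinning them with `%attr(0755,root,root)` would make the intended permissions part of the package contract rather than an upstream Makefile detail.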
@@ -1 +1 @@
-SHA512 (crypto-policies-git8cb6f2d.tar.gz) = c0146b4ccacfdc64d014790245c7f6c57f14a29e5552a80ae7eee04c7eec77a3f324d627daee3f288c85fc315004ae9c307355e1faeae28bddf57abbe526b4bf
+SHA512 (crypto-policies-git7ea320f.tar.gz) = 1334a770203a5ff7a1aa8f7f789af1b84404bfd05a8e21c51897afeb54ff8c9d22e6be7c8b7a5f552fe1ded18c947c181602bef978d262f9f1e5e61a3aa92fba