Bug 1195850

Summary: libgcrypt drops suid root rights on library load when fips is enabled
Product: [Fedora] Fedora
Reporter: Hans de Goede <hdegoede>
Component: libgcrypt
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: pbrobinson, rdieter, robatino, tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libgcrypt-1.6.3-1.fc22
Doc Type: Bug Fix
Last Closed: 2015-03-09 15:09:41 UTC
Type: Bug
Bug Blocks: 1043125

Description Hans de Goede 2015-02-24 17:21:02 UTC
On Tue, 2015-02-24 at 10:42 +0100, Hans de Goede wrote:
> Hi all,
>
> Debugging this took me ages, so I thought I would share this with you.
> With the new gdm on wayland that landed in F-22 recently, Xorg gets started
> as a regular user.
>
> This is a good thing as we want to move to Xorg running as a regular user,
> but we're not 100% there yet, so currently Xorg is still suid-root, and
> needs those root rights to function properly.
>
> But when fips is enabled either on the kernel command line or an /etc/system-fips
> file exists, one of the libraries X is using is dropping the root rights at
> early library init and things fail.
>
> So if X is not working for you all of a sudden, make sure you do not have
> fips enabled on the kernel command line, and remove any /etc/system-fips
> file you may have.

This is an unintended side effect of running the FIPS selftest in the
libgcrypt constructor; we need to fix that. Please open a new bug
against libgcrypt so the bug fix is tracked.
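
An added example, not part of the original report and not libgcrypt or Xorg code: a set-uid program can compare the ids the kernel recorded at exec time (the auxiliary vector) with its effective uid at the start of main(), after all shared-library constructors have run, to detect that a library changed its privileges during load. The enum and function names are hypothetical; getauxval() with AT_UID and AT_EUID is the Linux libc interface assumed here.

```c
/* Added diagnostic example; names are hypothetical. Linux only. */
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval(), AT_UID, AT_EUID */
#include <sys/types.h>
#include <unistd.h>

enum priv_state { PRIV_NOT_SUID = 0, PRIV_KEPT = 1, PRIV_DROPPED = 2 };

/* Pure classification, so it can be exercised with constructed uid values. */
enum priv_state classify_privs(uid_t exec_ruid, uid_t exec_euid, uid_t cur_euid)
{
    if (exec_ruid == exec_euid)
        return PRIV_NOT_SUID;   /* not started set-uid: nothing to lose */
    if (cur_euid == exec_euid)
        return PRIV_KEPT;       /* still holding the set-uid identity */
    return PRIV_DROPPED;        /* euid changed between execve() and now */
}

/* Compare the ids the kernel stored in the auxiliary vector at execve()
 * with the live effective uid of the process. */
enum priv_state check_privs_since_exec(void)
{
    uid_t exec_ruid = (uid_t)getauxval(AT_UID);
    uid_t exec_euid = (uid_t)getauxval(AT_EUID);
    return classify_privs(exec_ruid, exec_euid, geteuid());
}

int main(void)
{
    /* The dynamic linker has already run every shared-library constructor
     * by the time main() starts, so a drop seen here happened during load. */
    enum priv_state s = check_privs_since_exec();

    printf("euid at exec: %lu, euid now: %lu\n",
           (unsigned long)getauxval(AT_EUID), (unsigned long)geteuid());
    if (s == PRIV_DROPPED) {
        fprintf(stderr, "effective uid changed before main(): "
                        "a library constructor altered privileges\n");
        return 1;
    }
    return 0;
}
```

The check only sees libraries the binary is actually linked against, so it has to be built into (or linked the same way as) the set-uid program being debugged.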

Comment 1 Fedora Blocker Bugs Application 2015-03-09 09:08:18 UTC
Proposed as a Blocker for 22-beta by Fedora user pbrobinson using the blocker tracking app because:

 Stops core desktop working when FIPS is enabled

Comment 2 Rex Dieter 2015-03-09 13:13:39 UTC
Is FIPS mode a blocker? (if so, under what criteria?)

Comment 3 Tomas Mraz 2015-03-09 15:09:41 UTC
This should be fixed in rawhide and a recent F22 update in testing.

Comment 4 Tomas Mraz 2015-03-09 15:10:31 UTC
Also, I do not think a FIPS mode regression should be a release blocker.