Bug 1654645
Summary: | fips-mode-setup --disable is incomplete | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Ondrej Moriš <omoris> |
Component: | crypto-policies | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.0 | CC: | nmavrogi |
Target Milestone: | rc | | |
Target Release: | 8.0 | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-11-30 08:35:18 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Ondrej Moriš
2018-11-29 10:30:39 UTC
Yes, this is expected behavior implemented as required by FIPS 140-2 Implementation Guidance. The effect of fips-finish-install is and must be irreversible.

Thank you both. I also discussed this with Tomas privately and now it makes sense to me. I checked the documentation and the man page FIPS-FINISH-INSTALL(8) is quite clear about this: "[T]he completion of the installation cannot be undone. The system has to be reinstalled if the FIPS modules are not supposed to be installed anymore." Since we cannot really expect anyone to toggle between FIPS mode enabled and disabled, I think this explanation is sufficient (in combination with the fips-mode-setup(8) man page). We should only make sure that components related to modules behave the same way as on a system where FIPS mode was never turned on.