Bug 1829669

Summary: Document how to install an arbitrary pre-generated policy in RHEL 8.2 and above
Product: Red Hat Enterprise Linux 8
Reporter: James Ralston <ralston>
Component: crypto-policies
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: medium
Version: 8.2
CC: jcsible, nmavrogi, omoris
Target Milestone: rc
Keywords: ManPageChange, Triaged
Target Release: 8.3
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20200527-1.git0a29b28.el8
Doc Type: No Doc Update
Last Closed: 2020-11-04 01:58:27 UTC
Type: Bug

Description James Ralston 2020-04-30 03:09:18 UTC
Description of problem:

In the crypto-policies package before RHEL 8.2, additional policies were added to the system by creating a custom policy directory and populating all of the back-end files in that directory.

We leveraged that capability to roll our own custom policy for our RHEL8 hosts. It worked well.

But starting with RHEL 8.2, the mechanism to create custom policies has changed. Instead of creating the required back-end files, one creates a POLICY.pol file, and (optionally) various MODIFICATIONS.pmod files. Rather than focusing on specific applications, the *.pol policy language tends to describe the overall state of the system in terms of permitted ciphers, hashes, key lengths, et al.

Unfortunately, this change has broken our ability to install our own custom policy by pre-generating the necessary back-end files.

Yes, we see the value of the simplistic *.pol policy language for novice administrators. But for advanced configurations, precise and application-specific tailoring is necessary, and the current policy language is wholly inadequate for this task. (This is particularly true in cases where compliance with various standards is required, and compliance with said standards is audited.)

Please bring back the ability to specify an exact back-end policy structure.

Specifically, if I run:

$ update-crypto-policies --set MYPOLICY

…if none of these policy files exists:

/etc/crypto-policies/policies/MYPOLICY.pol
/usr/share/crypto-policies/policies/MYPOLICY.pol

…but a pre-generated back-end directory structure exists:

/usr/share/crypto-policies/MYPOLICY/
/usr/share/crypto-policies/MYPOLICY/bind.txt
/usr/share/crypto-policies/MYPOLICY/gnutls.txt
/usr/share/crypto-policies/MYPOLICY/java.txt
/usr/share/crypto-policies/MYPOLICY/krb5.txt
/usr/share/crypto-policies/MYPOLICY/libreswan.txt
/usr/share/crypto-policies/MYPOLICY/libssh.txt
/usr/share/crypto-policies/MYPOLICY/nss.txt
/usr/share/crypto-policies/MYPOLICY/opensshserver.txt
/usr/share/crypto-policies/MYPOLICY/openssh.txt
/usr/share/crypto-policies/MYPOLICY/opensslcnf.txt
/usr/share/crypto-policies/MYPOLICY/openssl.txt

…then update-crypto-policies should simply install the contents of the /usr/share/crypto-policies/MYPOLICY directory into the /etc/crypto-policies/back-ends directory and assert that the MYPOLICY policy is in effect.

Without functionality like this, we will have no choice but to simply stomp the contents of the /etc/crypto-policies/back-ends directory with the specific back-end policy we need, because there is no way to express the nuances of the application-specific policies we need using the *.pol language.

We don't want to do this. We recognize that attempting to centralize Linux cryptographic configuration is a laudable goal, and we are grateful that Red Hat has undertaken this (challenging!) endeavor. We also see the value in attempting to simplify the cryptographic configuration for novice administrators. But this simplification cannot come at the cost of preventing non-novice administrators from exerting exact control over the various policies for the various back-ends.

Version-Release number of selected component (if applicable):

20191128-2.git23e1bf1.el8

Comment 1 Tomas Mraz 2020-04-30 07:19:25 UTC
This should work fine. It should be sufficient to provide an empty /etc/crypto-policies/policies/MYPOLICY.pol and the hardcoded back-ends from /usr/share/crypto-policies/MYPOLICY/*.txt should still be used and symlinked into the /etc/crypto-policies/back-ends.

If that does not work, then it would be a bug.

Comment 2 James Ralston 2020-05-05 04:33:19 UTC
I can confirm that providing an empty MYPOLICY.pol file does indeed cause the pre-generated back-ends from /usr/share/crypto-policies/MYPOLICY to be symlinked into /etc/crypto-policies/back-ends.

Could this logic be documented in crypto-policies(7), please? It is not currently documented, and it is not necessarily obvious, either.

Thanks!
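The procedure that Comments 1 and 2 arrive at (an empty MYPOLICY.pol next to a pre-generated /usr/share/crypto-policies/MYPOLICY/ directory), as an added shell example that is not part of the bug report or of the crypto-policies package. It activates the policy and then verifies that every back-end config is really a symlink into that directory, so a back-end that was overwritten by hand or left dangling is reported. The ROOT prefix, the function names and the list of back-ends (taken from the report's listing) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the crypto-policies package.
# ROOT is an assumed prefix so the check can run against a staged tree;
# leave it empty on a real host.
ROOT="${ROOT:-}"
# Back-end files expected in a pre-generated policy directory (from the report).
BACKENDS="bind gnutls java krb5 libreswan libssh nss opensshserver openssh opensslcnf openssl"

# check_policy_dir POLICY: 0 if every expected back-end file exists, 1 otherwise.
check_policy_dir() {
    dir="$ROOT/usr/share/crypto-policies/$1"; rc=0
    for b in $BACKENDS; do
        [ -f "$dir/$b.txt" ] || { echo "missing $dir/$b.txt" >&2; rc=1; }
    done
    return $rc
}

# install_policy POLICY: create the empty .pol stub (Comment 1) and activate
# the policy; refuses to switch if the back-end directory is incomplete.
install_policy() {
    check_policy_dir "$1" || return 1
    : > "$ROOT/etc/crypto-policies/policies/$1.pol"   # empty on purpose
    update-crypto-policies --set "$1"
}

# verify_policy POLICY: 0 if POLICY is the active policy and every
# /etc/crypto-policies/back-ends/<b>.config is a symlink to
# /usr/share/crypto-policies/POLICY/<b>.txt; 1 otherwise, one line per problem.
verify_policy() {
    policy="$1"; rc=0
    # /etc/crypto-policies/config records the active policy name
    active=$(awk '!/^#/ && NF {print; exit}' "$ROOT/etc/crypto-policies/config" 2>/dev/null)
    [ "$active" = "$policy" ] || { echo "active policy is '$active', not $policy" >&2; rc=1; }
    for b in $BACKENDS; do
        link="$ROOT/etc/crypto-policies/back-ends/$b.config"
        want="$ROOT/usr/share/crypto-policies/$policy/$b.txt"
        if [ ! -L "$link" ]; then
            echo "$link: not a symlink (overwritten locally?)" >&2; rc=1
        elif [ "$(readlink "$link")" != "$want" ]; then
            echo "$link -> $(readlink "$link"), expected $want" >&2; rc=1
        elif [ ! -f "$want" ]; then
            echo "$link: dangling, $want is missing" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: sh check-policy.sh MYPOLICY   (verification only; install_policy needs root)
if [ -n "${1:-}" ]; then verify_policy "$1"; fi
```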

Comment 10 errata-xmlrpc 2020-11-04 01:58:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4536