Bug 1921646

Summary: postinstall scripts creates wrong link for /etc/crypto-policies/back-ends/.config
Product: Red Hat Enterprise Linux 8
Component: crypto-policies
Version: 8.8
Reporter: Nir Levy <nlevy>
Assignee: Alexander Sosedkin <asosedki>
QA Contact: Ondrej Moriš <omoris>
Docs Contact: Jan Fiala <jafiala>
CC: asosedki, jafiala, omoris, phybl, pvrabec
Status: CLOSED ERRATA
Severity: high
Priority: low
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20221215-1.gitece0092.el8
Doc Type: Bug Fix
Doc Text:
.`crypto-policies` no longer creates unnecessary symlink
During system installation, the `crypto-policies` scriptlet creates symlinks to the files in the `/usr/share/crypto-policies/DEFAULT` directory (or `/usr/share/crypto-policies/FIPS` in FIPS mode) and saves them in the `/etc/crypto-policies/back-ends` directory. Previously, `crypto-policies` incorrectly included directories in this list, and created a `/etc/crypto-policies/back-ends/.config` symlink that pointed to the `/usr/share/crypto-policies/DEFAULT` or `/usr/share/crypto-policies/FIPS` directory. With this update, `crypto-policies` does not create symlinks from directories, and therefore does not create this unnecessary symlink.
Type: Bug
Last Closed: 2023-05-16 09:11:00 UTC

Description Nir Levy 2021-01-28 11:23:31 UTC
Description of problem:

The post-install script, which creates a link to the chosen policy,
points to the wrong target (-> /usr/share/crypto-policies/DEFAULT/..).


Version-Release number of selected component (if applicable):
crypto-policies-20200713-1.git51d1222.el8.noarch.rpm

Steps to Reproduce:
1. After fresh install.

Actual results:
If the policy is DEFAULT,

ls -l /etc/crypto-policies/back-ends/.config results in
/usr/share/crypto-policies/DEFAULT/.


Expected results:
ls -l /etc/crypto-policies/back-ends/.config results in
/usr/share/crypto-policies/DEFAULT/..

Additional info:

Verified the issue is indeed in the Lua script:
removing /etc/crypto-policies/config
and rebuilding the rpm with

postinstall scriptlet (using <lua>):
if not posix.access("/etc/crypto-policies/config") then
    -- first install: pick DEFAULT, or FIPS if the kernel is in FIPS mode
    local policy = "DEFAULT"
    local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
    if cf then
        if cf:read() == "1" then
            policy = "FIPS"
        end
        cf:close()
    end
    -- record the chosen policy
    cf = io.open("/etc/crypto-policies/config", "w")
    if cf then
        cf:write(policy.."\n")
        cf:close()
    end
    cf = io.open("/etc/crypto-policies/state/current", "w")
    if cf then
        cf:write(policy.."\n")
        cf:close()
    end
    local policypath = "/usr/share/crypto-policies/"..policy
    -- trace file added for debugging: logs every link as it is created
    local cff = io.open("/tmp/trace_cp_links", "w+")
    -- posix.files() also yields "." and "..", whose back-end name becomes ""
    for fn in posix.files(policypath) do
        -- strip any directory part and everything from the first "." on
        local backend = fn:gsub(".*/", ""):gsub("%..*", "")
        local cfgfn = "/etc/crypto-policies/back-ends/"..backend..".config"
        cff:write(cfgfn.."\n")
        posix.unlink(cfgfn)
        posix.symlink(policypath.."/"..fn, cfgfn)
        cff:write("->"..policypath.."/"..fn.."\n")
    end
    cff:close()
end


[root@localhost ~]# cat /tmp/trace_cp_links
/etc/crypto-policies/back-ends/.config
->/usr/share/crypto-policies/DEFAULT/.
/etc/crypto-policies/back-ends/.config
->/usr/share/crypto-policies/DEFAULT/..
/etc/crypto-policies/back-ends/bind.config
->/usr/share/crypto-policies/DEFAULT/bind.txt
/etc/crypto-policies/back-ends/gnutls.config
->/usr/share/crypto-policies/DEFAULT/gnutls.txt
/etc/crypto-policies/back-ends/java.config
->/usr/share/crypto-policies/DEFAULT/java.txt
/etc/crypto-policies/back-ends/krb5.config
->/usr/share/crypto-policies/DEFAULT/krb5.txt
/etc/crypto-policies/back-ends/libreswan.config
->/usr/share/crypto-policies/DEFAULT/libreswan.txt
/etc/crypto-policies/back-ends/libssh.config
->/usr/share/crypto-policies/DEFAULT/libssh.txt
/etc/crypto-policies/back-ends/nss.config
->/usr/share/crypto-policies/DEFAULT/nss.txt
/etc/crypto-policies/back-ends/openssh.config
->/usr/share/crypto-policies/DEFAULT/openssh.txt
/etc/crypto-policies/back-ends/opensshserver.config
->/usr/share/crypto-policies/DEFAULT/opensshserver.txt
/etc/crypto-policies/back-ends/openssl.config
->/usr/share/crypto-policies/DEFAULT/openssl.txt
/etc/crypto-policies/back-ends/opensslcnf.config
->/usr/share/crypto-policies/DEFAULT/opensslcnf.txt

It can be observed that the link /etc/crypto-policies/back-ends/.config
is created twice, and the second time with the wrong target:

/etc/crypto-policies/back-ends/.config
->/usr/share/crypto-policies/DEFAULT/.
/etc/crypto-policies/back-ends/.config
->/usr/share/crypto-policies/DEFAULT/..

I did not verify this, but it looks like the '.' local folder
is returned by posix.files(policypath),
and it creates the wrong link.

This is how I tested:

postinstall scriptlet (using <lua>):
if posix.access("/etc/crypto-policies/config") then
    local policy = "DEFAULT"
    local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
    if cf then
        if cf:read() == "1" then
            policy = "FIPS"
        end
        cf:close()
    end
    cf = io.open("/etc/crypto-policies/config", "w")
    if cf then
        cf:write(policy.."\n")
        cf:close()
    end
    cf = io.open("/etc/crypto-policies/state/current", "w")
    if cf then
        cf:write(policy.."\n")
        cf:close()
    end
    local policypath = "/usr/share/crypto-policies/"..policy
    local cff = io.open("/tmp/yyyy", "w+")
    for fn in posix.files(policypath) do
        local backend = fn:gsub(".*/", ""):gsub("%..*", "")
        local cfgfn = "/etc/crypto-policies/back-ends/"..backend..".config"
        cff:write(cfgfn.."\n")
        posix.unlink(cfgfn)
        posix.symlink(policypath.."/"..fn, cfgfn)
        cff:write("->"..policypath.."/"..fn.."\n")
    end
    cff:close()
end


[root@localhost ~]# cat /tmp/yyyy
/etc/crypto-policies/back-ends/.config
->/usr/share/crypto-policies/DEFAULT/.
/etc/crypto-policies/back-ends/.config
->/usr/share/crypto-policies/DEFAULT/..
/etc/crypto-policies/back-ends/bind.config
->/usr/share/crypto-policies/DEFAULT/bind.txt
/etc/crypto-policies/back-ends/gnutls.config
->/usr/share/crypto-policies/DEFAULT/gnutls.txt
/etc/crypto-policies/back-ends/java.config
->/usr/share/crypto-policies/DEFAULT/java.txt
/etc/crypto-policies/back-ends/krb5.config
->/usr/share/crypto-policies/DEFAULT/krb5.txt
/etc/crypto-policies/back-ends/libreswan.config
->/usr/share/crypto-policies/DEFAULT/libreswan.txt
/etc/crypto-policies/back-ends/libssh.config
->/usr/share/crypto-policies/DEFAULT/libssh.txt
/etc/crypto-policies/back-ends/nss.config
->/usr/share/crypto-policies/DEFAULT/nss.txt
/etc/crypto-policies/back-ends/openssh.config
->/usr/share/crypto-policies/DEFAULT/openssh.txt
/etc/crypto-policies/back-ends/opensshserver.config
->/usr/share/crypto-policies/DEFAULT/opensshserver.txt
/etc/crypto-policies/back-ends/openssl.config
->/usr/share/crypto-policies/DEFAULT/openssl.txt
/etc/crypto-policies/back-ends/opensslcnf.config
->/usr/share/crypto-policies/DEFAULT/opensslcnf.txt

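The scriptlet above derives each back-end link name from every entry posix.files() returns, so the "." and ".." entries both collapse to an empty back-end name and produce the stray .config link. The following POSIX sh script is an added example written for this page; it is not the crypto-policies scriptlet and not code from the bug report. It does two things with the layout the report describes: builds the back-end links the way the loop intends (only from regular *.txt files, so directory entries can never yield a link) and audits an existing back-ends directory for links that do not point at a regular file inside the active policy directory. The function names and the policy/back-ends directory parameters are this example's own; nothing touches /etc unless you pass it.

```shell
#!/bin/sh
# Added example, not code from the crypto-policies package or the bug report.
#
# make_backend_links POLICYDIR BACKENDS
#   creates BACKENDS/<name>.config -> POLICYDIR/<name>.txt for every regular
#   *.txt file in POLICYDIR. Mirrors the scriptlet loop, but because it
#   iterates a *.txt glob and checks -f, "." and ".." never reach the loop
#   body, so no ".config" link (empty back-end name) can be produced.
#
# audit_backend_links POLICYDIR BACKENDS
#   prints one line per link and returns 1 if any link has an empty back-end
#   name, is not a symlink, points outside POLICYDIR, or points at something
#   that is not a regular file. The ".config -> DEFAULT/.." link from the
#   report fails the first and last checks.

make_backend_links() {
    policydir=$1
    backends=$2
    for src in "$policydir"/*.txt; do
        # skip an unexpanded glob, directories and anything not a regular file
        [ -f "$src" ] || continue
        name=${src##*/}
        backend=${name%.txt}
        link="$backends/$backend.config"
        rm -f "$link"
        ln -s "$src" "$link"
    done
}

audit_backend_links() {
    policydir=$1
    backends=$2
    bad=0
    # *.config does not match dotfiles in sh globbing, so name .config explicitly
    for link in "$backends"/.config "$backends"/*.config; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        name=${link##*/}
        backend=${name%.config}
        if [ -z "$backend" ]; then
            echo "BAD  $link: empty back-end name (derived from '.' or '..')"
            bad=$((bad + 1)); continue
        fi
        if [ ! -L "$link" ]; then
            echo "BAD  $link: not a symlink"
            bad=$((bad + 1)); continue
        fi
        target=$(readlink "$link")
        case $target in
            "$policydir"/*) ;;
            *) echo "BAD  $link -> $target: outside $policydir"
               bad=$((bad + 1)); continue ;;
        esac
        if [ ! -f "$target" ]; then
            echo "BAD  $link -> $target: not a regular file"
            bad=$((bad + 1)); continue
        fi
        echo "OK   $link -> $target"
    done
    [ "$bad" -eq 0 ]
}
```

On a real RHEL 8 host the audit would be run as, for example, audit_backend_links /usr/share/crypto-policies/DEFAULT /etc/crypto-policies/back-ends, where the first argument is the directory named in /etc/crypto-policies/config; the check is read-only. The builder is deliberately parameterised so it can be exercised against a throwaway directory tree before being trusted anywhere near /etc.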
Comment 1 Alexander Sosedkin 2021-01-28 12:07:09 UTC
I'm not sure whether .config creation is intentional at all,
I feel like its presence stems from an oversight of the fact that `posix.files` yields `.`/`..` as well.

Would you be fine with a solution I've applied in
https://src.fedoraproject.org/rpms/crypto-policies/blob/master/f/crypto-policies.spec#_124,
which prevents any `.config` link from being created in the first place?

Comment 2 Nir Levy 2021-01-28 16:11:51 UTC
No proprietary action is done with this link,
so if it is not intentional and not used, then for sure we are fine with removing it.

Comment 17 errata-xmlrpc 2023-05-16 09:11:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3025