Bug 2026657

Summary: Running fips-mode-setup --enable forces "base" FIPS crypto policy, when module is enabled
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: crypto-policiesAssignee: Alexander Sosedkin <asosedki>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.0CC: jjaburek, jpazdziora, omoris, vpolasek
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: crypto-policies-20220203-1.gitf03e75e.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 15:54:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2021-11-25 12:36:56 UTC 
Description of problem:

When fips-mode-setup --enable is run without first checking fips-mode-setup --is-enabled or --check, the crypto policy is set to FIPS, even if a FIPS policy with module (like FIPS:OSPP) is already set.

Version-Release number of selected component (if applicable):

crypto-policies-scripts-20210922-1.git6fb269b.el9.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install system with fips=1 kernel command-line parameter.
2. Check that FIPS mode is enabled:
   # fips-mode-setup --check
   FIPS mode is enabled.
3. Set crypto policy to FIPS with module:
   # update-crypto-policies --no-reload --set FIPS:OSPP
   Setting system policy to FIPS:OSPP
   Note: System-wide crypto policies are applied on application start-up.
   It is recommended to restart the system for the change of policies
   to fully take place.
4. Check the configured crypto policy:
   # update-crypto-policies --show && update-crypto-policies --check
   FIPS:OSPP
   The configured policy matches the generated policy
5. Check that FIPS mode is enabled:
   # fips-mode-setup --check
   FIPS mode is enabled.
6. Run fips-mode-setup --enable again, maybe to be extra sure, or by mistake:
   # fips-mode-setup --enable
   Setting system policy to FIPS
   Note: System-wide crypto policies are applied on application start-up.
   It is recommended to restart the system for the change of policies
   to fully take place.
   FIPS mode will be enabled.
   Please reboot the system for the setting to take effect.
7. Check the crypto policy now:
   # update-crypto-policies --show

Actual results:

FIPS

Expected results:

FIPS:OSPP

Additional info:

In the same way fips-mode-setup --check reports success when it finds FIPS:OSPP crypto policy configured, --enable should preserve the policy module if the base policy is FIPS.
Comment 10 errata-xmlrpc 2022-05-17 15:54:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: crypto-policies), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3953