Bug 2129383

Summary: fips-mode-setup --enable does not work - it always sets the policy to your current one
Product: Red Hat Enterprise Linux 9
Reporter: Zdenek Dohnal <zdohnal>
Component: crypto-policies
Assignee: Alexander Sosedkin <asosedki>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 9.2
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-10-04 15:08:10 UTC
Type: Bug

Description Zdenek Dohnal 2022-09-23 14:27:57 UTC
Description of problem:
If I call 'fips-mode-setup --enable' in my test, the current crypto policy - DEFAULT - is chosen instead of FIPS.

Test link http://artifacts.osci.redhat.com/baseos-ci/brew-build/47/89/88/47898875/https___baseos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com-ci-artemis/33430/tmpM7PD3f.01/recipes/1/tasks/7/logs/taskout.log

:: [ 13:59:48 ] :: [  BEGIN   ] :: Running 'fips-mode-setup --check'
Installation of FIPS modules is not completed.
FIPS mode is disabled.
:: [ 13:59:48 ] :: [   PASS   ] :: Command 'fips-mode-setup --check' (Expected 0, got 0)
:: [ 13:59:48 ] :: [  BEGIN   ] :: Start FIPS mode :: actually running 'fips-mode-setup --enable'
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.

...reboot...

:: [ 14:01:17 ] :: [  BEGIN   ] :: FIPS mode is enabled :: actually running 'fips-mode-setup --is-enabled'
:: [ 14:01:18 ] :: [   FAIL   ] :: FIPS mode is enabled (Expected 0, got 1)
:: [ 14:01:18 ] :: [  BEGIN   ] :: Running 'fips-mode-setup --check'
FIPS mode is disabled.
Inconsistent state detected.
:: [ 14:01:19 ] :: [   FAIL   ] :: Command 'fips-mode-setup --check' (Expected 0, got 1)

If I connect to the machine and try it manually:

# fips-mode-setup --enable
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.

# reboot

After reboot:

# fips-mode-setup --check
FIPS mode is disabled.
Inconsistent state detected.

Version-Release number of selected component (if applicable):
crypto-policies-20220815-1.git0fbe86f.el9.noarch

How reproducible:
always

Steps to Reproduce:
1. fips-mode-setup --enable
2. reboot
3. fips-mode-setup --check

Actual results:
Disabled FIPS after reboot


Expected results:
Enabled FIPS after reboot
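An added example, not part of this bug report or of the crypto-policies project, that mirrors the consistency check behind the "Inconsistent state detected" message seen above: it compares the kernel FIPS flag with the active crypto policy name. The assumption here is that fips-mode-setup --check inspects /proc/sys/crypto/fips_enabled and the policy name stored in /etc/crypto-policies/config; both paths are parameters so the function can also be run against constructed files.

```shell
#!/bin/sh
# Added example: reproduce the three-way FIPS state classification
# (enabled / disabled / inconsistent) from the kernel flag and the
# active crypto policy. Assumption: fips-mode-setup --check compares
# /proc/sys/crypto/fips_enabled with the policy name in
# /etc/crypto-policies/config; any FIPS-based policy (FIPS, FIPS:OSPP,
# ...) counts as a FIPS policy.

# fips_state KERNEL_FLAG_FILE POLICY_CONFIG_FILE
# Prints enabled, disabled or inconsistent.
# Exit status: 0 enabled, 1 disabled, 2 inconsistent (mirrors the
# "Expected 0, got 1" seen in the report's --check step).
fips_state() {
    flag_file=$1
    policy_file=$2
    kernel_fips=0
    if [ -r "$flag_file" ]; then
        read -r kernel_fips < "$flag_file"
    fi
    policy=""
    if [ -r "$policy_file" ]; then
        read -r policy < "$policy_file"
    fi
    case $policy in
        FIPS|FIPS:*) policy_fips=1 ;;
        *)           policy_fips=0 ;;
    esac
    if [ "$kernel_fips" = 1 ] && [ "$policy_fips" = 1 ]; then
        echo enabled
        return 0
    elif [ "$kernel_fips" != 1 ] && [ "$policy_fips" = 0 ]; then
        echo disabled
        return 1
    else
        # Policy says FIPS but the kernel did not boot with fips=1
        # (or the reverse): the state the report ran into after reboot.
        echo inconsistent
        return 2
    fi
}

# On a real RHEL 9 host (paths per the assumption above):
# fips_state /proc/sys/crypto/fips_enabled /etc/crypto-policies/config
```

After a reboot following fips-mode-setup --enable, "inconsistent" with kernel flag 0 and policy FIPS means the policy switch was applied but the kernel was not booted with FIPS enabled, which is the pattern in the report's output.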