Bug 1658007 - Warn admin that daemons/services after change in system crypto policy have to be restarted
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: Ondrej Moriš
Reported: 2018-12-11 02:38 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-06-13 23:08 UTC (History)

Fixed In Version: crypto-policies-20181217-1.git9a35207.el8
Last Closed: 2019-06-13 23:08:36 UTC
Type: Bug

Description Huzaifa S. Sidhpurwala 2018-12-11 02:38:01 UTC
After systemwide crypto policies are updated, all daemons and services which follow the policy need to be restarted.

It would be nice to show an info message on policy update to remind admins to do the same. Something like:

[huzaifas@babylon ~]$ sudo update-crypto-policies --set FUTURE
Setting system policy to FUTURE
Note: Please restart all services using the system-wide crypto policies for effect to take place.

Comment 1 Tomas Mraz 2018-12-11 07:17:10 UTC
I'd say something like the following message would be more appropriate:

Note: System-wide crypto policies are applied on service startup.
It is recommended to restart the system for the change of policies
to fully take place.

Ondrej, would you give qa_ack+?

Comment 2 Ondrej Moriš 2018-12-11 13:21:11 UTC
I would just prefer not to advise system restart but rather restarting "all services using the system-wide crypto policies" only (or both). Recommending system update just reminds me of another operating system... but I am OK with any message.

Acceptance Criteria:

 * When crypto-policy level is changed, warning message advising system/service restart is shown.

Comment 3 Tomas Mraz 2018-12-11 14:16:39 UTC
The problem with telling the user to restart system services is that we cannot know what all the system services that have to be restarted are.

There also might be services that are not easily restartable (i.e. dbus, user session, ... although these are probably not affected currently by crypto policies).

We can try to describe the situation in the manual page.
On the other hand, changing the system-wide crypto policy level is an operation that normally should not be performed more times than just after (or during) the system installation, so I do not think this is too big an issue.

Comment 4 Huzaifa S. Sidhpurwala 2018-12-11 16:29:29 UTC
Maybe the warning message should ask the admin to restart services and mention "please refer to the man page for more details".

Comment 5 Tomas Mraz 2018-12-11 16:40:44 UTC
But we will not answer the logical question "which services" there either.

Comment 7 Ondrej Moriš 2018-12-19 12:59:53 UTC
Successfully verified.

NEW (crypto-policies-20181217-1.git9a35207.el8)
===============================================
# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

I agree that we cannot be more specific about what services or applications should be restarted.

Comment 8 Huzaifa S. Sidhpurwala 2018-12-20 04:45:16 UTC
(In reply to Ondrej Moriš from comment #7)
> Successfully verified.
> 
> NEW (crypto-policies-20181217-1.git9a35207.el8)
> ===============================================
> # update-crypto-policies --set DEFAULT
> Setting system policy to DEFAULT
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
> 
> I agree that we cannot be more specific about what services or applications
> should be restarted.

+1. Thank you for the quick turnaround time!
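
Added example, not part of the bug thread or of the crypto-policies project: because policies are applied on application start-up, a process started before the policy change keeps the old settings, so one heuristic is to list processes that predate the change and have a crypto library mapped. The function names, the `proc` parameter and the library name list are assumptions made for this sketch, and the caller supplies the time of the policy change in epoch seconds.

```python
import os
import re

# Assumption: these library names mark processes that use a policy-aware back end.
CRYPTO_LIBS = re.compile(r"/(libssl|libcrypto|libgnutls|libnss3|libssh)[.-]")

def boot_time(proc):
    """Boot time in epoch seconds, from the 'btime' line of <proc>/stat."""
    with open(os.path.join(proc, "stat")) as f:
        for line in f:
            if line.startswith("btime "):
                return int(line.split()[1])
    raise RuntimeError("btime not found")

def start_time(proc, pid, btime, hz):
    """Process start in epoch seconds (field 22 of <proc>/<pid>/stat, in ticks)."""
    with open(os.path.join(proc, pid, "stat")) as f:
        data = f.read()
    # The command name (field 2) may contain spaces or ')': split after the last ')'.
    fields = data[data.rindex(")") + 2:].split()
    return btime + int(fields[19]) / hz  # fields[0] is field 3, so [19] is field 22

def stale_processes(policy_changed_at, proc="/proc", hz=None):
    """Return [(pid, [libs])] for processes started before policy_changed_at."""
    hz = hz or os.sysconf("SC_CLK_TCK")
    btime = boot_time(proc)
    stale = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            started = start_time(proc, pid, btime, hz)
            with open(os.path.join(proc, pid, "maps")) as f:
                libs = sorted({m.group(1) for m in CRYPTO_LIBS.finditer(f.read())})
        except (OSError, ValueError, IndexError):
            continue  # process exited meanwhile, or its files are not readable
        if libs and started < policy_changed_at:
            stale.append((int(pid), libs))
    return sorted(stale)

if __name__ == "__main__":
    import sys
    # Usage: script.py <epoch seconds of the policy change>; run as root to see all PIDs.
    for pid, libs in stale_processes(float(sys.argv[1])):
        print(pid, ",".join(libs))
```

The result is a lower bound: statically linked programs and applications that pick up the policy without mapping one of the listed libraries are not reported, which is why the thread settles on recommending a full restart.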

