Description of problem: post install which creates a link to the chosen policy point to wrong link (->/usr/share/crypto-policies/DEFAULT/..) Version-Release number of selected component (if applicable): crypto-policies-20200713-1.git51d1222.el8.noarch.rpm How reproducible: Steps to Reproduce: 1. After fresh install. 2. 3. Actual results: if policy is DEFAULT ls -l /etc/crypto-policies/back-ends/.config results with /usr/share/crypto-policies/DEFAULT/. Expected results: ls -l /etc/crypto-policies/back-ends/.config results with /usr/share/crypto-policies/DEFAULT/.. Additional info: Verified the issue is indeed lua script: removing /etc/crypto-policies/config and rebuild rpm with postinstall scriptlet (using <lua>): if not posix.access("/etc/crypto-policies/config") then local policy = "DEFAULT" local cf = io.open("/proc/sys/crypto/fips_enabled", "r") if cf then if cf:read() == "1" then policy = "FIPS" end cf:close() end cf = io.open("/etc/crypto-policies/config", "w") if cf then cf:write(policy.."\n") cf:close() end cf = io.open("/etc/crypto-policies/state/current", "w") if cf then cf:write(policy.."\n") cf:close() end local policypath = "/usr/share/crypto-policies/"..policy local cff = io.open("/tmp/trace_cp_links", "w+") for fn in posix.files(policypath) do local backend = fn:gsub(".*/", ""):gsub("%..*", "") local cfgfn = "/etc/crypto-policies/back-ends/"..backend..".config" cff:write(cfgfn.."\n") posix.unlink(cfgfn) posix.symlink(policypath.."/"..fn, cfgfn) cff:write("->"..policypath.."/"..fn.."\n") end cff:close() end [root@localhost ~]# cat /tmp/trace_cp_links can be observed that apparently that links to /etc/crypto-policies/back-ends/.config created twice and second time with wrong link /etc/crypto-policies/back-ends/.config ->/usr/share/crypto-policies/DEFAULT/. /etc/crypto-policies/back-ends/.config ->/usr/share/crypto-policies/DEFAULT/.. /etc/crypto-policies/back-ends/bind.config ->/usr/share/crypto-policies/DEFAULT/bind.txt /etc/crypto-policies/back-ends/gnutls.config ->/usr/share/crypto-policies/DEFAULT/gnutls.txt /etc/crypto-policies/back-ends/java.config ->/usr/share/crypto-policies/DEFAULT/java.txt /etc/crypto-policies/back-ends/krb5.config ->/usr/share/crypto-policies/DEFAULT/krb5.txt /etc/crypto-policies/back-ends/libreswan.config ->/usr/share/crypto-policies/DEFAULT/libreswan.txt /etc/crypto-policies/back-ends/libssh.config ->/usr/share/crypto-policies/DEFAULT/libssh.txt /etc/crypto-policies/back-ends/nss.config ->/usr/share/crypto-policies/DEFAULT/nss.txt /etc/crypto-policies/back-ends/openssh.config ->/usr/share/crypto-policies/DEFAULT/openssh.txt /etc/crypto-policies/back-ends/opensshserver.config ->/usr/share/crypto-policies/DEFAULT/opensshserver.txt /etc/crypto-policies/back-ends/openssl.config ->/usr/share/crypto-policies/DEFAULT/openssl.txt /etc/crypto-policies/back-ends/opensslcnf.config ->/usr/share/crypto-policies/DEFAULT/opensslcnf.txt I did not verified this but look like '.' local folder is returned by posix.files(policypath) and it creates the wrong link: and it creates the wrong link: this is how I tested. postinstall scriptlet (using <lua>): if posix.access("/etc/crypto-policies/config") then local policy = "DEFAULT" local cf = io.open("/proc/sys/crypto/fips_enabled", "r") if cf then if cf:read() == "1" then policy = "FIPS" end cf:close() end cf = io.open("/etc/crypto-policies/config", "w") if cf then cf:write(policy.."\n") cf:close() end cf = io.open("/etc/crypto-policies/state/current", "w") if cf then cf:write(policy.."\n") cf:close() end local policypath = "/usr/share/crypto-policies/"..policy local cff = io.open("/tmp/yyyy", "w+") for fn in posix.files(policypath) do local backend = fn:gsub(".*/", ""):gsub("%..*", "") local cfgfn = "/etc/crypto-policies/back-ends/"..backend..".config" cff:write(cfgfn.."\n") posix.unlink(cfgfn) posix.symlink(policypath.."/"..fn, cfgfn) cff:write("->"..policypath.."/"..fn.."\n") end cff:close() end [root@localhost ~]# cat /tmp/yyyy /etc/crypto-policies/back-ends/.config ->/usr/share/crypto-policies/DEFAULT/. /etc/crypto-policies/back-ends/.config ->/usr/share/crypto-policies/DEFAULT/.. /etc/crypto-policies/back-ends/bind.config ->/usr/share/crypto-policies/DEFAULT/bind.txt /etc/crypto-policies/back-ends/gnutls.config ->/usr/share/crypto-policies/DEFAULT/gnutls.txt /etc/crypto-policies/back-ends/java.config ->/usr/share/crypto-policies/DEFAULT/java.txt /etc/crypto-policies/back-ends/krb5.config ->/usr/share/crypto-policies/DEFAULT/krb5.txt /etc/crypto-policies/back-ends/libreswan.config ->/usr/share/crypto-policies/DEFAULT/libreswan.txt /etc/crypto-policies/back-ends/libssh.config ->/usr/share/crypto-policies/DEFAULT/libssh.txt /etc/crypto-policies/back-ends/nss.config ->/usr/share/crypto-policies/DEFAULT/nss.txt /etc/crypto-policies/back-ends/openssh.config ->/usr/share/crypto-policies/DEFAULT/openssh.txt /etc/crypto-policies/back-ends/opensshserver.config ->/usr/share/crypto-policies/DEFAULT/opensshserver.txt /etc/crypto-policies/back-ends/openssl.config ->/usr/share/crypto-policies/DEFAULT/openssl.txt /etc/crypto-policies/back-ends/opensslcnf.config ->/usr/share/crypto-policies/DEFAULT/opensslcnf.txt
I'm not sure whether .config creation is intentional at all, I feel like its presence stems from an oversight of the fact that `posix.files` yields `.`/`..` as well. Would you be fine with a solution I've applied in https://src.fedoraproject.org/rpms/crypto-policies/blob/master/f/crypto-policies.spec#_124, which prevents any `.config` link from being created in the first place?
not propriety action done with this link, so If it not intentional and not used than fore sure we are fine with removing it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3025