Bug 745571 - Can't switch nss softokn to FIPS mode - prelink
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss-softokn
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-10-12 18:19 UTC by Elio Maldonado Batiz
Modified: 2011-11-25 02:20 UTC (History)

Fixed In Version: nss-softokn-3.12.10-5.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-05 01:30:46 UTC
Type: ---
Embargoed:



Description Elio Maldonado Batiz 2011-10-12 18:19:54 UTC
Description of problem: 
Reported by Rich Megginson

>>>  modutil -dbdir /etc/dirsrv/slapd-inst -fips true
>>>  FIPS mode enabled.
>>>
>>>  When FIPS mode is disabled, everything works fine, no AVCs.
>>>
>>>  Bob/Elio - any idea why this is happening?  Has NSS FIPS mode been
>>>  tested with SELinux set to Enforcing?
>>  NSS is launching prelink in FIPS mode. NSS needs to validate the shared
>>  library, but prelink may have modified it. NSS needs to launch prelink
>>  to get the unmodified shared library bits to validate in FIPS mode.
>>  You'll need to add whatever policy you need to allow /usr/sbin/prelink
>>  to run if you are using NSS.

> I can't even test this on F-14 and later (NSS 3.12.10)
> $ mkdir /var/tmp/junk
> $ certutil -d /var/tmp/junk -N
> ##### create database with 8 character password
> $ modutil -dbdir /var/tmp/junk -fips true
> security library: invalid arguments.
> ERROR: Unable to switch FIPS modes.
> # modutil -force gives the same error
> # setenforce Permissive - gives the same error
> I get this same error on both F-14 and F-16 (using NSS 3.12.10) - the
> same set of commands work fine on RHEL 6 (NSS 3.12.9)

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. mkdir /var/tmp/junk
2. certutil -d /var/tmp/junk -N 
(enter a password twice as prompted)
3. modutil -dbdir /var/tmp/junk -fips true
Actual results:
  ERROR: Unable to switch FIPS modes.

Expected results:
  FIPS mode enabled.

Additional info:

Comment 1 Elio Maldonado Batiz 2011-10-12 18:29:38 UTC
The modutil tool does the mode switch to/from FIPS mode by unloading the softoken module and loading it back again. When the module is loaded in FIPS mode it runs a series of power up tests. Among them is a self-integrity check. The self-integrity check is failing and that makes the switch to FIPS mode fail.

With the rebase of nss-softokn from the one from nss-3.12.9 to the one from nss 3.12.10, the Fedora patch that enables prelinking support was updated incorrectly - an incomplete update. That's what caused the self-verification code to fail.
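
Added example, not part of the bug report and not NSS code: a shell check for the situation Comment 1 and the quoted mail describe, comparing the digest of a library as stored on disk with the digest of its un-prelinked bytes. The `-u -o -` prelink invocation (undo, write to stdout) and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not NSS code). Assumption: prelink is at /usr/sbin/prelink
# and "-u -o -" writes the un-prelinked file to stdout.
PRELINK="${PRELINK:-/usr/sbin/prelink}"

# SHA-256 of stdin as bare hex.
digest_stream() { sha256sum | cut -d' ' -f1; }

# Digest of the library exactly as stored on disk.
disk_digest() { digest_stream < "$1"; }

# Digest of the library with prelinking undone. Returns 2 when prelink is
# not installed and 3 when prelink fails (for example, denied by policy).
original_digest() {
    [ -x "$PRELINK" ] || return 2
    od_tmp=$(mktemp) || return 3
    if "$PRELINK" -u -o - "$1" > "$od_tmp" 2>/dev/null; then
        digest_stream < "$od_tmp"; od_rc=0
    else
        od_rc=3
    fi
    rm -f "$od_tmp"
    return "$od_rc"
}

# Print one word describing which bytes an integrity check has to hash:
#   unmodified   disk bytes already equal the un-prelinked bytes
#   prelinked    disk bytes differ; the check must hash the undo output
#   no-prelink   prelink absent, only the disk bytes are available
#   undo-failed  prelink present but could not be run on the file
classify() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    cl_disk=$(disk_digest "$1")
    # "&& ... ||" keeps a non-zero status from aborting under "set -e".
    cl_orig=$(original_digest "$1") && cl_rc=0 || cl_rc=$?
    case "$cl_rc" in
        2) echo "no-prelink" ;;
        3) echo "undo-failed" ;;
        *) if [ "$cl_disk" = "$cl_orig" ]; then echo "unmodified"
           else echo "prelinked"; fi ;;
    esac
}

# Usage: sh check.sh /path/to/library.so
if [ "$#" -gt 0 ]; then classify "$1"; fi
```

An `undo-failed` result while SELinux is enforcing matches the quoted exchange, where policy has to allow `/usr/sbin/prelink` to run.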

Comment 2 Fedora Update System 2011-10-13 20:18:40 UTC
nss-softokn-3.12.10-5.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/nss-softokn-3.12.10-5.fc14

Comment 3 Fedora Update System 2011-10-13 20:20:32 UTC
nss-softokn-3.12.10-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/nss-softokn-3.12.10-5.fc15

Comment 4 Fedora Update System 2011-10-13 20:22:00 UTC
nss-softokn-3.12.10-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/nss-softokn-3.12.10-6.fc16

Comment 5 Fedora Update System 2011-10-15 14:29:00 UTC
Package nss-softokn-3.12.10-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-softokn-3.12.10-6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14328
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-11-05 01:30:46 UTC
nss-softokn-3.12.10-6.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2011-11-25 02:20:21 UTC
nss-softokn-3.12.10-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

