Bug 786191 - selinux-policy update shows error parsing file obj_perm_sets.spt in FIPS mode
Summary: selinux-policy update shows error parsing file obj_perm_sets.spt in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: policycoreutils
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 787605 953862
 
Reported: 2012-01-31 17:09 UTC by Miroslav Vadkerti
Modified: 2013-04-19 11:08 UTC

Fixed In Version: policycoreutils-2.0.83-19.24.el6
Doc Type: Bug Fix
Doc Text:
When installing packages on the system in Federal Information Processing Standard (FIPS) mode, parsing errors could occur and installation failed. This was caused by the "/usr/lib64/python2.7/site-packages/sepolgen/yacc.py" parser, which used MD5 checksums that are not supported in FIPS mode. This update modifies the parser to use SHA-256 checksums and the installation process is now successful.
Clone Of:
: 953862
Environment:
Last Closed: 2012-06-20 15:10:33 UTC
Target Upstream Version:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2012:0969 | 0 | normal | SHIPPED_LIVE | policycoreutils bug fix update | 2012-06-19 21:11:56 UTC

Description Miroslav Vadkerti 2012-01-31 17:09:54 UTC
Description of problem:
When updating EL6.2 GA selinux policy to selinux-policy-3.7.19-126.el6_2.4
in FIPS mode I see this error

1:selinux-policy         ########################################### [  9%]
error parsing headers
error parsing file /usr/share/selinux/devel/include/support/obj_perm_sets.spt: error:060800A0:digital envelope routines:EVP_DigestInit_ex:unknown cipher

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4

How reproducible:
Should be 100% in our test scenario (see additional info)

Steps to Reproduce:
1. Install RHEL6.2 GA and switch to FIPS mode
2. Update 
3.
  
Actual results:
Error when updating

Expected results:
No error

Additional info:
Please note this bug was spotted during installation with custom kickstart we use for Common Criteria testing. The installation is in FIPS mode.

Comment 3 Daniel Walsh 2012-01-31 19:27:11 UTC
Steven? Eric? Any ideas?

Comment 4 Stephen Smalley 2012-01-31 20:53:37 UTC
Error is from sepolgen-ifgen.
Digging a bit further, appears to trace back to sepolgen/yacc.py, which uses hashlib.md5().  fips mode kills md5?
Bug 689387 looks similar but for a different program that uses md5.

Comment 5 Daniel Walsh 2012-01-31 22:11:25 UTC
So if we change this code to hashlib.sha256() it might work...

It seems to work on Rawhide.

Miroslav Vadkerti

Can you change the code and try it again?

# sed -i 's/md5/sha256/g' /usr/lib64/python2.7/site-packages/sepolgen/yacc.py
# yum reinstall selinux-policy-targeted

Comment 6 Miroslav Vadkerti 2012-02-01 09:05:32 UTC
I confirm that the change fixes the issue:

# sed -i 's/md5/sha256/g' /usr/lib64/python2.6/site-packages/sepolgen/yacc.py
# yum reinstall selinux-policy-*
...
Running Transaction
  Installing : selinux-policy-3.7.19-126.el6_2.4.noarch                                                                                                                                                   1/3 
  Installing : selinux-policy-targeted-3.7.19-126.el6_2.4.noarch                                                                                                                                          2/3 
  Installing : selinux-policy-mls-3.7.19-126.el6_2.4.noarch                                                                                                                                               3/3 

Installed:
  selinux-policy.noarch 0:3.7.19-126.el6_2.4                      selinux-policy-mls.noarch 0:3.7.19-126.el6_2.4                      selinux-policy-targeted.noarch 0:3.7.19-126.el6_2.4                     

Complete!
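
The sed substitution in comments 5 and 6 rewrites every occurrence of the string "md5" in yacc.py. To list the actual MD5 constructor calls in a Python source file, for this fix or when auditing other tools for the same FIPS-mode failure, an AST walk can be used. This is an added example, not code from sepolgen or policycoreutils; the function name and the sample source are constructed for illustration, and it assumes the file parses under the Python 3 interpreter running the check.

```python
import ast

# Constructed sample (not the real sepolgen/yacc.py): four ways Python code
# reaches MD5, plus a SHA-256 call that must not be reported.
SAMPLE = '''
import hashlib
from hashlib import md5
import md5 as legacy_md5

def table_signature(text):
    a = hashlib.md5(text).hexdigest()
    b = md5(text).digest()
    c = hashlib.new("md5", text)
    d = legacy_md5.new(text)
    ok = hashlib.sha256(text).hexdigest()
    return a, b, c, d, ok
'''

def find_md5_calls(source, filename="<source>"):
    """Return sorted (line, call) pairs for calls that construct an MD5 object."""
    tree = ast.parse(source, filename)
    names, md5_mods, hashlib_mods = set(), set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            # from hashlib import md5 [as x]
            names.update(a.asname or a.name for a in node.names if a.name == "md5")
        elif isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "md5":        # legacy Python 2 module
                    md5_mods.add(a.asname or a.name)
                elif a.name == "hashlib":
                    hashlib_mods.add(a.asname or a.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f, first = node.func, (node.args[0] if node.args else None)
        if isinstance(f, ast.Name) and f.id in names:
            hits.append((node.lineno, f.id + "()"))
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            base, attr = f.value.id, f.attr
            by_name = (attr == "new" and isinstance(first, ast.Constant)
                       and str(first.value).lower() == "md5")
            if base in hashlib_mods and (attr == "md5" or by_name):
                hits.append((node.lineno, "%s.%s()" % (base, attr)))
            elif base in md5_mods and attr == "new":
                hits.append((node.lineno, base + ".new()"))
    return sorted(hits)
```

Each reported line is a call that fails with the EVP_DigestInit_ex error from the description when MD5 is disabled; digest names passed through a variable rather than a string literal are not detected.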

Comment 7 Daniel Walsh 2012-02-01 19:16:46 UTC
Fixed in policycoreutils-2.0.83-19.20.el6_2

Comment 10 Miroslav Svoboda 2012-02-14 17:51:28 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When installing packages on the system in Federal Information Processing Standard (FIPS) mode, parsing errors could occur and installation failed. This was caused by the "/usr/lib64/python2.7/site-packages/sepolgen/yacc.py" parser, which used MD5 checksums that are not supported in FIPS mode. This update modifies the parser to use SHA-256 checksums and the installation process is now successful.

Comment 16 Miroslav Grepl 2012-04-18 07:59:54 UTC
Fixed in policycoreutils-2.0.83-19.24.el6

Comment 19 errata-xmlrpc 2012-06-20 15:10:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0969.html

