OCPBUGS-67197

RHCOS on 4.21 Reports inconsistent State when creating a FIPS mode cluster

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects version: 4.21.0
    • Component: RHCOS
    • Severity: Low
    • Architecture: ppc64le

      Description of problem:

      On an RHCOS system (RHEL 9 based), running `fips-mode-setup --check` returns a misleading "Inconsistent state detected" message. It claims the installation of FIPS modules is not completed, despite FIPS being enabled in the kernel and crypto policies being set correctly.
      
      This appears to be a false positive caused by the tool checking for the existence of `/etc/system-fips`. On RHCOS, FIPS initialization is handled via dracut (`rhcos-fips.sh`) rather than the standard RHEL `fips-finish-install` process, so `/etc/system-fips` is not populated in the root filesystem as the tool expects.
      

      Version-Release number of selected component (if applicable):

      4.21.0-ec.3
      

      How reproducible:

      Multiple times
      

      Steps to Reproduce:

      
      2.  Access a FIPS-enabled RHCOS node (e.g., core@master-0).
      3.  Execute the check command: `sudo fips-mode-setup --check`
          

      Actual results:

      The command returns an error indicating an inconsistent state:

      `sudo fips-mode-setup --check`
      Installation of FIPS modules is not completed.
      FIPS mode is enabled.
      Inconsistent state detected.

      The system is actually in FIPS mode, confirming that:

      1.  `/proc/sys/crypto/fips_enabled` is `1`
      2.  `/etc/crypto-policies/state/current` is set correctly.

      The failure occurs in `/usr/bin/fips-mode-setup` because `/etc/system-fips` is missing. The script logic relies on this file to verify installation completion:
      

      Expected results:

      fips-mode-setup --check shows correct results
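As an added example (not code from the bug report and not the fips-mode-setup script), the check below classifies a node's FIPS state from the two indicators the report treats as authoritative, the kernel flag and the active crypto policy, and deliberately does not consult `/etc/system-fips`, which the dracut module `rhcos-fips.sh` never creates on RHCOS. The root-prefix argument and the `make_fake_root` helper are assumptions added so the logic can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Added example (not the bug report's or fips-mode-setup's own code): derives a
# node's FIPS state from the two indicators the report calls authoritative and
# ignores /etc/system-fips, which dracut's rhcos-fips.sh never creates on RHCOS.
# The root-prefix argument is hypothetical, so the logic can run on a fake tree.

# Exit 0 when $1/proc/sys/crypto/fips_enabled reads 1.
kernel_fips_enabled() {
    f="${1:-}/proc/sys/crypto/fips_enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints the active crypto policy from $1/etc/crypto-policies/state/current.
current_crypto_policy() {
    f="${1:-}/etc/crypto-policies/state/current"
    [ -r "$f" ] && cat "$f"
}

# Prints one word for the node's FIPS state:
#   consistent   kernel FIPS on and the FIPS crypto policy active
#   kernel-only  kernel FIPS on but the policy is not FIPS
#   policy-only  policy is FIPS but the kernel is not (e.g. reboot pending)
#   disabled     neither indicator set
rhcos_fips_state() {
    root="${1:-}"
    policy=$(current_crypto_policy "$root" 2>/dev/null || true)
    case "$policy" in
        FIPS|FIPS:*) policy_fips=1 ;;
        *)           policy_fips=0 ;;
    esac
    if kernel_fips_enabled "$root"; then kernel_fips=1; else kernel_fips=0; fi
    case "$kernel_fips$policy_fips" in
        11) echo consistent ;;
        10) echo kernel-only ;;
        01) echo policy-only ;;
        *)  echo disabled ;;
    esac
}

# Constructed tree for testing: make_fake_root <fips_enabled> <policy>.
# No /etc/system-fips is written, matching a real RHCOS node.
make_fake_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/crypto" "$d/etc/crypto-policies/state"
    printf '%s\n' "$1" > "$d/proc/sys/crypto/fips_enabled"
    printf '%s\n' "$2" > "$d/etc/crypto-policies/state/current"
    echo "$d"
}
```

On a node, calling `rhcos_fips_state ""` (empty root prefix) inspects the live system; a FIPS-enabled RHCOS node reports `consistent` even though `/etc/system-fips` is absent.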
      

      Additional info:

      n/a
      

              Assignee: Unassigned
              Reporter: Paul Bastide (pbastide_rh)