Be more thorough in `fips-mode-setup --disable`, be explicit that disabling FIPS on Red Hat Enterprise Linux is unsupported

What were you trying to do that didn't work?

As per https://bugzilla.redhat.com/show_bug.cgi?id=1654645, fips-mode-setup --disable does not correctly disable FIPS mode on Red Hat Enterprise Linux but in fact leaving it partially disabled. With that state, the customer has either a partially disabled FIPS system or needs to run manual activity to properly clean it up and have it no longer run under FIPS.

Given the above and specifically in Red Hat OpenShift Container Platform 4, where disabling FIPS mode is a known request, it would be appreciated if Red Hat Enterprise Linux could provide a supported mechanism to disable FIPS. This would allow customers to revert a system that once was enabled with FIPS and more important, would provide Red Hat OpenShift Container Platform 4 a way to implementation an approach to disable FIPS, using Red Hat Enterprise Linux provided and supported tooling.

Also interesting, while there might have been some limitation to disable FIPS in early Implementation Guides, it does not appear to be available and hence should be reconsidered.

Please provide the package NVR for which bug is seen:

crypto-policies

How reproducible:

Always

Steps to reproduce

1. Enable fips mode: fips-mode-setup --enable
2. Reboot
3. Disable fips mode: fips-mode-setup --disable
4. Reboot
5. Check dracut configuration, initramfs and /etc/system-fips

Expected results

FIPS mode to be completely disabled and not leaving parts behind that are still enabled/in enforcing mode. Support the mechanism to disable FIPS mode.

Actual results

Red Hat Enterprise Linux is left in a state, where FIPS is partially disabled and the activity is even unsupported. It would be nice to have the process take care of disabling FIPS properly and also have the approach supported.