- Bug
- Resolution: Unresolved
- Normal
- rhel-9.5
- Moderate
- rhel-systemd
- ssg_core_services
What were you trying to do that didn't work?
The dirsrv service uses systemd sandboxing and has the following options enabled, among others:
ProtectKernelTunables=true
ProtectControlGroups=true
During startup, ns-slapd checks whether it is running in FIPS mode by calling PK11_IsFIPS() from NSS, which tries to read the contents of /proc/sys/crypto/fips_enabled.
This works on RHEL 10 (systemd-257-7.el10.x86_64), but fails on RHEL 9.5 (systemd-252-46.el9_5.2.x86_64).
On F39+ (systemd-254.20-1.fc39.x86_64) it works, but SELinux prevents it; I see the following denial:
----
time->Thu Feb 13 09:29:56 2025
type=PROCTITLE msg=audit(1739456996.530:1411): proctitle="(ns-slapd)"
type=SYSCALL msg=audit(1739456996.530:1411): arch=c000003e syscall=165 success=no exit=-13 a0=7fffc798dcb0 a1=55ab9ca7cdf0 a2=0 a3=5000 items=0 ppid=1 pid=6780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ns-slapd)" exe="/usr/lib/systemd/systemd-executor" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1739456996.530:1411): avc: denied { mounton } for pid=6780 comm="(ns-slapd)" path="/run/systemd/mount-rootfs/proc/sys/crypto/fips_enabled" dev="proc" ino=34925 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=0
I suspect this was fixed in systemd-254 with https://github.com/systemd/systemd/pull/28144
What is the impact of this issue to you?
FIPS detection doesn't work correctly, resulting in a misconfiguration.
Please provide the package NVR for which the bug is seen:
systemd-252-46.el9_5.2.x86_64
How reproducible is this bug?:
always
Steps to reproduce
- On RHEL 9.5 in FIPS mode run:

dnf install nss-devel nspr-devel gcc -y

cat > /etc/systemd/system/check_fips.service << EOF
[Unit]
Description=FIPS check

[Service]
Type=oneshot
ExecStart=/usr/local/bin/check_fips
ProtectKernelTunables=true
ProtectControlGroups=true
EOF

cat > check_fips.c << EOF
// gcc -o check_fips check_fips.c -I/usr/include/nss3 -I/usr/include/nspr4 -lnss3 -lnspr4
#include <stdio.h>
#include <nss.h>
#include <pk11func.h>

int main() {
    if (NSS_NoDB_Init(NULL) != SECSuccess) {
        fprintf(stderr, "Failed to initialize NSS\n");
        return 1;
    }
    if (PK11_IsFIPS()) {
        printf("NSS is in FIPS mode\n");
    } else {
        printf("NSS is NOT in FIPS mode\n");
    }
    NSS_Shutdown();
    return 0;
}
EOF

gcc -o /usr/local/bin/check_fips check_fips.c -I/usr/include/nss3 -I/usr/include/nspr4 -lnss3 -lnspr4
systemctl daemon-reload
systemctl start check_fips
journalctl --no-hostname _COMM=check_fips
Expected results
Feb 14 04:57:54 check_fips[2217]: NSS is in FIPS mode
Actual results
Feb 14 04:57:06 check_fips[775]: NSS is NOT in FIPS mode
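The reproducer above prints "NSS is NOT in FIPS mode" both when the kernel really is not in FIPS mode and when the sandbox merely makes /proc/sys/crypto/fips_enabled unreadable, which is why the result is a silent misconfiguration. As an added example (not code from this report, 389-ds or NSS), the following reader keeps the two cases apart so a service can fail closed or log the real cause; it only shows the sysctl read, not NSS's own logic, and the sample file paths are constructed:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define FIPS_SYSCTL "/proc/sys/crypto/fips_enabled"

/* Three-way result so an unreadable sysctl (the sandbox case above) cannot collapse into FIPS_OFF. */
enum fips_state { FIPS_OFF = 0, FIPS_ON = 1, FIPS_UNKNOWN = -1 };

/* Read a fips_enabled-style file ("0\n" or "1\n"). On open/read/parse failure return
 * FIPS_UNKNOWN and store the errno (EINVAL for unexpected content) in *err. */
enum fips_state read_fips_state(const char *path, int *err)
{
    char buf[8];
    FILE *f = fopen(path, "r");
    if (!f) { if (err) *err = errno; return FIPS_UNKNOWN; }
    if (!fgets(buf, sizeof buf, f)) {
        if (err) *err = ferror(f) ? errno : EINVAL;   /* empty file counts as unknown */
        fclose(f);
        return FIPS_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    if (err) *err = 0;
    if (strcmp(buf, "1") == 0) return FIPS_ON;
    if (strcmp(buf, "0") == 0) return FIPS_OFF;
    if (err) *err = EINVAL;
    return FIPS_UNKNOWN;
}

/* Helper to write a constructed sample file (hypothetical path); 0 on success. */
int write_sample(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    int err = 0;
    enum fips_state s = read_fips_state(FIPS_SYSCTL, &err);
    if (s == FIPS_UNKNOWN) {   /* fail closed: a crypto daemon should not guess */
        fprintf(stderr, "cannot determine FIPS state from %s: %s\n", FIPS_SYSCTL, strerror(err));
        return 2;
    }
    printf("kernel FIPS mode: %s\n", s == FIPS_ON ? "enabled" : "disabled");
    return 0;
}
```

Run inside the check_fips unit from the steps above, this exits 2 with the errno (for example EACCES or ENOENT) instead of reporting "NOT in FIPS mode".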
- blocks: RHEL-78722 Failed to set sslversionmax to TLS1.3 in FIPS mode with dsconf $INSTANCE security set --tls-protocol-max TLS1.3 (Closed)