Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-93444

fapolicyd doesn't support RPM shipping files signed with SHA-512

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-9.6
    • fapolicyd
    • No
    • Important
    • rhel-security-selinux
    • ssg_security
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      When installing a RPM package that signs its files with SHA-512 instead of default SHA-256, the Trust Database contains an invalid SHA-256 checksum for the files, since it's the beginning of the SHA-512 checksum, as shown in the example below:

      # rpm -q --dump hello
/usr/bin/hello.sh 29 1748246837 218a3f4cd8f4a9f80ff440b6a02bf0a343a8cfd7a0ddd1c0239b1a7a7826509479cf70b07b537fdd15f5e14ed63c293827cb6edb06ef5d2b7d77a12d1c0618f2 0100644 root root 0 0 0 X

# fapolicyd-cli --dump-db | grep /usr/bin/hello.sh
rpmdb /usr/bin/hello.sh 29 218a3f4cd8f4a9f80ff440b6a02bf0a343a8cfd7a0ddd1c0239b1a7a78265094

      This makes RPM having SHA-512 checksums be incompatible with fapolicyd.

      Reproducer package attached for convenience + spec file to build such package

        1. hello.tar
          20 kB
        2. hello-0.0.1-1.el9.sha512.noarch.rpm
          7 kB

              rhn-engineering-plautrba Petr Lautrbach
              rhn-support-rmetrich Renaud Métrich
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: