- Bug
- Resolution: Done-Errata
- Normal
- rhel-8.8.0
- None
- None
- None
- 1
- rhel-sst-container-tools
- 3
- False
-
- None
- RUN 252
- Pass
- None
- None
When running a UBI container on a FIPS host, /etc/crypto-policies/back-ends is bind-mounted over.
Not sure from where, but that's FIPS data in there.
    # podman run -it ubi9
    [root@bc56e635fbee /]# mount|grep crypto
    overlay on /etc/crypto-policies/back-ends type overlay (rw,relatime,context="system_u:object_r:container_file_t:s0:c636,c921",lowerdir=/var/lib/containers/storage/overlay/l/G7CUCLS6D56WWU7OYYIYLT4R3U,upperdir=/var/lib/containers/storage/overlay/084759a59b970dc2b76928d9f7ce8318cbf5f5b2fc090b03f17233c94f01e576/diff,workdir=/var/lib/containers/storage/overlay/084759a59b970dc2b76928d9f7ce8318cbf5f5b2fc090b03f17233c94f01e576/work,metacopy=on)
    # grep 448 /etc/crypto-policies/back-ends/gnutls.config
    # nothing, as it should be in FIPS mode
But /etc/crypto-policies/config isn't overridden in any way:
    # cat /etc/crypto-policies/config
    DEFAULT

So, updating or re-installing crypto-policies-scripts causes it to switch to a more lax DEFAULT policy:
https://pkgs.devel.redhat.com/cgit/rpms/crypto-policies/tree/crypto-policies.spec?h=rhel-9-main&id=da28b9c5ae158cc73e018a34792401a310929324#n183
    [root@bc56e635fbee /]# dnf reinstall crypto-policies-scripts
    ...
    [root@bc56e635fbee /]# grep 448 /etc/crypto-policies/back-ends/gnutls.config

right over the bind-mount, and that's a problem, especially for UBI 8 containers.
One way to solve that would be to bind-mount FIPS over /etc/crypto-policies/config as well.
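The inconsistency described above, as an added shell check that is not part of the bug report or of crypto-policies itself: it reads a mountinfo file and a crypto-policies config file (paths are parameters; the sample contents are constructed inline) and flags the case where something is mounted over /etc/crypto-policies/back-ends while the config still selects DEFAULT.

```shell
#!/bin/sh
# Added example, not from the bug report: flag a container in which a FIPS
# back-end set is mounted over /etc/crypto-policies/back-ends while
# /etc/crypto-policies/config still selects DEFAULT, so that reinstalling
# crypto-policies-scripts would regenerate the lax back-ends over the mount.
# File paths are parameters so the check can run on constructed samples.
# check_policy_consistency MOUNTINFO CONFIG
# Return 0 when mount and config agree, 1 on the mismatch, 2 when nothing is
# mounted over back-ends (the check does not apply).
check_policy_consistency() {
    mountinfo="$1"
    config="$2"
    # Field 5 of /proc/self/mountinfo is the mount point.
    if ! awk '$5 == "/etc/crypto-policies/back-ends" { found = 1 }
              END { exit !found }' "$mountinfo"; then
        echo "no mount over /etc/crypto-policies/back-ends; nothing to check"
        return 2
    fi
    # The policy name is the first non-empty, non-comment line of config.
    policy=$(grep -v '^[[:space:]]*#' "$config" | grep -v '^[[:space:]]*$' \
             | head -n 1 | tr -d '[:space:]')
    case "$policy" in
        FIPS|FIPS:*)
            echo "consistent: back-ends mounted and config selects $policy"
            return 0 ;;
        *)
            echo "MISMATCH: back-ends mounted but config selects '$policy';" \
                 "reinstalling crypto-policies-scripts would regenerate DEFAULT"
            return 1 ;;
    esac
}

# write_sample DIR POLICY: constructed mountinfo and config files for the demo.
write_sample() {
    cat > "$1/mountinfo" <<'EOF'
93 80 0:61 / / rw,relatime - overlay overlay rw,lowerdir=/l/X,upperdir=/u/X
94 93 0:62 / /etc/crypto-policies/back-ends rw,relatime - overlay overlay rw
95 93 0:63 / /proc rw,nosuid - proc proc rw
EOF
    printf '%s\n' "$2" > "$1/config"
}

# Demo on the two constructed cases: DEFAULT (the bug) and FIPS (consistent).
for policy in DEFAULT FIPS; do
    d=$(mktemp -d)
    write_sample "$d" "$policy"
    check_policy_consistency "$d/mountinfo" "$d/config" || true
    rm -rf "$d"
done
```

Inside a real container, pass /proc/self/mountinfo and /etc/crypto-policies/config instead of the constructed files.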
- links to: RHSA-2023:122557 container-tools:rhel8 security, bug fix, and enhancement update