From ec381c10fc6080b1e2594cbee857725c886566d4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
install/tools/ipa-replica-install | 5 +++++
install/tools/ipa-server-install | 5 +++++
install/tools/ipactl | 6 ++++++
ipa-client/ipa-install/ipa-client-install | 4 ++++
4 files changed, 20 insertions(+)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d3b520abf635ccc324b74bca31f241960a33d950..70190b718965518803b9767325d58f9526c32f7c 100755
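--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -457,6 +457,11 @@ def main():
 if os.geteuid() != 0:
 sys.exit("\nYou must be root to run this script.\n")
 
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA server in FIPS mode")
+
 standard_logging_setup(log_file_name, debug=options.debug)
 root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
 root_logger.debug('IPA version %s' % version.VENDOR_VERSION)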
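Review bot: The FIPS probe added after the root check here is pasted again, nearly verbatim, in ipa-server-install, ipactl and ipa-client-install, so the path `/proc/sys/crypto/fips_enabled` and the `!= '0'` rule now live in four places that can drift apart. A single helper in a module that all four tools can import would keep the policy in one spot. It would also give a home for a comment explaining why a missing file is read as "FIPS off" while any content other than `0` is read as "on", which is the fail-closed side. main() starts and ends outside this hunk, and the right module for the helper is not visible from here.

```python
FIPS_FLAG = '/proc/sys/crypto/fips_enabled'


def is_fips_enabled():
    # No flag file means the kernel exposes no FIPS switch: treat as off.
    if not os.path.exists(FIPS_FLAG):
        return False
    with open(FIPS_FLAG, 'r') as f:
        # Anything other than '0' counts as enabled, so odd content fails closed.
        return f.read().strip() != '0'

# … in main(), after the root check …
    if is_fips_enabled():
        sys.exit("Cannot install IPA server in FIPS mode")
```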
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4fd4d8171ab89b805449a6625e9c5ea2d0921fa5..3b748aaab37fa8806ebc7a4983ed97cc8243a9c4 100755
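--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -662,6 +662,11 @@ def main():
 if os.getegid() != 0:
 sys.exit("Must be root to set up server")
 
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA server in FIPS mode")
+
 tasks.check_selinux_status()
 
 signal.signal(signal.SIGTERM, signal_handler)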
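Review bot: The new FIPS check sits directly behind a root guard that tests `os.getegid()`, the effective group id, while the matching guard in ipa-replica-install tests `os.geteuid()`; ipa-client-install uses `os.getegid()` as well. Those guard lines are context that this commit does not touch, but since the change adds a second precondition at the same spot it is a natural moment to make them agree, e.g. `if os.geteuid() != 0:`. Whether a process with group 0 and a non-root uid can reach this code in practice is not visible from the hunk.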
diff --git a/install/tools/ipactl b/install/tools/ipactl
index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab3bd508d4 100755
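--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -480,6 +480,12 @@ def main():
 elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
 raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+ if (args[0] in ('start', 'restart') and
+ os.path.exists('/proc/sys/crypto/fips_enabled')):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ raise IpactlError("Cannot start IPA server in FIPS mode")
+
 # check if IPA is configured at all
 try:
 check_IPA_configuration()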
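Review bot: `raise IpactlError("Cannot start IPA server in FIPS mode")` passes no exit code, whereas the `IpactlError` raised just above for an unrecognized action passes `2`. The class definition is outside the hunk, so the status a caller of `ipactl start` receives here depends on a default that a reader cannot see. Passing it explicitly, `raise IpactlError("Cannot start IPA server in FIPS mode", <rval>)` with whatever value the project reserves for a refused start, lets service managers and monitoring tell this refusal apart from other failures. The gate covers only `start` and `restart`, which looks intended so that `stop` and `status` keep working on a host where FIPS was enabled after installation; a one-line comment such as `# stop/status stay available so a FIPS-enabled host can still be shut down` would record that.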
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..53d969ee0b607a4392a008daebaf3befc0785084 100755
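--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2865,6 +2865,10 @@ def main():
 
 if not os.getegid() == 0:
 sys.exit("\nYou must be root to run ipa-client-install.\n")
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA client in FIPS mode")
 tasks.check_selinux_status()
 logging_setup(options)
 root_logger.debug(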
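Review bot: The refusal at `sys.exit("Cannot install IPA client in FIPS mode")` runs before `logging_setup(options)`, so an unattended enrollment that stops here leaves only a line on stderr and nothing in the install log. Moving the four added lines below `logging_setup(options)` and logging before the exit, `root_logger.error("Cannot install IPA client in FIPS mode")`, would keep a record of why the host was not enrolled. ipa-replica-install has the same ordering relative to `standard_logging_setup`. The added block here also lacks the blank line that sets it apart from the root check in the other three files; main() continues outside the hunk.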
--
2.1.0