diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata
index 85b905d..76ab63f 100644
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@@ -1 +1 @@
-cd143a381b920b2175b5faac4b0a9a03f2d9c541 SOURCES/crypto-policies-git21ffdc8.tar.gz
+bca7f9bff61fcb2c905a139b90575e8623744dc4 SOURCES/crypto-policies-git23e1bf1.tar.gz
diff --git a/.gitignore b/.gitignore
index ecd3135..3a0975e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/crypto-policies-git21ffdc8.tar.gz
+SOURCES/crypto-policies-git23e1bf1.tar.gz
diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec
index 2c58158..28da638 100644
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@@ -1,17 +1,19 @@
-%global git_date 20190613
-%global git_commit_hash 21ffdc8
+%global git_date 20191128
+%global git_commit_hash 23e1bf1
+
+%global _python_bytecompile_extra 0
 Name: crypto-policies
 Version: %{git_date}
-Release: 1.git%{git_commit_hash}%{?dist}
-Summary: Systemwide crypto policies
+Release: 2.git%{git_commit_hash}%{?dist}
+Summary: System-wide crypto policies
 License: LGPLv2+
 URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # This is a tarball of the git repository without the .git/
 # directory.
-# For RHEL-8 we use the upstream branch next-default.
+# For RHEL-8 we use the upstream branch rhel8.
 Source0: crypto-policies-git%{git_commit_hash}.tar.gz
 BuildArch: noarch
@@ -34,9 +36,9 @@ Requires: sed
 Requires(post): coreutils
 Requires(post): grep
 Requires(post): sed
-# Temporarily switched off
-# Conflicts: nss < 3.44.0
+Conflicts: nss < 3.44.0
 Conflicts: libreswan < 3.28
+Conflicts: openssh < 8.0p1
 # used by fips-mode-setup
 Recommends: grubby
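Review bot: The two `Conflicts:` lines on nss and openssh in the `@@ -34,9 +36,9 @@` hunk now carry no rationale — the removed `# Temporarily switched off` was the only comment — so a maintainer cannot tell which generated back-end config each minimum version protects, and the floor could be relaxed later without anyone noticing the dependency. A short comment above them would record it, e.g. `# older nss/openssh cannot consume the generated back-end configs (see %changelog)`. The changelog entries further down tie the nss bound to X25519 being enabled in the NSS policy; the openssh entry only says "incompatible", so the comment should not claim more than the page supports.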
@@ -52,34 +54,47 @@ to enable or disable the system FIPS mode.
 %prep
 %setup -q -n %{name}
-# Temporarily remove CURVE25519 from the NSS config
-for f in back-ends/nss.pl tests/outputs/*-nss.txt ; do sed -i -E 's/CURVE25519:?//' $f ; done
-
-
 %build
-make %{?_smp_mflags}
+%make_build
 %install
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
+
 %check
 make check %{?_smp_mflags}
-%post
-%{_bindir}/update-crypto-policies --no-check >/dev/null
+%posttrans
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 %files
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
 %dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
 %config(noreplace) %{_sysconfdir}/crypto-policies/config
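Review bot: The new `%posttrans` line discards stderr together with the exit status (`>/dev/null 2>/dev/null || :`), so a failed regeneration of the `%ghost`ed back-end configs under %{_sysconfdir}/crypto-policies/back-ends leaves the host on stale or missing policy files with nothing in the transaction log to show it. Keeping the scriptlet non-fatal is right for an rpm scriptlet, but stderr should stay visible: `%{_bindir}/update-crypto-policies --no-check >/dev/null || :`. Two smaller points in the same hunk: the `%py_byte_compile` line uses `%{_datadir}` while every other path in the spec uses `%{_datarootdir}`, so one macro should be chosen for consistency; and the `ln` loop expands `$f` and `$d` unquoted — the paths come from the buildroot, so this is not an injection concern, but `"$f"` costs nothing and keeps a policy name with a space from breaking the link step.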
@@ -95,6 +110,7 @@ make check %{?_smp_mflags}
 %ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
 %ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %{_bindir}/update-crypto-policies
 %{_bindir}/fips-mode-setup
@@ -103,18 +119,49 @@ make check %{?_smp_mflags}
 %{_mandir}/man8/update-crypto-policies.8*
 %{_mandir}/man8/fips-mode-setup.8*
 %{_mandir}/man8/fips-finish-install.8*
-%{_datarootdir}/crypto-policies/LEGACY/*
-%{_datarootdir}/crypto-policies/DEFAULT/*
-%{_datarootdir}/crypto-policies/FUTURE/*
-%{_datarootdir}/crypto-policies/FIPS/*
-%{_datarootdir}/crypto-policies/EMPTY/*
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+%{_datarootdir}/crypto-policies/python
 %{!?_licensedir:%global license %%doc}
 %license COPYING.LESSER
 %changelog
+* Mon Dec 16 2019 Tomáš Mráz - 20191128-2.git23e1bf1
+- move the pre-built .config files to /usr/share/crypto-policies/back-ends
+
+* Fri Nov 29 2019 Tomáš Mráz - 20191128-1.git23e1bf1
+- fips-mode-setup: compatibility with RHCOS
+
+* Thu Nov 28 2019 Tomáš Mráz - 20191127-1.git1179826
+- add FIPS subpolicy for OSPP
+
+* Tue Oct 29 2019 Tomáš Mráz - 20191022-1.gite17cc3a
+- custom crypto policies support
+- update-crypto-policies: fix handling of list operations in policy modules
+- update-crypto-policies: fix updating of the current policy marker
+- fips-mode-setup: fixes related to containers and non-root execution
+- make it possible to use fips-mode-setup --check without dracut
+- add .config symlinks so a crypto policy can be set with read-only
+ /etc by bind-mounting /usr/share/crypto-policies/ to
+ /etc/crypto-policies/back-ends
+- run the update-crypto-policies in posttrans
+
+* Wed Aug 7 2019 Tomáš Mráz - 20190807-1.git9b1477b
+- gnutls: enable TLS-1.3 in the FIPS policy
+
+* Mon Aug 5 2019 Tomáš Mráz - 20190613-2.git21ffdc8
+- fix ownership of policy directories
+- nss: enable X25519 in appropriate policies
and conflict with old nss
+- openssh: conflict with old incompatible openssh version
+
 * Thu Jun 13 2019 Tomáš Mráz - 20190613-1.git21ffdc8
 - openssh: add missing curve25519-sha256 to the key exchange list
 - openssh: fix RSA certificate support