From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
install/tools/ipactl | 6 ++++++
ipa-client/ipa-install/ipa-client-install | 4 ++++
ipaserver/install/server/install.py | 5 +++++
ipaserver/install/server/replicainstall.py | 5 +++++
4 files changed, 20 insertions(+)
diff --git a/install/tools/ipactl b/install/tools/ipactl
|
|
|
590d18 |
index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9052f19cb 100755
|
|
|
e3ffab |
--- a/install/tools/ipactl
|
|
|
e3ffab |
+++ b/install/tools/ipactl
|
|
|
590d18 |
@@ -532,6 +532,12 @@ def main():
|
|
|
e3ffab |
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
|
|
|
e3ffab |
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
|
|
|
e3ffab |
|
|
|
e3ffab |
+ if (args[0] in ('start', 'restart') and
|
|
|
e3ffab |
+ os.path.exists('/proc/sys/crypto/fips_enabled')):
|
|
|
e3ffab |
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
|
|
|
e3ffab |
+ if f.read().strip() != '0':
|
|
|
e3ffab |
+ raise IpactlError("Cannot start IPA server in FIPS mode")
|
|
|
e3ffab |
+
|
|
|
e3ffab |
# check if IPA is configured at all
|
|
|
e3ffab |
try:
|
|
|
e3ffab |
check_IPA_configuration()
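Review bot: The FIPS probe added here in main() is repeated verbatim in the ipa-client-install, install.py and replicainstall.py hunks of this patch, so four copies have to stay in sync whenever the path or the condition changes. Each copy tests `os.path.exists()` and then opens the file as a separate step, and nothing visible in the hunk turns a failed read into the same clean refusal. A single shared helper that reads `/proc/sys/crypto/fips_enabled` once and treats only a missing file as "not FIPS" would keep the guard fail-closed and consistent; `errno` would have to be imported wherever the helper lives. Separately, the new `IpactlError` is raised without the explicit return code that the "Unrecognized action" call just above it passes, which is worth confirming as intended. main() starts and continues outside the hunk.

```python
# shared helper; which module hosts it is left to the maintainers
def is_fips_enabled():
    """Return True when the kernel reports FIPS mode as enabled."""
    try:
        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
            # anything other than '0' (including an empty read) counts as enabled
            return f.read().strip() != '0'
    except IOError as e:
        if e.errno == errno.ENOENT:
            # no procfs entry: same outcome as the os.path.exists() test
            return False
        raise

# ... unchanged: action validation in main() ...
    if args[0] in ('start', 'restart') and is_fips_enabled():
        raise IpactlError("Cannot start IPA server in FIPS mode")
```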
|
|
|
e3ffab |
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
|
|
|
2e9388 |
index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755
|
|
|
e3ffab |
--- a/ipa-client/ipa-install/ipa-client-install
|
|
|
e3ffab |
+++ b/ipa-client/ipa-install/ipa-client-install
|
|
|
2e9388 |
@@ -3051,6 +3051,10 @@ def main():
|
|
|
e3ffab |
|
|
|
e3ffab |
if not os.getegid() == 0:
|
|
|
e3ffab |
sys.exit("\nYou must be root to run ipa-client-install.\n")
|
|
|
e3ffab |
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
|
|
|
e3ffab |
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
|
|
|
e3ffab |
+ if f.read().strip() != '0':
|
|
|
e3ffab |
+ sys.exit("Cannot install IPA client in FIPS mode")
|
|
|
e3ffab |
tasks.check_selinux_status()
|
|
|
e3ffab |
logging_setup(options)
|
|
|
e3ffab |
root_logger.debug(
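Review bot: The FIPS refusal in main() runs before `logging_setup(options)`, so the exit message is printed but presumably never reaches the installer log that the later steps write to. Moving the check below `logging_setup(options)` and logging the reason before `sys.exit("Cannot install IPA client in FIPS mode")` would leave a record for whoever diagnoses the failed enrolment. The check is also unconditional at this point: if main() dispatches uninstallation further down (not visible in this hunk), a host switched to FIPS mode after enrolment could no longer be unenrolled with this tool, so the guard may need to skip that path. main() begins and continues outside the hunk.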
|
|
|
590d18 |
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
|
590d18 |
index f62874f085ee3ae478fc769465fe375abc4465e6..67af71011fe16d17ce1db857a1c99b2125a3590d 100644
|
|
|
590d18 |
--- a/ipaserver/install/server/install.py
|
|
|
590d18 |
+++ b/ipaserver/install/server/install.py
|
|
|
590d18 |
@@ -303,6 +303,11 @@ def install_check(installer):
|
|
|
590d18 |
|
|
|
590d18 |
dogtag_constants = dogtag.install_constants
|
|
|
590d18 |
|
|
|
590d18 |
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
|
|
|
590d18 |
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
|
|
|
590d18 |
+ if f.read().strip() != '0':
|
|
|
590d18 |
+ sys.exit("Cannot install IPA server in FIPS mode")
|
|
|
590d18 |
+
|
|
|
590d18 |
tasks.check_selinux_status()
|
|
|
590d18 |
|
|
|
590d18 |
if options.master_password:
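Review bot: Nothing next to the guard added in install_check() says why a FIPS-enabled host is refused, and the same applies to the identical block in the replicainstall.py hunk. A comment above the `if`, such as `# Refuse to install on a FIPS-enabled host, see https://bugzilla.redhat.com/show_bug.cgi?id=1131570`, would tell a later maintainer which ticket to check before relaxing the test. Any content other than `0`, including an empty read, is treated as FIPS enabled; that fail-closed choice looks deliberate and is worth stating in the same comment. install_check() continues outside the hunk.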
|
|
|
590d18 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
590d18 |
index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f55a75201 100644
|
|
|
590d18 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
590d18 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
590d18 |
@@ -312,6 +312,11 @@ def install_check(installer):
|
|
|
590d18 |
options = installer
|
|
|
590d18 |
filename = installer.replica_file
|
|
|
590d18 |
|
|
|
590d18 |
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
|
|
|
590d18 |
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
|
|
|
590d18 |
+ if f.read().strip() != '0':
|
|
|
590d18 |
+ sys.exit("Cannot install IPA server in FIPS mode")
|
|
|
590d18 |
+
|
|
|
590d18 |
tasks.check_selinux_status()
|
|
|
590d18 |
|
|
|
590d18 |
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
--
2.4.3