pkg/subscriptions: add /etc/crypto-policies/config in fips mode #1667
LGTM
/hold
/hold cancel
LGTM
Source: cryptoPoliciesConfigFile, | ||
Destination: policyConfig, | ||
Type: "bind", | ||
Options: []string{"bind", "rprivate"}, |
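Review bot: `Options: []string{"bind", "rprivate"}` leaves this mount writable from inside the container, and nothing at the mount says whether that is intended. If it is, add a one-line comment beside the Options field stating why the file must stay writable; if it is not, append "ro" to the slice.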
Should this be Mounted R/O?
If it is, one can't switch policy to something else.
If it is not, one can, and I don't see why not allow it.
SELinux would break writing to this directory anyways, so I don't see mounting the file read/only would be likely to break anything.
Currently the container can write this file, if we now mount ro over it, it may cause breakage. But yes you are right, SELinux blocks access so I have to relabel.
Make sure /etc/crypto-policies/config is bind mounted from the host so it does contain the proper FIPS value and a reinstall of crypto-policies-scripts does not overwrite the existing files with the default config. We create a tmpfile and write FIPS to it so we can bind mount it and the container can change the config if needed.
Fixes https://issues.redhat.com/browse/RHEL-9836
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
SELinux would block the container from writing to this directory, so this would only break users with SELinux disabled within the container. I would argue that allowing users to write to this directory should be considered a security problem, since the container could unexpectedly change the security of the host system. And this needs to be changed immediately because it could be considered a severe bug. If users want the container to write to this directory they could add their own volume mount with read/write.
We are not bind mounting from the host, the policy content must be within the container image and of course the container can write to that. The existing bind mount is Now my patch adds a mount for Now whether the container should be allowed to change the policy is far beyond my understanding of FIPS rules. If someone thinks that must be changed to ro then please clearly state this on the RHEL bug because that would affect the existing mount as well.
Ok if the content is coming from container private storage, then I don't care and you are right the container should be allowed to do whatever it wants with the content. /approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Luap99, rhatdan
Make sure /etc/crypto-policies/config is bind mounted from the host so it does contain the proper FIPS value and a reinstall of crypto-policies-scripts does not overwrite the existing files with the default config.
Fixes https://issues.redhat.com/browse/RHEL-9836
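
The mechanism the commit message describes (write FIPS to a temporary file, then bind mount it over /etc/crypto-policies/config), as an added Go example that is not the PR's code. The `Mount` struct, `fipsPolicyMount`, the `readOnly` switch and the 0644 mode are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
)

// Mount is a hypothetical stand-in for the runtime's mount spec type.
type Mount struct {
	Source, Destination, Type string
	Options                   []string
}

// containerPolicyConfig is the in-container path named in the PR title.
const containerPolicyConfig = "/etc/crypto-policies/config"

// fipsPolicyMount writes "FIPS\n" to a new file under dir (assumed to be
// container-private storage, not a host path) and returns a bind mount that
// places it over the container's policy config. readOnly appends "ro", the
// option debated in the review thread.
func fipsPolicyMount(dir string, readOnly bool) (Mount, error) {
	f, err := os.CreateTemp(dir, "crypto-policies-config-")
	if err != nil {
		return Mount{}, err
	}
	defer f.Close()
	if _, err := f.WriteString("FIPS\n"); err != nil {
		os.Remove(f.Name())
		return Mount{}, err
	}
	// CreateTemp uses mode 0600; widen it (an assumption of this example) so
	// non-root processes in the container can still read the policy name.
	if err := f.Chmod(0o644); err != nil {
		os.Remove(f.Name())
		return Mount{}, err
	}
	opts := []string{"bind", "rprivate"}
	if readOnly {
		opts = append(opts, "ro")
	}
	return Mount{Source: f.Name(), Destination: containerPolicyConfig, Type: "bind", Options: opts}, nil
}

func main() {
	m, err := fipsPolicyMount(os.TempDir(), false)
	if err != nil {
		panic(err)
	}
	defer os.Remove(m.Source)
	fmt.Printf("%+v\n", m)
}
```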