From 123d8197707e4c773281f68ab7b9128d6c500342 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin
Date: Tue, 13 Aug 2024 12:45:09 +0200
Subject: [PATCH] security: call /usr/libexec/fips-setup-helper

crypto-policies now ships a helper for anaconda to call in order to just "do the right thing" and make it not anaconda's responsibility.
---
 anaconda.spec.in | 2 +-
 pyanaconda/modules/security/installation.py | 9 +++------
 pyanaconda/modules/security/security.py | 2 +-
 .../modules/security/test_module_security.py | 6 +++---
 4 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/anaconda.spec.in b/anaconda.spec.in
index 4b805e37917..cda2697c4aa 100644
--- a/anaconda.spec.in
+++ b/anaconda.spec.in
@@ -136,7 +136,7 @@ Requires: python3-pid
 # Required by the systemd service anaconda-fips.
 Requires: crypto-policies
-Requires: /usr/bin/update-crypto-policies
+Requires: crypto-policies-scripts
 # required because of the rescue mode and VNC question
 Requires: anaconda-tui = %{version}-%{release}
diff --git a/pyanaconda/modules/security/installation.py b/pyanaconda/modules/security/installation.py
index d591e1f1a69..82eae14896c 100644
--- a/pyanaconda/modules/security/installation.py
+++ b/pyanaconda/modules/security/installation.py
@@ -159,13 +159,10 @@ def run(self):
 log.debug("Don't set up FIPS on %s.", conf.target.type.value)
 return
- # We use the --no-bootcfg option as we don't want fips-mode-setup
- # to modify the bootloader configuration. Anaconda already does
- # everything needed & it would require grubby to be available on
- # the system.
+ # Bootloader is not modified. Anaconda already does everything needed.
 util.execWithRedirect(
- "fips-mode-setup",
- ["--enable", "--no-bootcfg"],
+ "/usr/libexec/fips-setup-helper",
+ ["anaconda"],
 root=self._sysroot
 )
diff --git a/pyanaconda/modules/security/security.py b/pyanaconda/modules/security/security.py
index 36e4966c9bf..a931ab2c7b0 100644
--- a/pyanaconda/modules/security/security.py
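Review bot: The return value of `util.execWithRedirect("/usr/libexec/fips-setup-helper", ["anaconda"], root=self._sysroot)` in `run()` (pyanaconda/modules/security/installation.py) is discarded, so a non-zero exit from the helper would let the task finish normally while the installed system is left without its FIPS configuration. Assuming execWithRedirect returns the exit status (its definition is not part of this patch), capture it with `rc = util.execWithRedirect(...)` and follow it with `if rc != 0:` raising the module's installation error with the exit code in the message. This matters more now that the call targets a new path under /usr/libexec that an older target package set may not ship. The shortened comment could also state what the `anaconda` argument asks the helper to do, since the rationale attached to `--no-bootcfg` was removed. `run()` begins above this hunk.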
+++ b/pyanaconda/modules/security/security.py
@@ -194,7 +194,7 @@ def collect_requirements(self):
 # Add FIPS requirements.
 if self.fips_enabled:
 requirements.append(Requirement.for_package(
- "/usr/bin/fips-mode-setup",
+ "crypto-policies-scripts",
 reason="Required for FIPS compliance."
 ))
diff --git a/tests/unit_tests/pyanaconda_tests/modules/security/test_module_security.py b/tests/unit_tests/pyanaconda_tests/modules/security/test_module_security.py
index bda13f8fb66..9f83fcea05f 100644
--- a/tests/unit_tests/pyanaconda_tests/modules/security/test_module_security.py
+++ b/tests/unit_tests/pyanaconda_tests/modules/security/test_module_security.py
@@ -322,7 +322,7 @@ def test_fips_requirements(self, kernel_arguments_mock):
 assert self.security_interface.CollectRequirements() == [
 {
 "type": get_variant(Str, "package"),
- "name": get_variant(Str, "/usr/bin/fips-mode-setup"),
+ "name": get_variant(Str, "crypto-policies-scripts"),
 "reason": get_variant(Str, "Required for FIPS compliance.")
 }
 ]
@@ -1014,7 +1014,7 @@ def test_configure_fips_task(self, mock_util):
 task.run()
 mock_util.execWithRedirect.assert_called_once_with(
- "fips-mode-setup",
- ["--enable", "--no-bootcfg"],
+ "/usr/libexec/fips-setup-helper",
+ ["anaconda"],
 root="/mnt/sysroot"
 )
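Review bot: In `collect_requirements` (pyanaconda/modules/security/security.py) the FIPS requirement changes from a file path that named the executable to the bare package name `crypto-policies-scripts`, which no longer guarantees that the binary the install task runs in the sysroot, `/usr/libexec/fips-setup-helper`, is present on the target. A target repository carrying an older crypto-policies-scripts without the helper would satisfy this requirement, and the FIPS step would then fail only at run time. If the payload can resolve file paths under /usr/libexec, requiring `"/usr/libexec/fips-setup-helper"` keeps the old guarantee; otherwise add a comment such as `# crypto-policies-scripts must be a release that ships /usr/libexec/fips-setup-helper`. The `Requires: crypto-policies-scripts` line in anaconda.spec.in is unversioned in the same way. The function body extends beyond this hunk.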