Make FIPS not use ReadonlyRootfsManager as due to systemd-sysext …

…usage we wont be able to make `/usr` writeable anymore (#15000)
truenas · Nov 21, 2024 · 9640b06 · 9640b06
1 parent d8105ea
commit 9640b06
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/debian/debian/preinst b/debian/debian/preinst
@@ -0,0 +1,5 @@
+#!/bin/sh -ex
+
+mkdir -p /var/lib/ssl
+mv /usr/lib/ssl/fipsmodule.cnf /var/lib/ssl/fipsmodule.cnf
+ln -s /var/lib/ssl/fipsmodule.cnf /usr/lib/ssl/fipsmodule.cnf
diff --git a/src/freenas/debian/preinst b/src/freenas/debian/preinst
diff --git a/src/middlewared/middlewared/scripts/configure_fips.py b/src/middlewared/middlewared/scripts/configure_fips.py
@@ -5,7 +5,6 @@
 import subprocess
 
 from middlewared.utils.db import query_config_table
-from middlewared.utils.rootfs import ReadonlyRootfsManager
 
 
 FIPS_MODULE_FILE = '/usr/lib/ssl/fipsmodule.cnf'
@@ -43,14 +42,12 @@ def main() -> None:
     try:
         security_settings = query_config_table('system_security')
     except (sqlite3.OperationalError, IndexError):
-        # This is for the case when users are upgrading and in that case table will not exist
+        # This is for the case when users are upgrading and in that case table will not exist,
         # so we should always disable fips as a default because users might not be able to ssh
         # into the system
         security_settings = {'enable_fips': False}
 
-    with ReadonlyRootfsManager('/') as readonly_rootfs:
-        readonly_rootfs.make_writeable()
-        configure_fips(security_settings['enable_fips'])
+    configure_fips(security_settings['enable_fips'])
 
 
 if __name__ == '__main__':