From 9640b06cef77882e87c77bf6ff2551d2d7874b5d Mon Sep 17 00:00:00 2001
From: themylogin
Date: Thu, 21 Nov 2024 23:28:43 +0100
Subject: [PATCH] Make FIPS not use `ReadonlyRootfsManager` as due to `systemd-sysext` usage we wont be able to make `/usr` writeable anymore (#15000)

---
 debian/debian/preinst | 5 +++++
 src/freenas/debian/preinst | 0
 src/middlewared/middlewared/scripts/configure_fips.py | 7 ++-----
 3 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 debian/debian/preinst
 mode change 100644 => 100755 src/freenas/debian/preinst

diff --git a/debian/debian/preinst b/debian/debian/preinst
new file mode 100644
index 0000000000000..df24f8c64de96
--- /dev/null
+++ b/debian/debian/preinst
@@ -0,0 +1,5 @@
+#!/bin/sh -ex
+
+mkdir -p /var/lib/ssl
+mv /usr/lib/ssl/fipsmodule.cnf /var/lib/ssl/fipsmodule.cnf
+ln -s /var/lib/ssl/fipsmodule.cnf /usr/lib/ssl/fipsmodule.cnf
diff --git a/src/freenas/debian/preinst b/src/freenas/debian/preinst
old mode 100644
new mode 100755
diff --git a/src/middlewared/middlewared/scripts/configure_fips.py b/src/middlewared/middlewared/scripts/configure_fips.py
index 821ef4fbd2ae9..4ae05c4fe2a74 100755
--- a/src/middlewared/middlewared/scripts/configure_fips.py
+++ b/src/middlewared/middlewared/scripts/configure_fips.py
@@ -5,7 +5,6 @@
 import subprocess
 
 from middlewared.utils.db import query_config_table
-from middlewared.utils.rootfs import ReadonlyRootfsManager
 
 FIPS_MODULE_FILE = '/usr/lib/ssl/fipsmodule.cnf'
 
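Review bot: The `mv` and `ln -s` lines in the new debian/debian/preinst are not idempotent, and under `sh -ex` that matters: a preinst is run again on every later install or upgrade, at which point `/usr/lib/ssl/fipsmodule.cnf` is presumably already the symlink, so `mv` would replace `/var/lib/ssl/fipsmodule.cnf` with a link pointing at itself (losing the relocated FIPS module configuration, including its integrity data) and the following `ln -s` would then fail on an existing path and abort the package operation. The same abort happens on a first install if the source file does not exist yet, since `mv` has no source to move. Guarding both steps on the current state of the path keeps the script safe to re-run; `mkdir -p` also inherits the process umask, so if the directory must be exactly `0755` consider `install -d -m 0755 /var/lib/ssl` instead.
```sh
#!/bin/sh -ex

mkdir -p /var/lib/ssl
# Relocate only a real file; on re-runs the path is already the symlink.
if [ -f /usr/lib/ssl/fipsmodule.cnf ] && [ ! -L /usr/lib/ssl/fipsmodule.cnf ]; then
    mv /usr/lib/ssl/fipsmodule.cnf /var/lib/ssl/fipsmodule.cnf
fi
[ -L /usr/lib/ssl/fipsmodule.cnf ] || ln -s /var/lib/ssl/fipsmodule.cnf /usr/lib/ssl/fipsmodule.cnf
```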
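Review bot: `FIPS_MODULE_FILE = '/usr/lib/ssl/fipsmodule.cnf'` is kept unchanged in the first configure_fips.py hunk, but after this commit that path is only writable because debian/debian/preinst turns it into a symlink into `/var/lib/ssl`; nothing in the script records that dependency, and a future reader will wonder how a script that no longer makes the rootfs writable can update a file under `/usr`. A one-line comment above the constant would capture it: `# Symlink into /var/lib/ssl (created by debian/preinst): /usr is read-only under systemd-sysext, so writes must land on the link target`. If the location ever needs to be referenced directly, naming the target path next to the constant would also avoid the two paths drifting apart.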
@@ -43,14 +42,12 @@ def main() -> None: try: security_settings = query_config_table('system_security') except (sqlite3.OperationalError, IndexError): - # This is for the case when users are upgrading and in that case table will not exist + # This is for the case when users are upgrading and in that case table will not exist, # so we should always disable fips as a default because users might not be able to ssh # into the system security_settings = {'enable_fips': False} - with ReadonlyRootfsManager('/') as readonly_rootfs: - readonly_rootfs.make_writeable() - configure_fips(security_settings['enable_fips']) + configure_fips(security_settings['enable_fips']) if __name__ == '__main__':
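Review bot: The added `configure_fips(security_settings['enable_fips'])` call in main() drops the write-enable context but adds no handling for the write to `FIPS_MODULE_FILE` failing, which is now the likely failure mode rather than an impossible one: if the preinst relocation has not happened (path still a regular file on read-only `/usr`, or a dangling symlink), the script will presumably exit with an unhandled `OSError` traceback rather than a message saying what state it expected. main() starts outside the hunk and the body of configure_fips is not visible here, so the exact exception is inferred from the file path; if it does write the file, wrapping the call so the failure names the path makes the boot-time log actionable.
```python
    try:
        configure_fips(security_settings['enable_fips'])
    except OSError as e:
        # /usr is read-only under systemd-sysext; the path must be the symlink set up by debian/preinst
        raise SystemExit(f'Unable to update {FIPS_MODULE_FILE}: {e}') from e
```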