We want to make sure that FreeIPA can be installed on a system in FIPS enforcing mode and that basic functionality is working correctly.
For a full FIPS mode system it is necessary to reconfigure the system and then reboot the entire OS. For most problems it is sufficient to just put the userspace in a fake FIPS mode. Ondrej Moris came up with a clever trick using mount --bind:
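    # Marker file that userspace crypto libraries look for
    echo "userspace fips" > /etc/system-fips
    # Fake flag file holding "1", bind-mounted over the kernel's flag
    mkdir -p /var/tmp/userspace-fips
    echo 1 > /var/tmp/userspace-fips/fips_enabled
    mount --bind \
        /var/tmp/userspace-fips/fips_enabled \
        /proc/sys/crypto/fips_enabled
    # Switch the system-wide crypto policy to FIPS
    update-crypto-policies --set FIPS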
The trick makes all user space programs think that the system is running in FIPS enforcing mode. That's sufficient enough for a smoke test and will catch most to all userspace problems with FIPS.
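A check a test harness could run to tell the bind-mount trick above apart from real kernel FIPS mode, so smoke-test results are not mistaken for full FIPS coverage. This is an added example, not part of the original ticket; the function name `fips_state` and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the FIPS state that userspace sees.
# Prints one of: disabled | kernel | userspace-only
# Usage: fips_state [FLAG_FILE] [MOUNTINFO_FILE]

FIPS_FLAG=/proc/sys/crypto/fips_enabled

# Constructed sample mountinfo content (not captured from a real host).
SAMPLE_PLAIN='22 60 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw'
SAMPLE_BIND="$SAMPLE_PLAIN
95 22 253:0 /var/tmp/userspace-fips/fips_enabled /proc/sys/crypto/fips_enabled rw,relatime shared:1 - xfs /dev/mapper/vg-root rw"

fips_state() {
    flag_file=${1:-$FIPS_FLAG}
    mountinfo=${2:-/proc/self/mountinfo}

    # Missing flag file, or any value other than 1: FIPS looks off.
    [ -r "$flag_file" ] || { echo disabled; return 0; }
    [ "$(tr -d '[:space:]' < "$flag_file")" = 1 ] || { echo disabled; return 0; }

    # Field 5 of a mountinfo line is the mount point. An entry whose mount
    # point is the flag path itself means a file was mounted over the
    # kernel's flag, which is what the mount --bind trick does.
    if awk -v p="$FIPS_FLAG" '$5 == p { found = 1 } END { exit !found }' "$mountinfo"
    then
        echo userspace-only
    else
        echo kernel
    fi
}

# Report the state of the host this script runs on.
fips_state
```

A result of `userspace-only` means only userspace believes FIPS is enforced; the kernel's own crypto self-tests and restrictions are not active.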
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3897
master:
ipa-4-8:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)