Disable EMS check without changing /usr/share

These changes disable EMS checks when FIPS is enabled by changing configuration files in /etc. The link /etc/pki/tls/fips_local.cnf that points to a configuration file within the FIPS crypto policy is replaced with a regular file, and Options=RHNoEnforceEMSinFIPS is added to the crypto_policy section in /etc/pki/tls/openssl.cnf Signed-off-by: Arik Hadas <[email protected]>
ahadas · Sep 5, 2023 · a1671ed · a1671ed
1 parent b8dfca6
commit a1671ed
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/virt-v2v/cold/BUILD.bazel b/virt-v2v/cold/BUILD.bazel
@@ -63,9 +63,9 @@ container_image(
 container_run_and_commit_layer(
     name = "no-ems-in-fips",
     commands = [
-        "touch /usr/share/crypto-policies/back-ends/FIPS/openssl_fips.config",
-        "echo -ne '[fips_sect]\ntls1-prf-ems-check = 0\nactivate = 1' >> /usr/share/crypto-policies/back-ends/FIPS/openssl_fips.config",
-        "echo -ne '[crypto_policy]\nOptions=RHNoEnforceEMSinFIPS' >> /usr/share/crypto-policies/back-ends/FIPS/opensslcnf.config",
+        "rm /etc/pki/tls/fips_local.cnf",
+        "echo -e '[fips_sect]\ntls1-prf-ems-check = 0\nactivate = 1' > /etc/pki/tls/fips_local.cnf",
+        "sed -i '/^\\[ crypto_policy \\]/a Options=RHNoEnforceEMSinFIPS' /etc/pki/tls/openssl.cnf",
     ],
     image = ":virt-v2v-image.tar",
 )