
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Podman ignores FIPS policy modifiers #23214

Open rhatdan opened 2 months ago

rhatdan commented 2 months ago

Discussed in https://github.com/containers/podman/discussions/23213

Originally posted by **ihatethecloud** July 3, 2024

https://github.com/containers/podman/blob/b5bfd7233b1a3d500f0df1968dfcc2bd5c3c30ce/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go#L347-L395

podman-4.9.4-1 on almalinux 8.10

If the user has a crypto-policy modifier there is no way for him to have it inside the container.

1 - Create a policy modifier

```
# /usr/share/crypto-policies/policies/modules/TEST-MOD.pmod
cipher = -AES-256-CBC
```

2 - Activate the policy

```
update-crypto-policies --set FIPS:TEST-MOD
```

3 - Reboot

4 - Check crypto-policy

```
cat /etc/crypto-policies/config
FIPS:TEST-MOD
```

5 - Check inside container

```
podman run --rm -it almalinux:8.9 cat /etc/crypto-policies/config
FIPS
```

6 - Try with bind volume

```
podman run --rm -v /etc/crypto-policies/:/etc/crypto-policies/ -it almalinux:8.9 cat /etc/crypto-policies/config
FIPS
```
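A checker for the drift reproduced in the steps above, added here as an example; it is not code from the reporter or from podman. The `policy_*` functions only parse the `BASE[:MODIFIER...]` string that `update-crypto-policies --set` writes to /etc/crypto-policies/config, so they run anywhere. `check_image` is assumed to run on a FIPS-mode host with podman on PATH and an image that ships coreutils; it compares both the config label and the digest of the generated OpenSSL back-end file, because an unchanged label says nothing about whether a modifier such as `-AES-256-CBC` actually reached the container.

```shell
#!/bin/sh
# Added example, not from the issue or from podman. Compares the crypto-policy
# the host selected with what a container reports, and flags dropped modifiers.
# Assumption: /etc/crypto-policies/config holds one line of the form
# BASE[:MODIFIER[:MODIFIER...]], as written by update-crypto-policies --set.

# Base policy: everything before the first ':' (e.g. FIPS).
policy_base() {
    printf '%s' "${1%%:*}"
}

# Modifiers: everything after the first ':' (e.g. TEST-MOD), empty if none.
policy_modifiers() {
    case "$1" in
        *:*) printf '%s' "${1#*:}" ;;
        *)   printf '' ;;
    esac
}

# Exit status 0 when the container's policy differs from the host's in base
# or in modifiers (the situation reported above), 1 when they agree.
policy_diverged() {
    pd_host=$1
    pd_container=$2
    [ "$(policy_base "$pd_host")" != "$(policy_base "$pd_container")" ] && return 0
    [ "$(policy_modifiers "$pd_host")" != "$(policy_modifiers "$pd_container")" ] && return 0
    return 1
}

# Live check (needs podman and a FIPS-mode host; not exercised offline).
# Compares the config label and the OpenSSL back-end file the policy generates,
# since a matching label alone does not prove the effective policy matches.
check_image() {
    ci_image=$1
    ci_backend=/etc/crypto-policies/back-ends/opensslcnf.config
    ci_host_policy=$(cat /etc/crypto-policies/config)
    ci_container_policy=$(podman run --rm "$ci_image" cat /etc/crypto-policies/config)
    ci_host_digest=$(sha256sum "$ci_backend" | cut -d' ' -f1)
    ci_container_digest=$(podman run --rm "$ci_image" sha256sum "$ci_backend" | cut -d' ' -f1)
    ci_status=0
    if policy_diverged "$ci_host_policy" "$ci_container_policy"; then
        printf 'MISMATCH config: host=%s container=%s\n' "$ci_host_policy" "$ci_container_policy"
        ci_status=1
    fi
    if [ "$ci_host_digest" != "$ci_container_digest" ]; then
        printf 'MISMATCH %s: host=%s container=%s\n' "$ci_backend" "$ci_host_digest" "$ci_container_digest"
        ci_status=1
    fi
    [ "$ci_status" -eq 0 ] && printf 'OK: container honours host policy %s\n' "$ci_host_policy"
    return "$ci_status"
}
```

Run `check_image almalinux:8.9` on the host from the report; with the modifier active it prints a config mismatch (host `FIPS:TEST-MOD`, container `FIPS`) and returns non-zero, which is what a CI gate for FIPS-modified hosts would key on. The back-end digest comparison is the stronger signal: if the OpenSSL configuration differs, the container is negotiating with a different cipher set than the host administrator intended, regardless of what the label says.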
github-actions[bot] commented 1 month ago

A friendly reminder that this issue had no activity for 30 days.