[apparmor] [patch] add FIPS support to abstractions/openssl

Christian Boltz apparmor at cboltz.de
Fri Jan 3 18:11:29 UTC 2014


<patch description stolen from Lars Vogdt>

The "/proc/sys/crypto/fips_enabled r," should IMHO be integrated in the
upstream abstractions/openssl as this is not critical if you run without 
FIPS, but it will produce a lot of log entries on systems like SLES that 
are FIPS aware.

</stolen patch description>

References: https://bugzilla.novell.com/show_bug.cgi?id=857122#c2

=== modified file 'profiles/apparmor.d/abstractions/openssl'
--- profiles/apparmor.d/abstractions/openssl    2011-08-08 20:22:03
+++ profiles/apparmor.d/abstractions/openssl    2014-01-03 18:07:23
@@ -10,4 +10,5 @@
   /etc/ssl/openssl.cnf r,
   /usr/share/ssl/openssl.cnf r,
+  @{PROC}/sys/crypto/fips_enabled r,


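Review bot: the added "@{PROC}/sys/crypto/fips_enabled r," rule carries no comment saying why an OpenSSL abstraction needs to read a /proc path, unlike the self-explanatory openssl.cnf rules above it; a one-line comment above the rule noting that FIPS-aware OpenSSL builds read this flag would help anyone auditing the abstraction later. The description quotes the literal /proc/sys/crypto/fips_enabled while the rule uses @{PROC}, so the commit message should say the variable form is intentional; it resolves only in profiles that include the tunables defining @{PROC}. Limiting the grant to "r" on this single file is the right scope.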
Christian Boltz
I wonder how we ended up with baseurl and extra_url, now we are missing
one with a "-" like "data-dir" to violate consistency and the principle
of least surprise in all possible ways. 
[Duncan Mac-Vicar Prett in bnc#449842]
