On 19. 06. 19 at 12:00 Tomas Mraz wrote:
> On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote:
> > On 18. 06. 19 at 21:50 Ben Cotton wrote:
> > >
> > > https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies
> > >
> > > == Summary ==
> > > This new feature of crypto-policies allows system administrators and
> > > third party providers to modify and adjust the existing system-wide
> > > crypto policies to enable or disable algorithms and protocols.
> > >
> > > == Owner ==
> > > * Name: [[User:Tmraz | Tomáš Mráz]]
> > > * Email: tmraz(a)redhat.com
> > >
> > > == Detailed Description ==
> > >
> > > The crypto-policies package will be enhanced to allow system
> > > administrators to modify the existing system-wide crypto policy levels
> > > by removing or adding enabled algorithms and protocols. For example it
> > > will be possible to easily modify the existing DEFAULT
> > I just wonder what the strategy is here? Does it mean that the
> > "DEFAULT" definition will be stored permanently somewhere in /usr/ and
> > I'll be able to copy the DEFAULT into /etc and modify it according to
> > my needs?
> >
> > I am just asking because, AFAIK, currently the crypto policies
> > configuration is stored just in /etc, and modifying the "DEFAULT"
> > profile would make the updates problematic, requiring someone to file
> > with .rpmnew files etc. That would be unfortunate.
> The configuration files will be created by a simple Python application
> (which update-crypto-policies will transform into). You will
> specify just the modifications that should be made to the base policy.
> Please see
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/custom-policies
> to get the idea.
> We might continue shipping the "unmodified" configurations in
> /usr/share, but I do not see much benefit in that except for the
> sysadmin being able to look at what the unmodified individual
> configurations look like without applying the policy to the system.
Looking at the "unmodified" configuration is a great benefit in itself.
Being able to `rm -rf /etc/cryptopolicies` (or whatever the right folder
is) to restore the original configuration would be even better. But
maybe "update-crypto-policies" creates configuration files for several
crypto libraries, so this might not be possible without modification of
those libraries, dunno.

Vít
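The "specify only the modifications to a base policy" approach Tomas describes, with the base left untouched and the result derived from it, as an added Python example that is not from this thread or the crypto-policies project; the policy keys, the base/modifier text and the `-X` / `X+` modifier syntax are assumptions for illustration.

```python
from typing import Dict, List

Policy = Dict[str, List[str]]

# Constructed base policy, standing in for the unmodified DEFAULT profile
# (the pristine copy that could be kept under /usr/share).
BASE_POLICY = """\
hash = SHA2-256 SHA2-384 SHA2-512
tls_protocol = TLS1.3 TLS1.2 TLS1.1
mac = HMAC-SHA2-256 HMAC-SHA2-384
"""

# Constructed modifier holding only the administrator's deltas.
# Assumed syntax: '-X' removes X, 'X+' appends X at lowest preference.
MODIFIER = """\
# drop the legacy protocol, keep everything else as shipped
tls_protocol = -TLS1.1
# allow SHA1 as a last resort
hash = SHA1+
"""

def parse_policy(text: str) -> Policy:
    """Parse 'key = v1 v2 ...' lines into ordered lists; '#' starts a comment."""
    policy: Policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, values = line.partition("=")
            policy[key.strip()] = values.split()
    return policy

def apply_modifier(base: Policy, modifier: Policy) -> Policy:
    """Return a copy of base with the modifier applied; base stays untouched.
    Removing an algorithm the base does not list is an error, not a no-op,
    so a misspelled '-SHA1' cannot silently leave SHA1 enabled."""
    result = {k: list(v) for k, v in base.items()}
    for key, tokens in modifier.items():
        cur = result.setdefault(key, [])
        for tok in tokens:
            if tok.startswith("-"):
                if tok[1:] not in cur:
                    raise ValueError(f"{key}: cannot remove absent {tok[1:]}")
                cur.remove(tok[1:])
            elif tok.endswith("+"):
                if tok[:-1] not in cur:
                    cur.append(tok[:-1])
            else:
                raise ValueError(f"{key}: unknown modifier token {tok!r}")
    return result
```

Because the base is copied rather than edited in place, the shipped profile can always be re-derived, which is the property the `rm -rf` restore idea above relies on.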