fedora33: update-crypto-policies --set LEGACY

[hswong3i]

Follow up for #173, where both files are still missing during initial vagrant up:

• /etc/polkit-1/rules.d/49-vagrant.rules
• /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf

In case it is SELinux related, at least chcon is just used for temporary changes but not as persistent as semanage fcontext should be.

[hswong3i]

@ladar something I had tried:

• Install polkit in scripts/fedora33/dnf.sh: though out all provisioning (even until scripts/common/lockout.sh), both /etc/polkit-1/rules.d/49-vagrant.rules and /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf are existing with correct setup; BTW once vagrant up it rollback as nothing
• Setting SELINUX=permissive: similar as above, also get rollback as SELINUX=enforcing after initial vagrant up

[hswong3i]

@ladar I checked with https://app.vagrantup.com/fedora/boxes/33-cloud-base, their patch exists and working during initial vagrant up, where vagrant ssh also working perfectly:

[vagrant@cheph9ohg3he-1 ~]$ sudo su -
[root@cheph9ohg3he-1 ~]# ls -la /etc/ssh/sshd_config.d/
total 16
drwx------. 2 root root 4096 Oct 19 23:41 .
drwxr-xr-x. 4 root root 4096 Nov  8 06:17 ..
-rw-r--r--. 1 root root  133 Oct 19 23:41 10-vagrant-insecure-rsa-key.conf
-rw-------. 1 root root 1002 Sep 29 14:03 50-redhat.conf
[root@cheph9ohg3he-1 ~]# cat /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf 
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa

[ladar]

I looked this over. I don't think its needed. It changes the file system contexts/permissions, but I don't think new context is correct for the given directories (if there is such a think as "correct").

My guess is the files aren't showing up is because your using the 3.1.0 boxes which don't have this change. About 24 hours ago I released the latest boxes (3.1.2) and based on my testing, they work just. These boxes contain theupdate-crypto-policies --set LEGACY fix.

A new set of boxes should be uploading over the next few days (aka 3.1.2, and some of those Fedora 33 boxes will have the newer fix. I think all, just not sure.

Either way, I'm kicking off the 3.1.6 today, and I know all of those boxes will have the current fix when they upload. So I'm gonna close this ticket. If you still have trouble once the 3.1.6 boxes upload, please reopen it.

[hswong3i]

A new set of boxes should be uploading over the next few days (aka 3.1.2, and some of those Fedora 33 boxes will have the newer fix. I think all, just not sure.

Confirmed 3.1.2 including update-crypto-policies --set LEGACY fix:

$ vagrant box list | grep fedora33
generic/fedora33     (libvirt, 3.1.2)
$ vagrant ssh
Last login: Wed Nov 11 03:54:37 2020 from 192.168.121.1
[vagrant@ugaeg9geicuz-1 ~]$ sudo su -
Last login: Wed Nov 11 03:54:40 UTC 2020 on pts/0
[root@ugaeg9geicuz-1 ~]# update-crypto-policies --show
LEGACY