On Thursday, May 03, 2012 09:29:15 AM Daniel P. Berrange wrote: > On Wed, May 02, 2012 at 03:32:56PM -0400, Paul Moore wrote: > > static void vnc_set_share_mode(VncState *vs, VncShareMode mode) > > { > > #ifdef _VNC_DEBUG > > > > @@ -2748,6 +2772,14 @@ void vnc_display_init(DisplayState *ds) > > > > dcl->idle = 1; > > vnc_display = vs; > > > > + vs->fips = fips_enabled(); > > + VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled")); > > +#ifndef _WIN32 > > + if (vs->fips) { > > + syslog(LOG_NOTICE, "Disabling VNC password auth due to FIPS > > mode\n"); + } > > +#endif /* _WIN32 */ > > I really think this should only be done if a password is actually set. > With the code as it is, then every single time you launch a VM you're > going to get this message in syslog, which makes it appear as if something > is trying to illegally use passwords in FIPS mode. I feel this will cause > admins/auditors to be worried about something being wrong, when in fact > everything is normal.
Yep. I can see arguments for either location but I'll go ahead and move it in v3 which I will be posting shortly.

-- 
paul moore
security and virtualization @ redhat
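
Review bot: In the vnc_display_init hunk, the syslog() call inside `if (vs->fips)` fires whenever FIPS mode is detected, with no check that VNC password auth was actually requested, so the notice says nothing about whether a password was configured. Moving it to the point where a password is set and refused would make the log entry meaningful to an auditor. Two smaller points in the same block: the syslog() format string ends in "\n", and syslog does not need a trailing newline; and because the call sits under `#ifndef _WIN32`, Windows builds report the FIPS state only through the VNC_DEBUG line, so a host-independent error report would be worth considering there.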