FIPS Weirdness with Standalone Binaries

Company I work for makes a set of supplementary enterprise-integrations and STIG-hardeners for RHEL6/7/8 systems (the automation-content that comes from DISA and the content included in the oscap RPMs is not complete enough to make Tenable fully happy). Normally, we prescribe to our users installation via PyPI (pip). However, some of our users are on isolated networks and don't have PyPI access. So we started creating standalone binaries that contained all the Python and other, associated content. Worked decently well, for nearly half a decade, now, on RHEL 7 systems - with or without FIPS enabled. However, we're trying to extend coverage to RHEL 8 systems. Package installs just fine if the default security-profile is set. However, if FIPS mode has been enabled, execution of the binary aborts with a:

# watchmaker
fips.c(145): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)

While Google has popped up a few things on the error, none have proven helpful to resolving the problem. Tried using strace to see what, exactly, it was choking on, but nothing jumped out from the (very copious) output.

Wondering if anyone's run into similar and what their fix was (trying to avoid telling users, "turn off FIPS, reboot, run the tool, then turn FIPS back on").

Anyway, thanks in advance for any ideas.