Preserve extended attributes when copying files using dracut-install.
The copying of extended attributes avoids file execution denials when
the Linux Integrity Measurement's Appraisal mode is active. In that mode
executables need their file signatures copied. In particular, this patch
solves the problem that dependent libaries are not included in the
initramfs since the copied programs could not be executed due to missing
signatures. The following audit record shows the type of failure that
is now prevented:
type=INTEGRITY_DATA msg=audit(1477409025.492:30065): pid=922 uid=0
auid=4294967295 ses=4294967295
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
op="appraise_data" cause="IMA-signature-required"
comm="ld-linux-x86-64"
name="/var/tmp/dracut.R6ySa4/initramfs/usr/bin/journalctl"
dev="dm-0" ino=37136 res=0
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of cat'ing the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.
This patch first attempts to write the pathname, but on failure falls
back to cat'ing the IMA policy contents .
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Dracut changes working directory before attempting to output files under
$DRACUT_TMPDIR , resulting in an IO failure if $DRACUT_TMPDIR is a path
relative to the working directory when dracut was started.
Fixes: https://github.com/dracutdevs/dracut/issues/156
Signed-off-by: David Disseldorp <ddiss@suse.de>
This is a further improvement on PR #105 which re-adds support for nfs:// urls to root=live:nfs://... Symptoms prior to applying this patch are that sysroot.mount times out when following the nfs:// syntax for the path to the live image. An additional case is added to livenet-generator to support the nfs protocol.
ip=2620:0052:0000:2220:0226:b9ff:fe81:cde4::[2620:0052:0000:2220:0000:0000:0000:03fe]:64::ibft0:none
should be
ip=[2620:0052:0000:2220:0226:b9ff:fe81:cde4]::[2620:0052:0000:2220:0000:0000:0000:03fe]:64::ibft0:none
https://bugzilla.redhat.com/show_bug.cgi?id=1322592#c19
(cherry picked from commit b8e6c051c6)
use inst() instead of inst_simple()
/etc/pki/tls/certs/ca-bundle.crt is a symlink to
../../ca-trust/extracted/pem/tls-ca-bundle.pem
with inst() we install the original file also.
https://bugzilla.redhat.com/show_bug.cgi?id=1341280
(cherry picked from commit 1b23c6c65c)
add check_vol_slaves_all to be used in check_block_and_slaves_all
otherwise only the first lvm VG member would be processed
(cherry picked from commit 7a7b8c1740)
Mike Gilbert