Bug 1165603

Summary: Add libfreeblpriv3.so and libfreeblpriv3.chk to modules-install in dracut-fips
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Mraz <tmraz>
Component: dracutAssignee: Harald Hoyer <harald>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: arubin, bperkins, dracut-maint-list, harald, jstodola, mbanas, omoris, pvrabec, rrelyea
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 08:21:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1112660, 1153602    

Description Tomas Mraz 2014-11-19 10:30:59 UTC 
There were found serious problems with calling prelink during the libfreebl3.so library startup. As a solution this library was split into libfreebl3.so and libfreeblpriv3.so so the prelink is not called during the libfreebl3.so startup and libfreeblpriv3.so that is dlopened by libfreebl3.so can be thus completely blacklisted from prelinking.

However that means that libfreeblpriv3.so needs to be explicitly added to the images generated by dracut-fips.

Please add libfreeblpriv3.so and libfreeblpriv3.chk to modules-install.

Note also that libfreebl3.chk is not present anymore.
Comment 3 Harald Hoyer 2014-11-28 14:33:24 UTC 
*** Bug 1168927 has been marked as a duplicate of this bug. ***
Comment 9 Jan Stodola 2015-01-06 11:50:31 UTC 
Harald,
both packages are present in initramfs and booting in FIPS mode works fine, but the list of files to install now also includes "and":

[root@localhost 01fips]# rpm -q dracut
dracut-033-227.el7.x86_64
[root@localhost 01fips]# pwd
/usr/lib/dracut/modules.d/01fips
[root@localhost 01fips]# grep inst_libdir_file -A 3 module-setup.sh 
    inst_libdir_file libsoftokn3.so libsoftokn3.so \
        libsoftokn3.chk libfreebl3.so libfreebl3.chk \
        libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
        libfreeblpriv3.so and libfreeblpriv3.chk
[root@localhost 01fips]#

Could you please fix that?
Comment 10 Harald Hoyer 2015-01-09 14:11:09 UTC 
(In reply to Jan Stodola from comment #9)
> Harald,
> both packages are present in initramfs and booting in FIPS mode works fine,
> but the list of files to install now also includes "and":
> 
> [root@localhost 01fips]# rpm -q dracut
> dracut-033-227.el7.x86_64
> [root@localhost 01fips]# pwd
> /usr/lib/dracut/modules.d/01fips
> [root@localhost 01fips]# grep inst_libdir_file -A 3 module-setup.sh 
>     inst_libdir_file libsoftokn3.so libsoftokn3.so \
>         libsoftokn3.chk libfreebl3.so libfreebl3.chk \
>         libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
>         libfreeblpriv3.so and libfreeblpriv3.chk
> [root@localhost 01fips]#
> 
> Could you please fix that?

Sure, will fix. although it does not cause any harm, but only try to install "and" from any library directory.
Comment 12 Jan Stodola 2015-01-19 12:03:33 UTC 
[root@localhost ~]# lsinitrd /boot/initramfs-3.10.0-223.el7.x86_64.img | grep -e libfreeblpriv3.so -e libfreeblpriv3.chk
-rw-r--r--   1 root     root          899 Jan 13 16:34 usr/lib64/libfreeblpriv3.chk
-rwxr-xr-x   1 root     root       510320 Jan 13 16:34 usr/lib64/libfreeblpriv3.so
[root@localhost ~]# rpm -q dracut
dracut-033-237.el7.x86_64
[root@localhost ~]#

System boots fine in FIPS mode.

Moving to VERIFIED.
Comment 14 errata-xmlrpc 2015-03-05 08:21:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0375.html