Bug 1812105

Summary: Enabling fapolicyd makes dracut build unusable initramfs
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: fapolicyd
Assignee: Radovan Sroka <rsroka>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Priority: urgent
Version: 8.1
CC: cbesson, jehrmann, sgrubb, thefonzz2625
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Last Closed: 2020-03-24 15:20:13 UTC
Type: Bug

Description Renaud Métrich 2020-03-10 14:26:52 UTC
Description of problem:

A customer who enabled fapolicyd service hit boot issues after a kernel update: the initramfs was "corrupted" and not including many required libraries, due to "ldd" not working anymore.

In a terminal, executing "ldd" shows an unexpected result:

  # ldd /bin/bash
  	not a dynamic executable


  # dracut -f /tmp/initramfs.img $(uname -r)
  # ll /tmp/initramfs.img
  -rw-------. 1 root root 11280564 Mar 10 15:17 /tmp/initramfs.img

  --> invalid size (too small)

  # lsinitrd /tmp/initramfs.img | grep libc.so
  
  --> no output, was expecting:

  -rw-r--r--   1 root     root          253 Nov  6 16:07 usr/lib64/libc.so
  lrwxrwxrwx   1 root     root           12 Nov  6 16:07 usr/lib64/libc.so.6 -> libc-2.28.so



Version-Release number of selected component (if applicable):

fapolicyd-0.8.10-3.el8_1.1.x86_64


How reproducible:

ALWAYS


Steps to Reproduce:
1. Start fapolicyd

  # systemctl start fapolicyd

2. Execute dracut or ldd

  # ldd /bin/bash

Actual results:

  "not a dynamic executable"

  OR

  "
  linux-vdso.so.1 (0x00007ffce8ff7000)
  libtinfo.so.6 => not found
  libdl.so.2 => not found
  libc.so.6 => not found
  "

Comment 2 Renaud Métrich 2020-03-10 14:38:36 UTC
Rule being hit when executing "ldd /bin/bash" is:

# Prevent execution by ld.so
deny_audit pattern=ld_so all

Mar 10 15:36:33 vm-rhel8 fapolicyd[16127]: rule:3 dec=deny_audit auid=0 pid=16152 exe=/usr/lib64/ld-2.28.so file=/usr/bin/bash
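
Added example, not part of the original report and not code from fapolicyd or dracut: a pre-reboot sanity check built from the symptoms and the log line quoted above. The function names are hypothetical, and the LDD_OK sample is constructed; the other samples are copied from this report with leading whitespace trimmed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of fapolicyd or dracut.

# Succeeds only if `ldd` output on stdin resolved at least one library to a
# path and shows neither failure shape from this report.
ldd_output_ok() {
    awk '/not a dynamic executable/ || /=> not found/ { bad = 1 }
         /=> \//                                       { seen = 1 }
         END { exit (bad || !seen) }'
}

# Succeeds only if an `lsinitrd` listing on stdin contains libc.so.6.
initrd_has_libc() {
    grep -Eq '/libc\.so\.6( |$)'
}

# Prints "rule exe file" for each fapolicyd deny decision in the log lines on
# stdin whose executing program is the dynamic loader (ld-*.so*).
ld_so_denials() {
    sed -n 's|.*rule:\([0-9]*\) dec=deny[a-z_]* .* exe=\([^ ]*/ld-[^ ]*\.so[^ ]*\) file=\([^ ]*\).*|\1 \2 \3|p'
}

# Samples. LDD_OK is constructed; the rest are copied from the report.
NOT_DYNAMIC='not a dynamic executable'
NOT_FOUND='linux-vdso.so.1 (0x00007ffce8ff7000)
libc.so.6 => not found'
LDD_OK='linux-vdso.so.1 (0x00007ffce8ff7000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
LSINITRD_OK='lrwxrwxrwx   1 root     root           12 Nov  6 16:07 usr/lib64/libc.so.6 -> libc-2.28.so'
DENY_LOG='Mar 10 15:36:33 vm-rhel8 fapolicyd[16127]: rule:3 dec=deny_audit auid=0 pid=16152 exe=/usr/lib64/ld-2.28.so file=/usr/bin/bash'

# Demo on the samples. On a live host the inputs would be:
#   ldd /bin/bash 2>&1 | ldd_output_ok
#   lsinitrd /tmp/initramfs.img | initrd_has_libc
#   journalctl -u fapolicyd | ld_so_denials
printf '%s\n' "$NOT_DYNAMIC" | ldd_output_ok || echo "ldd unusable: do not boot an initramfs built now"
printf '%s\n' "$DENY_LOG" | ld_so_denials
```

Running the first two checks after every dracut rebuild, and before rebooting, catches an initramfs that was built while ldd was being denied.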

Comment 6 thefonzz2625 2020-04-02 16:28:09 UTC
Is fapolicyd just going to stay disabled?

Comment 7 Renaud Métrich 2020-04-03 07:42:27 UTC
Hi,

The BZ has been closed because the fix will be delivered as part of fapolicyd-0.8.10-3.el8_1.3