Bug 1165603 - Add libfreeblpriv3.so and libfreeblpriv3.chk to modules-install in dracut-fips
Summary: Add libfreeblpriv3.so and libfreeblpriv3.chk to modules-install in dracut-fips
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dracut
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Harald Hoyer
QA Contact: Release Test Team
URL:
Whiteboard:
Duplicates: 1168927
Depends On:
Blocks: 1112660 1153602
Reported: 2014-11-19 10:30 UTC by Tomas Mraz
Modified: 2015-03-05 08:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 08:21:40 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0375 0 normal SHIPPED_LIVE dracut bug fix and enhancement update 2015-03-05 12:50:34 UTC

Description Tomas Mraz 2014-11-19 10:30:59 UTC
Serious problems were found with calling prelink during the libfreebl3.so library startup. As a solution, this library was split into libfreebl3.so and libfreeblpriv3.so, so that prelink is not called during the libfreebl3.so startup, and libfreeblpriv3.so, which is dlopened by libfreebl3.so, can thus be completely blacklisted from prelinking.

However that means that libfreeblpriv3.so needs to be explicitly added to the images generated by dracut-fips.

Please add libfreeblpriv3.so and libfreeblpriv3.chk to modules-install.

Note also that libfreebl3.chk is not present anymore.

Comment 3 Harald Hoyer 2014-11-28 14:33:24 UTC
*** Bug 1168927 has been marked as a duplicate of this bug. ***

Comment 9 Jan Stodola 2015-01-06 11:50:31 UTC
Harald,
both packages are present in initramfs and booting in FIPS mode works fine, but the list of files to install now also includes "and":

[root@localhost 01fips]# rpm -q dracut
dracut-033-227.el7.x86_64
[root@localhost 01fips]# pwd
/usr/lib/dracut/modules.d/01fips
[root@localhost 01fips]# grep inst_libdir_file -A 3 module-setup.sh 
    inst_libdir_file libsoftokn3.so libsoftokn3.so \
        libsoftokn3.chk libfreebl3.so libfreebl3.chk \
        libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
        libfreeblpriv3.so and libfreeblpriv3.chk
[root@localhost 01fips]#

Could you please fix that?

Comment 10 Harald Hoyer 2015-01-09 14:11:09 UTC
(In reply to Jan Stodola from comment #9)
> Harald,
> both packages are present in initramfs and booting in FIPS mode works fine,
> but the list of files to install now also includes "and":
> 
> [root@localhost 01fips]# rpm -q dracut
> dracut-033-227.el7.x86_64
> [root@localhost 01fips]# pwd
> /usr/lib/dracut/modules.d/01fips
> [root@localhost 01fips]# grep inst_libdir_file -A 3 module-setup.sh 
>     inst_libdir_file libsoftokn3.so libsoftokn3.so \
>         libsoftokn3.chk libfreebl3.so libfreebl3.chk \
>         libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
>         libfreeblpriv3.so and libfreeblpriv3.chk
> [root@localhost 01fips]#
> 
> Could you please fix that?

Sure, will fix, although it does not cause any harm; it only tries to install "and" from any library directory.
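
The stray "and" discussed in comments 9 and 10 can be caught mechanically before a package ships. The following is an added example, not part of this bug report or of dracut: a shell lint that joins the backslash-continued inst_libdir_file call and reports arguments that do not look like library, .chk or .hmac files, plus repeated arguments. The function names, the embedded sample (copied from comment 9) and the file-suffix heuristic are assumptions.

```shell
#!/bin/sh
# Constructed sample: the inst_libdir_file call exactly as quoted in comment 9.
sample_module_setup() {
cat <<'EOF'
    inst_libdir_file libsoftokn3.so libsoftokn3.so \
        libsoftokn3.chk libfreebl3.so libfreebl3.chk \
        libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10 \
        libfreeblpriv3.so and libfreeblpriv3.chk
EOF
}

# Read a module-setup.sh on stdin and print one finding per line:
#   "stray: X"      argument without a .so / .so.N / .chk / .hmac suffix
#   "duplicate: X"  argument already seen in an earlier position
# The suffix list is a heuristic chosen for the 01fips module (assumption).
lint_libdir_args() {
    awk -v sq="'" '
        # Join backslash-continued lines into one logical line.
        { line = buf $0 }
        line ~ /\\$/ { sub(/\\$/, " ", line); buf = line; next }
        { buf = ""; $0 = line }          # re-split the joined line into fields

        $1 == "inst_libdir_file" {
            for (i = 2; i <= NF; i++) {
                arg = $i
                gsub("[" sq "\"]", "", arg)   # drop shell quoting
                if (seen[arg]++)
                    print "duplicate: " arg
                else if (arg !~ /\.(so(\.[0-9]+)*|chk|hmac)$/)
                    print "stray: " arg
            }
        }
    '
}

# Stand-alone run against the constructed sample.
sample_module_setup | lint_libdir_args
```

Against an installed system the same function can be fed the real file, for example `lint_libdir_args < /usr/lib/dracut/modules.d/01fips/module-setup.sh`.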

Comment 12 Jan Stodola 2015-01-19 12:03:33 UTC
[root@localhost ~]# lsinitrd /boot/initramfs-3.10.0-223.el7.x86_64.img | grep -e libfreeblpriv3.so -e libfreeblpriv3.chk
-rw-r--r--   1 root     root          899 Jan 13 16:34 usr/lib64/libfreeblpriv3.chk
-rwxr-xr-x   1 root     root       510320 Jan 13 16:34 usr/lib64/libfreeblpriv3.so
[root@localhost ~]# rpm -q dracut
dracut-033-237.el7.x86_64
[root@localhost ~]#

System boots fine in FIPS mode.

Moving to VERIFIED.

Comment 14 errata-xmlrpc 2015-03-05 08:21:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0375.html

