Bug 1812105 - Enabling fapolicyd makes dracut build unusable initramfs
Summary: Enabling fapolicyd makes dracut build unusable initramfs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fapolicyd
Version: 8.1
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: 8.0
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-10 14:26 UTC by Renaud Métrich
Modified: 2020-04-03 07:42 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-24 15:20:13 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4893601 0 None None None 2020-03-10 15:33:27 UTC

Description Renaud Métrich 2020-03-10 14:26:52 UTC
Description of problem:

A customer who enabled fapolicyd service hit boot issues after a kernel update: the initramfs was "corrupted" and not including many required libraries, due to "ldd" not working anymore.

In a terminal, executing "ldd" shows unexpected result:

  # ldd /bin/bash
  	not a dynamic executable


  # dracut -f /tmp/initramfs.img $(uname -r)
  # ll /tmp/initramfs.img
  -rw-------. 1 root root 11280564 Mar 10 15:17 /tmp/initramfs.img

  --> invalid size (too small)

  # lsinitrd /tmp/initramfs.img | grep libc.so
  
  --> no output, was expecting:

  -rw-r--r--   1 root     root          253 Nov  6 16:07 usr/lib64/libc.so
  lrwxrwxrwx   1 root     root           12 Nov  6 16:07 usr/lib64/libc.so.6 -> libc-2.28.so



Version-Release number of selected component (if applicable):

fapolicyd-0.8.10-3.el8_1.1.x86_64


How reproducible:

ALWAYS


Steps to Reproduce:
1. Start fapolicyd

  # systemctl start fapolicyd

2. Execute dracut or ldd

  # ldd /bin/bash

Actual results:

  "not a dynamic executable"

  OR

  "
  linux-vdso.so.1 (0x00007ffce8ff7000)
  libtinfo.so.6 => not found
  libdl.so.2 => not found
  libc.so.6 => not found
  "

Comment 2 Renaud Métrich 2020-03-10 14:38:36 UTC
Rule being hit when executing "ldd /bin/bash" is:

# Prevent execution by ld.so
deny_audit pattern=ld_so all

Mar 10 15:36:33 vm-rhel8 fapolicyd[16127]: rule:3 dec=deny_audit auid=0 pid=16152 exe=/usr/lib64/ld-2.28.so file=/usr/bin/bash

Comment 6 thefonzz2625 2020-04-02 16:28:09 UTC
Is fapolicyd just going to stay disabled?

Comment 7 Renaud Métrich 2020-04-03 07:42:27 UTC
Hi,

The BZ has been closed because the fix will be delivered as part of fapolicyd-0.8.10-3.el8_1.3


Note You need to log in before you can comment on or make changes to this bug.