* [PATCH] use cp to copy early.cpio to /boot for restoring default selinux label
@ 2014-02-19 10:18 WANG Chao
From: WANG Chao @ 2014-02-19 10:18 UTC (permalink / raw)
To: Harald Hoyer; +Cc: Dave Young, initramfs-u79uwXL29TY76Z2rM5mHXA
We use mv to move early.cpio from /tmp to /boot, and early.cpio will
retain its file label. But later SELinux will reject kexec from
accessing such a label under /boot.
What we should do is copy early.cpio to /boot, and the new early.cpio
will have a default file label for /boot, so that later SELinux will not
reject access to this file.
Signed-off-by: WANG Chao <chaowang-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
dracut.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dracut.sh b/dracut.sh
index 5267af5..ddfb760 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1469,7 +1469,7 @@ if [[ $create_early_cpio = yes ]]; then
echo 1 > "$early_cpio_dir/d/early_cpio"
# The microcode blob is _before_ the initramfs blob, not after
(cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet >../early.cpio)
- mv $early_cpio_dir/early.cpio $outfile.$$
+ cp $early_cpio_dir/early.cpio $outfile.$$
fi
if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
$compress >> "$outfile.$$"; ); then
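Review bot: The `cp` on the `+` line is not checked, and the cpio pipeline right after it appends with `>> "$outfile.$$"`, so if the copy fails the script carries on and produces an image with no early cpio in front of the initramfs. Fail the run when the copy fails, for example `cp -- "$early_cpio_dir/early.cpio" "$outfile.$$" || exit 1`, and quote both operands, which are unquoted here while the neighbouring lines quote `"$early_cpio_dir/d"` and `"$outfile.$$"`. A one-line comment saying the copy is deliberate (per the commit message, a moved file keeps its old label while a new copy gets the default label for /boot) would stop someone turning it back into `mv` later.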
--
1.8.5.3
* Re: [PATCH] use cp to copy early.cpio to /boot for restoring default selinux label [not found] ` <20140219101842.GA10403-2coKmSd1Zb6BYdNaKHuJJRcY2uh10dtjAL8bYrjMMd8@public.gmane.org> @ 2014-02-19 11:07 ` Harald Hoyer [not found] ` <53049082.6020909-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> 0 siblings, 1 reply; 3+ messages in thread From: Harald Hoyer @ 2014-02-19 11:07 UTC (permalink / raw) To: WANG Chao; +Cc: Dave Young, initramfs-u79uwXL29TY76Z2rM5mHXA On 02/19/2014 11:18 AM, WANG Chao wrote: > We use mv to move early.cpio from /tmp to /boot and early.cpio will > retain the file label. But later selinux will reject kexec from > accessing this such label under /boot. > > What we should do is to copy early.cpio to /boot and the new early.cpio > will have a default file label for /boot. So that later selinux will not > reject accessing to this file. > > Signed-off-by: WANG Chao <chaowang-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > --- > dracut.sh | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/dracut.sh b/dracut.sh > index 5267af5..ddfb760 100755 > --- a/dracut.sh > +++ b/dracut.sh > @@ -1469,7 +1469,7 @@ if [[ $create_early_cpio = yes ]]; then > echo 1 > "$early_cpio_dir/d/early_cpio" > # The microcode blob is _before_ the initramfs blob, not after > (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet >../early.cpio) > - mv $early_cpio_dir/early.cpio $outfile.$$ > + cp $early_cpio_dir/early.cpio $outfile.$$ > fi > if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \ > $compress >> "$outfile.$$"; ); then > What do you think of this patch? It gets rid of any temporary image file. That would also help people with space problems in /boot. diff --git a/dracut.sh b/dracut.sh index 5267af5..a56bc13 100755 --- a/dracut.sh +++ b/dracut.sh 
@@ -808,7 +808,6 @@ fi # clean up after ourselves no matter how we die. trap ' ret=$?; - [[ $outfile ]] && [[ -f $outfile.$$ ]] && rm -f -- "$outfile.$$"; [[ $keep ]] && echo "Not removing $initdir." >&2 || { [[ $initdir ]] && rm -rf -- "$initdir"; }; [[ $keep ]] && echo "Not removing $early_cpio_dir." >&2 || { [[ $early_cpio_dir ]] && rm -Rf -- "$early_cpio_dir"; }; [[ $_dlogdir ]] && rm -Rf -- "$_dlogdir"; @@ -1468,15 +1467,13 @@ dinfo "*** Creating image file ***" if [[ $create_early_cpio = yes ]]; then echo 1 > "$early_cpio_dir/d/early_cpio" # The microcode blob is _before_ the initramfs blob, not after - (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet >../early.cpio) - mv $early_cpio_dir/early.cpio $outfile.$$ + (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile) fi if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \ - $compress >> "$outfile.$$"; ); then - dfatal "dracut: creation of $outfile.$$ failed" + $compress >> "$outfile"; ); then + dfatal "dracut: creation of $outfile failed" exit 1 fi -mv -- "$outfile.$$" "$outfile" dinfo "*** Creating image file done ***" if (( maxloglvl >= 5 )); then ^ permalink raw reply related [flat|nested] 3+ messages in thread
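Review bot: In the `@@ -1468,15 +1467,13 @@` hunk the only truncating write is `> $outfile` inside `if [[ $create_early_cpio = yes ]]`, while the main pipeline always uses `$compress >> "$outfile"`. When no early cpio is created and `$outfile` already exists at this point, the new image is appended to the old file instead of replacing it. Truncate `$outfile` unconditionally before the append, or use `>` in the path without an early cpio, and quote the new redirect target as `> "$outfile"` to match the quoted `>> "$outfile"` below it.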
* Re: [PATCH] use cp to copy early.cpio to /boot for restoring default selinux label [not found] ` <53049082.6020909-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> @ 2014-02-20 3:34 ` WANG Chao 0 siblings, 0 replies; 3+ messages in thread From: WANG Chao @ 2014-02-20 3:34 UTC (permalink / raw) To: Harald Hoyer; +Cc: Dave Young, initramfs-u79uwXL29TY76Z2rM5mHXA On 02/19/14 at 12:07pm, Harald Hoyer wrote: > On 02/19/2014 11:18 AM, WANG Chao wrote: > > We use mv to move early.cpio from /tmp to /boot and early.cpio will > > retain the file label. But later selinux will reject kexec from > > accessing this such label under /boot. > > > > What we should do is to copy early.cpio to /boot and the new early.cpio > > will have a default file label for /boot. So that later selinux will not > > reject accessing to this file. > > > > Signed-off-by: WANG Chao <chaowang-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > > --- > > dracut.sh | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/dracut.sh b/dracut.sh > > index 5267af5..ddfb760 100755 > > --- a/dracut.sh > > +++ b/dracut.sh > > @@ -1469,7 +1469,7 @@ if [[ $create_early_cpio = yes ]]; then > > echo 1 > "$early_cpio_dir/d/early_cpio" > > # The microcode blob is _before_ the initramfs blob, not after > > (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet >../early.cpio) > > - mv $early_cpio_dir/early.cpio $outfile.$$ > > + cp $early_cpio_dir/early.cpio $outfile.$$ > > fi > > if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \ > > $compress >> "$outfile.$$"; ); then > > > > What do you think of this patch? It gets rid of any temporary image file. > That would also help people with space problems in /boot. That works for me. Thanks for providing the fix. WANG Chao > > diff --git a/dracut.sh b/dracut.sh > index 5267af5..a56bc13 100755 > --- a/dracut.sh > +++ b/dracut.sh 
> @@ -808,7 +808,6 @@ fi > # clean up after ourselves no matter how we die. > trap ' > ret=$?; > - [[ $outfile ]] && [[ -f $outfile.$$ ]] && rm -f -- "$outfile.$$"; > [[ $keep ]] && echo "Not removing $initdir." >&2 || { [[ $initdir ]] && rm -rf -- "$initdir"; }; > [[ $keep ]] && echo "Not removing $early_cpio_dir." >&2 || { [[ $early_cpio_dir ]] && rm -Rf -- "$early_cpio_dir"; }; > [[ $_dlogdir ]] && rm -Rf -- "$_dlogdir"; > @@ -1468,15 +1467,13 @@ dinfo "*** Creating image file ***" > if [[ $create_early_cpio = yes ]]; then > echo 1 > "$early_cpio_dir/d/early_cpio" > # The microcode blob is _before_ the initramfs blob, not after > - (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet >../early.cpio) > - mv $early_cpio_dir/early.cpio $outfile.$$ > + (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile) > fi > if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \ > - $compress >> "$outfile.$$"; ); then > - dfatal "dracut: creation of $outfile.$$ failed" > + $compress >> "$outfile"; ); then > + dfatal "dracut: creation of $outfile failed" > exit 1 > fi > -mv -- "$outfile.$$" "$outfile" > dinfo "*** Creating image file done ***" > > if (( maxloglvl >= 5 )); then > ^ permalink raw reply [flat|nested] 3+ messages in thread
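Review bot: With `rm -f -- "$outfile.$$"` dropped from the trap in the `@@ -808,7 +808,6 @@` hunk and the final `mv -- "$outfile.$$" "$outfile"` gone, the image is built in place, so a failed or interrupted run (including the `dfatal` / `exit 1` path) leaves a truncated file under the final name and nothing removes it. Any previous image at that path is also overwritten as soon as writing starts. If saving space in /boot is the goal, have the trap remove a partial `$outfile` when `ret` is non-zero; otherwise keep the temporary `$outfile.$$`, which is created next to `$outfile`, and keep the rename as the last step.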