RHEL-53114

DBus in initramfs fails when /etc/machine-id has more restrictive permissions

    • Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-9.5
    • rhel-9.3.0
    • dracut
    • dracut-057-70.git20240819.el9
    • Moderate
    • Red Hat Enterprise Linux
    • x86_64

      What were you trying to do that didn't work?

      Due to STIG recommendations, the customer has set umask to 0027. While their /etc/machine-id has permissions 444, rebuilding the initramfs causes the /etc/machine-id in the initramfs to have more restrictive permissions; in reproducing, the permissions become 640, but the customer's initramfs is reliably 440. This causes DBus Broker to fail in the initramfs, which cascades to other services failing to start. In the customer's case, this causes nm-initrd to fail, preventing the systems from decrypting LUKS volumes with a Tang server and causing boot failures that require manual intervention to recover.

      Please provide the package NVR for which the bug is seen:

      [root@r9 ~]# dnf list --installed | grep dracut
      dracut.x86_64                                 057-53.git20240104.el9         @rhel-9-for-x86_64-baseos-rpms
      dracut-config-generic.x86_64                  057-53.git20240104.el9         @rhel-9-for-x86_64-baseos-rpms
      dracut-config-rescue.x86_64                   057-53.git20240104.el9         @rhel-9-for-x86_64-baseos-rpms
      dracut-network.x86_64                         057-53.git20240104.el9         @rhel-9-for-x86_64-baseos-rpms
      dracut-squash.x86_64                          057-53.git20240104.el9         @rhel-9-for-x86_64-baseos-rpms

      How reproducible:

      Always

      Steps to reproduce

      1. [root@r9 ~]# grubby --update-kernel=ALL --args="console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 rd.neednet=1 rd.break=mount rd.shell"
        1. Remove whatever is not needed for you. DBus Broker will still break regardless of whether rd.neednet=1 is added; the other parameters make it easier to observe the errors.
      2. [root@r9 ~]# umask 0027
      3. Either of the following commands reliably reproduces the issue:
        1. [root@r9 ~]# dnf install dracut-config-generic -y && dracut -f --regenerate-all
        2. [root@r9 ~]# dracut -f --regenerate-all --no-hostonly
      4. Check /etc/machine-id in the initramfs against the /etc/machine-id on the system:

      [root@r9 ~]# lsinitrd | grep --fixed-strings 'etc/machine-id'
      -rw-r-----   1 root     root            0 Jan  3  2024 etc/machine-id

      [root@r9 ~]# ll /etc/machine-id
      -r--r--r--. 1 root root 33 May 29 15:16 /etc/machine-id

      5. Reboot and monitor the console

      Memory KASLR using RDRAND RDTSC...
      init_cea_offsets KASLR using RDRAND RDTSC...
      Poking KASLR using RDRAND RDTSC...
               Starting D-Bus System Message Bus...
      [  OK  ] Started Show Plymouth Boot Screen.
      [  OK  ] Started Forward Password R…s to Plymouth Directory Watch.
      [  OK  ] Reached target Local Encrypted Volumes.
      [  OK  ] Reached target Path Units.
      [  OK  ] Started D-Bus System Message Bus.
               Starting D-Bus System Message Bus...
      [  OK  ] Started D-Bus System Message Bus.
               Starting D-Bus System Message Bus...
      [  OK  ] Started D-Bus System Message Bus.
               Starting D-Bus System Message Bus...
      [  OK  ] Started D-Bus System Message Bus.
               Starting D-Bus System Message Bus...
      [  OK  ] Started D-Bus System Message Bus.
      [FAILED] Failed to start D-Bus System Message Bus.
      See 'systemctl status dbus-broker.service' for details.
      [FAILED] Failed to start nm-initrd.service.
      See 'systemctl status nm-initrd.service' for details.
      [DEPEND] Dependency failed for nm-wait-online-initrd.service.
      [  OK  ] Reached target Network.
               Starting dracut initqueue hook...
      [  OK  ] Stopped nm-initrd.service.
      [  OK  ] Listening on D-Bus System Message Bus Socket.

       

      Expected results

      /etc/machine-id retains 444 permissions so DBus Broker works

      Actual results

      /etc/machine-id receives more restrictive permissions leading to DBus Broker breaking
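      As an added illustration (not part of this report and not dracut's own code), the following POSIX shell script shows the two things a practitioner would want to verify on an affected host: how a file copied while a restrictive umask is in force ends up with narrower permissions than its source (a 0444 file copied under umask 0027 receives 440, the mode the customer sees), and a check that compares the mode string of etc/machine-id in lsinitrd output with the mode of the host file. It assumes GNU or busybox stat, awk and sed; the lsinitrd listing embedded in it is constructed from the listing above.

```shell
#!/bin/sh
# Added example for RHEL-53114; not part of the report or of dracut.
# 1) demo_copy_under_umask: copy a 0444 file while a restrictive umask is
#    in force and report the mode the copy received (stat -c assumed).
# 2) machine_id_mode_matches: compare the mode string of etc/machine-id in
#    lsinitrd output with the mode string of the host file from 'ls -l'.

# Copy a read-only file under the given umask and print the copy's octal mode.
# cp creates a new target with (source mode & ~umask), so 0444 under 0027 -> 440.
demo_copy_under_umask() {
    um=$1
    d=$(mktemp -d) || return 1
    printf 'constructed-machine-id\n' > "$d/machine-id"   # constructed content
    chmod 0444 "$d/machine-id"
    # umask is per process; set it in a subshell so the caller is unaffected.
    ( umask "$um" && cp "$d/machine-id" "$d/machine-id.copy" ) || { rm -rf "$d"; return 1; }
    stat -c '%a' "$d/machine-id.copy"
    rm -rf "$d"
}

# Extract the mode string (first column) of PATH from an lsinitrd listing.
initrd_mode_of() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { print $1; exit }'
}

# Compare the initramfs mode string with the host one taken from 'ls -l'.
# The trailing '.' or '+' that ls appends for SELinux labels / ACLs is ignored.
# Returns 0 when they match, 1 when the initramfs copy differs or is missing.
machine_id_mode_matches() {
    initrd_mode=$(initrd_mode_of "$1" etc/machine-id)
    host_mode=$(printf '%s' "$2" | sed 's/[.+]$//')
    [ -n "$initrd_mode" ] && [ "$initrd_mode" = "$host_mode" ]
}

# Constructed sample, modelled on the lsinitrd output in the report.
SAMPLE_LSINITRD='-rw-r-----   1 root     root            0 Jan  3  2024 etc/machine-id
-rw-r--r--   1 root     root          131 Jan  3  2024 etc/os-release'

# On a real host the check would be run as:
#   machine_id_mode_matches "$(lsinitrd)" "$(ls -l /etc/machine-id | awk '{print $1}')"
if [ "${1:-}" = "run" ]; then
    echo "copy of a 0444 file under umask 0027 gets mode: $(demo_copy_under_umask 0027)"
    if machine_id_mode_matches "$SAMPLE_LSINITRD" '-r--r--r--.'; then
        echo "initramfs etc/machine-id matches host permissions"
    else
        echo "initramfs etc/machine-id permissions differ from the host file"
    fi
fi
```

      Run it as `sh check-machine-id.sh run` (file name assumed). The check is deliberately limited to the mode string: a mismatch does not by itself prove the initramfs will fail to boot, but a group- or world-unreadable etc/machine-id is exactly the condition this report ties to the dbus-broker failure, so it is the first thing to look at after a rebuild under a non-default umask.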

              Pavel Valena (pvalena@redhat.com)
              Charles Haithcock (rhn-support-chaithco)
              dracut maint mailing list
              Frantisek Sumsal