- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.5
- None
- dracut-057-79.git20241127.el9
- No
- Moderate
- rhel-bootloader
- ssg_core_services
- 24
- 26
- 1
- Dev ack
- False
- False
What were you trying to do that didn't work?
As found by rhn-support-rcheerla, the kernel panicked when booting an initramfs image that was rebuilt while an IMA rule mandated signature verification. This happens because dracut-install doesn't preserve the IMA signature stored in the xattr, so dracut-install failed to run the ld command against library files, as seen in audit.log:
type=INTEGRITY_DATA msg=audit(1723529332.273:634): pid=30143 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="ld-linux-x86-64" name="/var/tmp/dracut.YsHNHe/initramfs/usr/lib64/libnss_sss.so.2" dev="vda4" ino=8609120 res=0 errno=0UID="root" AUID="root"
Upstream dracut has already fixed this issue with 3e1d0bc1 ("fix(dracut-install): copy xattr when use clone ioctl").
Please provide the package NVR for which bug is seen:
dracut-057-53.git20240104.el9.x86_64
How reproducible:
always
Steps to reproduce
- ima-setup --policy=/usr/share/ima/policies/01-appraise-exectuables-and-lib-signatures
- dracut -f
- Reboot the system
Expected results
The rebuilt initramfs image gets booted successfully.
Actual results
The kernel panicked with the following logs:
[ 2.231837] Run /init as init process
/init: error while loading shared libraries: libsystemd-core-252.so: cannot open shared object file: No such file or directory
[ 2.233049] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
[ 2.236867] CPU: 2 PID: 1 Comm: init Not tainted 5.14.0-477.el9.x86_64 #1
[ 2.238224] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20240214-7.fc40 02/14/2024
[ 2.240281] Call Trace:
[ 2.240842] <TASK>
[ 2.243812] dump_stack_lvl+0x34/0x48
[ 2.244566] panic+0x107/0x2bb
[ 2.245168] do_exit.cold+0x15/0x15
[ 2.245930] do_group_exit+0x2d/0x90
[ 2.246599] __x64_sys_exit_group+0x14/0x20
[ 2.247395] do_syscall_64+0x5c/0xf0
[ 2.247962] ? exit_to_user_mode_prepare+0xef/0x100
[ 2.248862] ? syscall_exit_to_user_mode+0x19/0x40
[ 2.249890] ? do_syscall_64+0x6b/0xf0
[ 2.250649] ? __check_object_size.part.0+0x47/0xd0
[ 2.251649] ? __pfx_file_free_rcu+0x10/0x10
[ 2.252583] ? exit_to_user_mode_loop+0xc1/0x130
[ 2.256583] ? exit_to_user_mode_prepare+0xb9/0x100
[ 2.257645] ? syscall_exit_to_user_mode+0x19/0x40
[ 2.258627] ? clear_bhb_loop+0x25/0x80
[ 2.259290] ? clear_bhb_loop+0x25/0x80
[ 2.260393] ? clear_bhb_loop+0x25/0x80
[ 2.261171] ? clear_bhb_loop+0x25/0x80
...
- links to RHBA-2024:143814: dracut bug fix and enhancement update
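An added example, not part of the original report or of dracut: a Python scan of audit.log text for the `INTEGRITY_DATA` appraisal failure quoted in the description, restricted to files under a dracut staging directory, so an affected rebuild can be spotted before the reboot step. The staging-path pattern is inferred from the single path in the report; the names `ima_staging_failures` and `SAMPLE_AUDIT` and all records after the first are constructed for illustration.

```python
import re

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: staging trees look like the one path quoted in the report.
STAGING = re.compile(r'^/var/tmp/dracut\.[^/]+/initramfs(/.*)$')

def _text(value):
    """Audit quotes plain strings and hex-encodes ones with unsafe bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def ima_staging_failures(log_text):
    """Return (path inside initramfs, comm) for every appraisal failure with
    cause=IMA-signature-required on a file under a dracut staging tree."""
    hits = []
    # split("\n"), not splitlines(): splitlines() also breaks on 0x1d.
    for line in log_text.split("\n"):
        # Enriched logs append interpreted fields after a 0x1d separator.
        raw = line.split("\x1d", 1)[0]
        if not raw.startswith("type=INTEGRITY_DATA "):
            continue
        f = dict(FIELD.findall(raw))
        if f.get("op") != "appraise_data" or f.get("cause") != "IMA-signature-required":
            continue
        m = STAGING.match(_text(f.get("name", '""')))
        if m:
            hits.append((m.group(1), _text(f.get("comm", '""'))))
    return hits

# First record: the line quoted in the report. The others are constructed.
_HEX = "/var/tmp/dracut.AAAAAA/initramfs/usr/lib64/lib demo.so".encode().hex().upper()
SAMPLE_AUDIT = "\n".join([
    'type=INTEGRITY_DATA msg=audit(1723529332.273:634): pid=30143 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data cause=IMA-signature-required comm="ld-linux-x86-64" name="/var/tmp/dracut.YsHNHe/initramfs/usr/lib64/libnss_sss.so.2" dev="vda4" ino=8609120 res=0 errno=0UID="root" AUID="root"',
    'type=INTEGRITY_DATA msg=audit(1700000000.100:10): pid=4001 uid=0 op=appraise_data cause=IMA-signature-required comm="ld-linux-x86-64" name=' + _HEX + ' dev="vda4" ino=1001 res=0 errno=0\x1dUID="root"',
    'type=INTEGRITY_DATA msg=audit(1700000000.200:11): pid=4002 uid=0 op=appraise_data cause=IMA-signature-required comm="bash" name="/usr/local/bin/demo" dev="vda4" ino=1002 res=0 errno=0',
    'type=INTEGRITY_DATA msg=audit(1700000000.300:12): pid=4003 uid=0 op=appraise_data cause=invalid-hash comm="ld-linux-x86-64" name="/var/tmp/dracut.AAAAAA/initramfs/usr/lib64/libother.so" dev="vda4" ino=1003 res=0 errno=0',
])

if __name__ == "__main__":
    for path, comm in ima_staging_failures(SAMPLE_AUDIT):
        print(f"{path} (blocked for {comm})")
```

Any hit after `dracut -f` means the staged copies were refused by IMA while dracut-install resolved dependencies, so the resulting image should not be booted until a fixed dracut build has regenerated it.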