Accepting request 236026 from home:msmeissn:branches:Base:System

- dracut-fips-module-loading-fixes.patch: bnc#875855
  - adjust FIPS module list
  - on architecture specific modules, failing loading is not
    critical
- ship 98selinux, for people that want to use SELinux.

OBS-URL: https://build.opensuse.org/request/show/236026
OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=153

dracut-fips-module-loading-fixes.patch

@@ -0,0 +1,53 @@
+Index: dracut-037/modules.d/01fips/module-setup.sh
+===================================================================
+--- dracut-037.orig/modules.d/01fips/module-setup.sh
++++ dracut-037/modules.d/01fips/module-setup.sh
+@@ -18,8 +18,12 @@ installkernel() {
+     _fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "
+     _fipsmodules+="chainiv crc32c crct10dif_generic cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "
+     _fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "
+-    _fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
+-    _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"
++    _fipsmodules+="rmd160 rmd256 rmd320 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
++    _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib "
++    _fipsmodules+="sha512-ssse3 sha1-ssse3 sha256-ssse3 "
++    _fipsmodules+="ghash-clmulni-intel "
++
++    # once it is in the kernel: _fipsmodules+="drbg "
+ 
+     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+ 
+@@ -44,7 +48,9 @@ install() {
+         libsoftokn3.chk libfreebl3.so libfreebl3.chk \
+         libssl.so 'hmaccalc/sha512hmac.hmac' libssl.so.10
+ 
+-    inst_multiple -o prelink
++    # we do not use prelink at SUSE
++    #inst_multiple -o prelink
++
+     inst_simple /etc/system-fips
+ }
+ 
+Index: dracut-037/modules.d/01fips/fips.sh
+===================================================================
+--- dracut-037.orig/modules.d/01fips/fips.sh
++++ dracut-037/modules.d/01fips/fips.sh
+@@ -100,6 +100,18 @@ do_fips()
+                     _found=1
+                     break
+                 done </proc/crypto
++                # If we find some hardware specific modules and cannot load them
++                # it is not a problem, proceed.
++                if [ "$_found" = "0" ]; then
++                    if [    "$_module" != "${_module%-intel}"   \
++                        -o  "$_module" != "${_module%-ssse3}"   \
++                        -o  "$_module" != "${_module%-x86_64}"  \
++                        -o  "$_module" != "${_module%z90}"      \
++                    ]; then
++                        _found=1
++                    fi
++                fi
++                
+                 [ "$_found" = "0" ] && return 1
+             fi
+         fi

dracut.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jun  2 09:07:27 UTC 2014 - meissner@suse.com
+
+- dracut-fips-module-loading-fixes.patch: bnc#875855
+  - adjust FIPS module list
+  - on architecture specific modules, failing loading is not
+    critical
+- ship 98selinux, for people that want to use SELinux.
+
 -------------------------------------------------------------------
 Wed May 28 15:54:26 UTC 2014 - trenn@suse.de
 

dracut.spec

@@ -78,6 +78,7 @@ Patch55:        0042-ibft_autoconfig_param.patch
 Patch56:        0043-fcoe_strip_quotes.patch
 Patch57:        0044-Add_update_bootloader_msg.patch
 Patch58:        0045-add-chown_binary.patch
+Patch59:        dracut-fips-module-loading-fixes.patch
 
 BuildRequires:  asciidoc
 BuildRequires:  bash
@@ -97,10 +98,10 @@ Requires:       pigz
 Requires:       sed
 Requires:       systemd >= 200
 # systemd-sysvinit provides: poweroff, reboot, halt
+Requires:       pixz
 Requires:       systemd-sysvinit
 Requires:       udev > 166
 Requires:       util-linux >= 2.21
-Requires:       pixz
 Recommends:     binutils
 Recommends:     logrotate
 Obsoletes:      mkinitrd < 2.8.2
@@ -171,6 +172,7 @@ and its cryptography during startup.
 %patch56 -p1
 %patch57 -p1
 %patch58 -p1
+%patch59 -p1
 
 %build
 %configure\
@@ -196,11 +198,10 @@ install -m 0755 %{SOURCE2} %{buildroot}%{dracutlibdir}/modules.d/99suse/parse-su
 # remove gentoo specific modules
 rm -fr %{buildroot}%{dracutlibdir}/modules.d/50gensplash
 
-# with systemd IMA and selinux modules do not make sense
+# IMA modules are not supported currently.
 rm -fr %{buildroot}/%{dracutlibdir}/modules.d/96securityfs
 rm -fr %{buildroot}/%{dracutlibdir}/modules.d/97masterkey
 rm -fr %{buildroot}/%{dracutlibdir}/modules.d/98integrity
-rm -fr %{buildroot}/%{dracutlibdir}/modules.d/98selinux
 
 mkdir -p %{buildroot}/boot/dracut
 mkdir -p %{buildroot}%{_localstatedir}/lib/dracut/overlay
@@ -361,6 +362,7 @@ ln -s %{dracutlibdir}/modules.d/45ifcfg/write-ifcfg-redhat.sh %{buildroot}/%{dra
 %{dracutlibdir}/modules.d/97biosdevname
 %{dracutlibdir}/modules.d/98ecryptfs
 %{dracutlibdir}/modules.d/98pollcdrom
+%{dracutlibdir}/modules.d/98selinux
 %{dracutlibdir}/modules.d/98syslog
 %{dracutlibdir}/modules.d/98systemd
 %{dracutlibdir}/modules.d/98usrmount