dracut-027-39.git20130425

- fix shutdown, if /dev/console is not writeable
- fixed fips mode
Resolves: rhbz#956521

0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch

@@ -0,0 +1,22 @@
+From 3be5d63c2fe24252fff92ea9c0ad43d4c7e579bd Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald@redhat.com>
+Date: Fri, 19 Apr 2013 15:00:20 +0200
+Subject: [PATCH] shutdown: redirect output to /dev/console only if it exists
+
+---
+ modules.d/99shutdown/shutdown.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/99shutdown/shutdown.sh b/modules.d/99shutdown/shutdown.sh
+index 6457cb0..f7b8509 100755
+--- a/modules.d/99shutdown/shutdown.sh
++++ b/modules.d/99shutdown/shutdown.sh
+@@ -8,7 +8,7 @@
+ # Harald Hoyer <harald@redhat.com>
+ ACTION="$1"
+ 
+-exec </dev/console >>/dev/console 2>>/dev/console
++[ test -w /dev/console ] && exec </dev/console >>/dev/console 2>>/dev/console
+ 
+ export TERM=linux
+ export PATH=/usr/sbin:/usr/bin:/sbin:/bin

0037-fixup-3be5d63c2f.patch

@@ -0,0 +1,23 @@
+From ab42fe38fd1672f83cd3500771caf321ae25080d Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald@redhat.com>
+Date: Fri, 19 Apr 2013 15:08:16 +0200
+Subject: [PATCH] fixup 3be5d63c2f
+
+either test or []
+---
+ modules.d/99shutdown/shutdown.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/99shutdown/shutdown.sh b/modules.d/99shutdown/shutdown.sh
+index f7b8509..d6a532b 100755
+--- a/modules.d/99shutdown/shutdown.sh
++++ b/modules.d/99shutdown/shutdown.sh
+@@ -8,7 +8,7 @@
+ # Harald Hoyer <harald@redhat.com>
+ ACTION="$1"
+ 
+-[ test -w /dev/console ] && exec </dev/console >>/dev/console 2>>/dev/console
++[ -w /dev/console ] && exec </dev/console >>/dev/console 2>>/dev/console
+ 
+ export TERM=linux
+ export PATH=/usr/sbin:/usr/bin:/sbin:/bin

0038-fixed-fips-mode.patch

@@ -0,0 +1,131 @@
+From 6f4c2dada400f455cf7ee0afcd6bf41974c712d4 Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald@redhat.com>
+Date: Thu, 25 Apr 2013 19:44:01 +0200
+Subject: [PATCH] fixed fips mode
+
+- preserve timestamps
+- copy /lib*/hmaccalc files
+- run sha512hmac after kernel module loading
+- add more fips kernel modules
+---
+ dracut.sh                        |  2 ++
+ install/dracut-install.c         | 10 +++++++++-
+ modules.d/01fips/fips.sh         |  7 ++++---
+ modules.d/01fips/module-setup.sh |  8 +++++---
+ modules.d/99base/dracut-lib.sh   |  2 +-
+ 5 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 586172c..82b4a5f 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1179,6 +1179,8 @@ if [[ $do_strip = yes ]] ; then
+             -executable -not -path '*/lib/modules/*.ko' -print0 \
+             | while read -r -d $'\0' f; do
+             if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
++                && ! [[ -e "/lib/hmaccalc/${f##*/}.hmac" ]] \
++                && ! [[ -e "/lib64/hmaccalc/${f##*/}.hmac" ]] \
+                 && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
+                 && ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
+                 echo -n "$f"; echo -n -e "\000"
+diff --git a/install/dracut-install.c b/install/dracut-install.c
+index 2d0412c..2fad6df 100644
+--- a/install/dracut-install.c
++++ b/install/dracut-install.c
+@@ -214,8 +214,14 @@ static int cp(const char *src, const char *dst)
+                 ret = clone_file(dest_desc, source_desc);
+                 close(source_desc);
+                 if (ret == 0) {
++                        struct timeval tv[2];
+                         if (fchown(dest_desc, sb.st_uid, sb.st_gid) != 0)
+                                 fchown(dest_desc, -1, sb.st_gid);
++                        tv[0].tv_sec = sb.st_atime;
++                        tv[0].tv_usec = 0;
++                        tv[1].tv_sec = sb.st_mtime;
++                        tv[1].tv_usec = 0;
++                        futimes(dest_desc, tv);
+                         close(dest_desc);
+                         return ret;
+                 }
+@@ -230,7 +236,7 @@ static int cp(const char *src, const char *dst)
+  normal_copy:
+         pid = fork();
+         if (pid == 0) {
+-                execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode", "-fL", src, dst, NULL);
++                execlp("cp", "cp", "--reflink=auto", "--sparse=auto", "--preserve=mode,timestamps", "-fL", src, dst, NULL);
+                 _exit(EXIT_FAILURE);
+         }
+ 
+@@ -350,6 +356,8 @@ static int hmac_install(const char *src, const char *dst, const char *hmacpath)
+ 	if (!hmacpath) {
+                 hmac_install(src, dst, "/lib/fipscheck");
+                 hmac_install(src, dst, "/lib64/fipscheck");
++                hmac_install(src, dst, "/lib/hmaccalc");
++                hmac_install(src, dst, "/lib64/hmaccalc");
+         }
+ 
+         srcpath[dlen] = '\0';
+diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
+index 48ad0e6..ce3e49c 100755
+--- a/modules.d/01fips/fips.sh
++++ b/modules.d/01fips/fips.sh
+@@ -51,7 +51,6 @@ mount_boot()
+ 
+ do_fips()
+ {
+-    info "Checking integrity of kernel"
+     KERNEL=$(uname -r)
+ 
+     if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
+@@ -59,8 +58,6 @@ do_fips()
+         return 1
+     fi
+ 
+-    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
+-
+     FIPSMODULES=$(cat /etc/fipsmodules)
+ 
+     info "Loading and integrity checking all crypto modules"
+@@ -72,6 +69,10 @@ do_fips()
+     info "Self testing crypto algorithms"
+     modprobe tcrypt || return 1
+     rmmod tcrypt
++
++    info "Checking integrity of kernel"
++    sha512hmac -c "/boot/.vmlinuz-${KERNEL}.hmac" || return 1
++
+     info "All initrd crypto checks done"
+ 
+     > /tmp/fipsdone
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 8953132..a7f5be8 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -12,9 +12,11 @@ depends() {
+ 
+ installkernel() {
+     local _fipsmodules _mod
+-    _fipsmodules="aead aes_generic xts aes-x86_64 ansi_cprng cbc ccm chainiv ctr gcm ghash_generic"
+-    _fipsmodules+=" des deflate ecb eseqiv hmac seqiv sha256 sha256_generic sha512 sha512_generic"
+-    _fipsmodules+=" cryptomgr crypto_null tcrypt dm-mod dm-crypt lzo"
++    _fipsmodules="aead aes_generic aes-x86_64 ansi_cprng arc4 blowfish camellia cast6 cbc ccm "
++    _fipsmodules+="chainiv crc32c cryptomgr crypto_null ctr cts deflate des des3_ede dm-crypt dm-mod "
++    _fipsmodules+="ecb eseqiv fcrypt gcm ghash_generic hmac khazad lzo md4 md5 michael_mic rmd128 "
++    _fipsmodules+="rmd160 rmd256 rmd320 rot13 salsa20 seed seqiv serpent sha1 sha224 sha256 sha256_generic "
++    _fipsmodules+="sha384 sha512 sha512_generic tcrypt tea tnepres twofish wp256 wp384 wp512 xeta xtea xts zlib"
+ 
+     mkdir -m 0755 -p "${initdir}/etc/modprobe.d"
+ 
+diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh
+index ae79a82..9bd25f4 100755
+--- a/modules.d/99base/dracut-lib.sh
++++ b/modules.d/99base/dracut-lib.sh
+@@ -384,7 +384,7 @@ die() {
+         echo "warn dracut: FATAL: \"$*\"";
+         echo "warn dracut: Refusing to continue";
+     } >> $hookdir/emergency/01-die.sh
+-
++    [ -d /run/initramfs ] || mkdir -p /run/initramfs
+     > /run/initramfs/.die
+     emergency_shell
+     exit 1

dracut.spec

@@ -10,7 +10,7 @@
 
 Name: dracut
 Version: 027
-Release: 36.git20130418%{?dist}
+Release: 39.git20130425%{?dist}
 
 Summary: Initramfs generator using udev
 %if 0%{?fedora} || 0%{?rhel}
@@ -64,6 +64,9 @@ Patch32: 0032-.gitignore-ignore-more-files.patch
 Patch33: 0033-Makefile-remove-dracut-version.sh-on-clean.patch
 Patch34: 0034-base-dracut-lib.sh-do-not-setdebug-if-not-in-initram.patch
 Patch35: 0035-dracut-install-error-out-if-ldd-reports-no-execution.patch
+Patch36: 0036-shutdown-redirect-output-to-dev-console-only-if-it-e.patch
+Patch37: 0037-fixup-3be5d63c2f.patch
+Patch38: 0038-fixed-fips-mode.patch
 
 
 BuildRequires: dash bash git
@@ -472,6 +475,11 @@ rm -rf $RPM_BUILD_ROOT
 %{dracutlibdir}/dracut.conf.d/02-norescue.conf
 
 %changelog
+* Thu Apr 25 2013 Harald Hoyer <harald@redhat.com> 027-39.git20130425
+- fix shutdown, if /dev/console is not writeable
+- fixed fips mode
+Resolves: rhbz#956521
+
 * Thu Apr 18 2013 Harald Hoyer <harald@redhat.com> 027-36.git20130418
 - fix initramfs creation on noexec tmpdir
 Resolves: rhbz#953426