rpms/grub2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

grub.cfg: Fix rpm grub.cfg permission and verification issues

Browse Source 
Fix the rpm verificaton issues (see NOTE below) introduced in 2.06-83 [1].
On the other hand, 2.06-85 [2] introduced a change on grub2-mkconfig where
it prevents overwritting `${EFI_HOME}/grub.cfg` with side effects on the
`%posttrans` scriptlet, where it tries to recreate it in case this
file does not exist but due to [2] the `${EFI}/grub.cfg` file is never
created. Fix the `%posttrans` code with the logic but applied to
${GRUB_HOME}/grub.cfg. On the same scriplet, make sure
${EFI_HOME}/grub.cfg is present before grepping into it. The changes also
fix the issue reported on RHEL-45870 where now /boot/grub2/grub.cfg
conf file has the right permission (-rw-------).

NOTE: With 2.06-83 release, the grub.cfg configuration files regressed on
file's mode (M) verification

    [root@localhost ~]# rpm -Va
    S.5....T.  c /etc/ssh/sshd_config
    .M.......  c /boot/efi/EFI/redhat/grub.cfg
    .M.......  c /boot/grub2/grub.cfg

The following change fixes the issues above as seen in log

    [root@localhost ~]# rpm -Va
    S.5....T.  c /etc/ssh/sshd_config

[1] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-9-main&id=694ab652e3443719e3876e3d183e59b2f9e055fd
[2] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-9-main&id=0185426fb4d693307cda0c7740e9dcf9907cc146

Resolves: #RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
This commit is contained in:
Leo Sandoval 2024-07-30 16:06:07 -06:00
parent 032b849f1c
commit 73fed98a8a
2 changed files with 20 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
grub.macros
View File

@ -589,7 +589,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
ln -sf ../default/grub \\\ ln -sf ../default/grub \\\
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \ ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ touch grub.cfg \
install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
ln -s ../boot/%{name}/grub.cfg \\\ ln -s ../boot/%{name}/grub.cfg \\\
${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \ ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \
%{nil} %{nil}
@ -634,7 +635,7 @@ ln -s ../boot/%{name}/grub.cfg \\\
%attr(0700,root,root)/boot/%{name}/fonts \ %attr(0700,root,root)/boot/%{name}/fonts \
%dir %attr(0700,root,root)/boot/loader/entries \ %dir %attr(0700,root,root)/boot/loader/entries \
%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \ %ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
%ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg \ %ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
%config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \ %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
%{expand:%if 0%{?without_efi_modules} \ %{expand:%if 0%{?without_efi_modules} \

23
grub2.spec
View File

@ -335,19 +335,22 @@ if ! mountpoint -q ${ESP_PATH}; then
exit 0 # no ESP mounted, nothing to do exit 0 # no ESP mounted, nothing to do
fi fi
if test ! -f ${EFI_HOME}/grub.cfg; then if test ! -f ${GRUB_HOME}/grub.cfg; then
# there's no config in ESP, create one # there's no config in GRUB home, create one
grub2-mkconfig -o ${EFI_HOME}/grub.cfg grub2-mkconfig -o ${GRUB_HOME}/grub.cfg
cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
fi fi
# need to move grub.cfg to correct dir for major version upgrade # make sure grub.cfg is present before grepping it
if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then if test -f ${EFI_HOME}/grub.cfg; then
# need to move grub.cfg to correct dir for major version upgrade
if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/ cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
fi chmod 0600 ${GRUB_HOME}/grub.cfg
fi
if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
exit 0 # already unified, nothing to do exit 0 # already unified, nothing to do
fi
fi fi
# create a stub grub2 config in EFI # create a stub grub2 config in EFI
@ -537,6 +540,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Wed Jul 31 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-88
- grub.cfg: Fix rpm grub.cfg verification issues
- Resolves: #RHEL-45870
* Wed Jul 31 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-87 * Wed Jul 31 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-87
- grub2-mkconfig: Simplify os_name detection - grub2-mkconfig: Simplify os_name detection
- Resolves: #RHEL-32099 - Resolves: #RHEL-32099