* [PATCH 1/4] Just look for cryptroot instead of /sbin/cryptroot
From: Victor Lowther @ 2010-06-02 12:07 UTC
To: initramfs-u79uwXL29TY76Z2rM5mHXA
We know what the path is and what it contains in the initrd, and
not everyone puts cryptroot in /sbin
---
modules.d/90crypt/cryptroot-ask.sh | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
index 13487c8..2f39667 100755
--- a/modules.d/90crypt/cryptroot-ask.sh
+++ b/modules.d/90crypt/cryptroot-ask.sh
@@ -68,7 +68,7 @@ if [ $ask -gt 0 ]; then
# flock against other interactive activities
{ flock -s 9;
echo -n "$device ($luksname) is password protected"
- /sbin/cryptsetup luksOpen -T1 $1 $luksname
+ cryptsetup luksOpen -T1 $1 $luksname
} 9>/.console.lock
fi
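Review bot: On the changed 'cryptsetup luksOpen -T1 $1 $luksname' line, dropping /sbin/ means the binary that prompts for the LUKS passphrase is now resolved through $PATH, so the script should set PATH explicitly near the top or fail early with 'command -v cryptsetup >/dev/null || exit 1' instead of relying on whatever the caller exported. The subject and message say cryptroot while the changed line invokes cryptsetup; the subject should name the right binary. $1 and $luksname are also unquoted on this line and would be safer written as "$1" "$luksname".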
--
1.7.1
* [PATCH 2/4] Have cryptroot-ask load dm_crypt if needed.
From: Victor Lowther @ 2010-06-02 12:07 UTC
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/90crypt/cryptroot-ask.sh | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
index 2f39667..430155a 100755
--- a/modules.d/90crypt/cryptroot-ask.sh
+++ b/modules.d/90crypt/cryptroot-ask.sh
@@ -9,6 +9,9 @@
# we already asked for this device
[ -f /tmp/cryptroot-asked-$2 ] && exit 0
+# load dm_crypt if it is not already loaded
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
. /lib/dracut-lib.sh
# default luksname - luks-UUID
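Review bot: The added 'modprobe dm_crypt' runs before '. /lib/dracut-lib.sh' and its exit status is ignored, so a failed load is only noticed later, when luksOpen fails with a less specific error. Consider moving the two added lines below the dracut-lib.sh include and reporting the failure there, for example 'modprobe dm_crypt || warn "cannot load dm_crypt"'. The /sys/module test is not needed either, since modprobe returns success for a module that is already loaded. The commit message has no body; one line saying in which setups dm_crypt is not yet loaded at this point would help.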
--
1.7.1
* [PATCH 4/4] Arch handles loading modules from udev in a somewhat customized manner.
From: Victor Lowther @ 2010-06-02 12:07 UTC
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/95udev-rules/install | 1 +
modules.d/95udev-rules/load-modules.sh | 6 ++++++
2 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/modules.d/95udev-rules/install b/modules.d/95udev-rules/install
index 23693fe..e89acb5 100755
--- a/modules.d/95udev-rules/install
+++ b/modules.d/95udev-rules/install
@@ -46,6 +46,7 @@ pcmcia-check-broken-cis \
[ -e /lib/udev/$i ] && dracut_install /lib/udev/$i
done
+[ -f /etc/arch-release ] && inst "$moddir/load-modules.sh" /lib/udev/load-modules.sh
if ldd $(find_binary udevd) |grep -q /lib64/; then
dracut_install /lib64/libnss_files*
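Review bot: The added '[ -f /etc/arch-release ] && inst ...' line tests the host that builds the image and hard-codes one distribution in a generic module, with no comment and no commit-message body saying why Arch needs the helper. Please add a comment above the line stating what invokes /lib/udev/load-modules.sh, and consider keying on the helper being present on the host, the same way the loop just above does with '[ -e /lib/udev/$i ] && dracut_install /lib/udev/$i', instead of on the release file.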
diff --git a/modules.d/95udev-rules/load-modules.sh b/modules.d/95udev-rules/load-modules.sh
new file mode 100755
index 0000000..b592964
--- /dev/null
+++ b/modules.d/95udev-rules/load-modules.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Implement blacklisting for udev-loaded modules
+
+modprobe -b "$@"
+
+# vim: set et ts=4:
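Review bot: The header comment in the new load-modules.sh says "Implement blacklisting" but not that the -b flag is what applies the blacklist to the names udev passes in, nor that the file is only installed on Arch; both belong in the comment. Since modprobe is the only command, 'exec modprobe -b "$@"' saves a process and makes the exit status handling explicit. If callers never pass modprobe options through this wrapper, 'exec modprobe -b -- "$@"' also stops an argument beginning with '-' from being parsed as an option.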
--
1.7.1
* [PATCH 3/4] Do not worry at all about selinux stuff if we cannot find load_policy
From: Victor Lowther @ 2010-06-02 12:07 UTC
To: initramfs-u79uwXL29TY76Z2rM5mHXA
Forcing users to pass selinux=0 when operating on a system that does not and
never has used selinux is really annoying.
---
modules.d/99base/selinux-loadpolicy.sh | 124 +++++++++++++++----------------
1 files changed, 60 insertions(+), 64 deletions(-)
diff --git a/modules.d/99base/selinux-loadpolicy.sh b/modules.d/99base/selinux-loadpolicy.sh
dissimilarity index 68%
index 7db9f8c..5792410 100755
--- a/modules.d/99base/selinux-loadpolicy.sh
+++ b/modules.d/99base/selinux-loadpolicy.sh
@@ -1,64 +1,60 @@
-#!/bin/sh
-# FIXME: load selinux policy. this should really be done after we switchroot
-
-rd_load_policy()
-{
- # If SELinux is disabled exit now
- getarg "selinux=0" > /dev/null && return 0
-
- SELINUX="enforcing"
- [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
-
- # Check whether SELinux is in permissive mode
- permissive=0
- getarg "enforcing=0" > /dev/null
- if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
- permissive=1
- fi
-
- # Attempt to load SELinux Policy
- if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
- ret=0
- info "Loading SELinux policy"
- {
- # load_policy does mount /proc and /selinux in
- # libselinux,selinux_init_load_policy()
- if [ -x "$NEWROOT/sbin/load_policy" ]; then
- chroot "$NEWROOT" /sbin/load_policy -i
- ret=$?
- else
- chroot "$NEWROOT" /usr/sbin/load_policy -i
- ret=$?
- fi
- } 2>&1 | vinfo
-
- if [ "$SELINUX" = "disabled" ]; then
- return 0;
- fi
-
- if [ $ret -eq 0 -o $ret -eq 2 ]; then
- # If machine requires a relabel, force to permissive mode
- [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce )
- mount --bind /dev "$NEWROOT/dev"
- chroot "$NEWROOT" /sbin/restorecon -R /dev
- return 0
- fi
-
- warn "Initial SELinux policy load failed."
- if [ $ret -eq 3 -o $permissive -eq 0 ]; then
- warn "Machine in enforcing mode."
- warn "Not continuing"
- sleep 100d
- exit 1
- fi
- return 0
- elif [ $permissive -eq 0 -a "$SELINUX" != "disabled" ]; then
- warn "Machine in enforcing mode and cannot execute load_policy."
- warn "To disable selinux, add selinux=0 to the kernel command line."
- warn "Not continuing"
- sleep 100d
- exit 1
- fi
-}
-
-rd_load_policy
+#!/bin/sh
+# FIXME: load selinux policy. this should really be done after we switchroot
+
+rd_load_policy()
+{
+ # If SELinux is disabled exit now
+ getarg "selinux=0" > /dev/null && return 0
+ # if we cannot find load_policy, just return.
+ [ -x "$NEWROOT/usr/sbin/load_policy" ] || \
+ [ -x "$NEWROOT/sbin/load_policy" ] || \
+ return 0
+
+ SELINUX="enforcing"
+ [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
+
+ # Check whether SELinux is in permissive mode
+ permissive=0
+ getarg "enforcing=0" > /dev/null
+ if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
+ permissive=1
+ fi
+
+ # Attempt to load SELinux Policy
+ ret=0
+ info "Loading SELinux policy"
+ {
+ # load_policy does mount /proc and /selinux in
+ # libselinux,selinux_init_load_policy()
+ if [ -x "$NEWROOT/sbin/load_policy" ]; then
+ chroot "$NEWROOT" /sbin/load_policy -i
+ ret=$?
+ else
+ chroot "$NEWROOT" /usr/sbin/load_policy -i
+ ret=$?
+ fi
+ } 2>&1 | vinfo
+
+ if [ "$SELINUX" = "disabled" ]; then
+ return 0;
+ fi
+
+ if [ $ret -eq 0 -o $ret -eq 2 ]; then
+ # If machine requires a relabel, force to permissive mode
+ [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce )
+ mount --bind /dev "$NEWROOT/dev"
+ chroot "$NEWROOT" /sbin/restorecon -R /dev
+ return 0
+ fi
+
+ warn "Initial SELinux policy load failed."
+ if [ $ret -eq 3 -o $permissive -eq 0 ]; then
+ warn "Machine in enforcing mode."
+ warn "Not continuing"
+ sleep 100d
+ exit 1
+ fi
+ return 0
+}
+
+rd_load_policy
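Review bot: The new early 'return 0' when neither load_policy path is executable runs before $NEWROOT/etc/selinux/config is read, and the removed elif branch ("Machine in enforcing mode and cannot execute load_policy.") was the only place that stopped the boot in that case. With this change a root configured with SELINUX=enforcing whose load_policy is missing or not executable boots silently with no policy loaded. To keep the convenience for systems that never used SELinux, return early only when $NEWROOT/etc/selinux/config is absent as well, or at least emit a warn before returning.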
--
1.7.1
* Re: [PATCH 1/4] Just look for cryptroot instead of /sbin/cryptroot
From: Harald Hoyer @ 2010-06-09 15:36 UTC
To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA
On 06/02/2010 02:07 PM, Victor Lowther wrote:
> We know what the path is and what it contains in the initrd, and
> not everyone puts cryptroot in /sbin
> ---
> modules.d/90crypt/cryptroot-ask.sh | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
> index 13487c8..2f39667 100755
> --- a/modules.d/90crypt/cryptroot-ask.sh
> +++ b/modules.d/90crypt/cryptroot-ask.sh
> @@ -68,7 +68,7 @@ if [ $ask -gt 0 ]; then
> # flock against other interactive activities
> { flock -s 9;
> echo -n "$device ($luksname) is password protected"
> - /sbin/cryptsetup luksOpen -T1 $1 $luksname
> + cryptsetup luksOpen -T1 $1 $luksname
> } 9>/.console.lock
> fi
>
pushed
* Re: [PATCH 2/4] Have cryptroot-ask load dm_crypt if needed.
From: Harald Hoyer @ 2010-06-09 15:36 UTC
To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA
On 06/02/2010 02:07 PM, Victor Lowther wrote:
> ---
> modules.d/90crypt/cryptroot-ask.sh | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
> index 2f39667..430155a 100755
> --- a/modules.d/90crypt/cryptroot-ask.sh
> +++ b/modules.d/90crypt/cryptroot-ask.sh
> @@ -9,6 +9,9 @@
> # we already asked for this device
> [ -f /tmp/cryptroot-asked-$2 ]&& exit 0
>
> +# load dm_crypt if it is not already loaded
> +[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
> +
> . /lib/dracut-lib.sh
>
> # default luksname - luks-UUID
pushed
* Re: [PATCH 4/4] Arch handles loading modules from udev in a somewhat customized manner.
From: Harald Hoyer @ 2010-06-09 15:37 UTC
To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA
On 06/02/2010 02:07 PM, Victor Lowther wrote:
> ---
> modules.d/95udev-rules/install | 1 +
> modules.d/95udev-rules/load-modules.sh | 6 ++++++
> 2 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/modules.d/95udev-rules/install b/modules.d/95udev-rules/install
> index 23693fe..e89acb5 100755
> --- a/modules.d/95udev-rules/install
> +++ b/modules.d/95udev-rules/install
> @@ -46,6 +46,7 @@ pcmcia-check-broken-cis \
> [ -e /lib/udev/$i ]&& dracut_install /lib/udev/$i
> done
>
> +[ -f /etc/arch-release ]&& inst "$moddir/load-modules.sh" /lib/udev/load-modules.sh
>
> if ldd $(find_binary udevd) |grep -q /lib64/; then
> dracut_install /lib64/libnss_files*
> diff --git a/modules.d/95udev-rules/load-modules.sh b/modules.d/95udev-rules/load-modules.sh
> new file mode 100755
> index 0000000..b592964
> --- /dev/null
> +++ b/modules.d/95udev-rules/load-modules.sh
> @@ -0,0 +1,6 @@
> +#!/bin/sh
> +# Implement blacklisting for udev-loaded modules
> +
> +modprobe -b "$@"
> +
> +# vim: set et ts=4:
pushed
* Re: [PATCH 3/4] Do not worry at all about selinux stuff if we cannot find load_policy
From: Harald Hoyer @ 2010-06-09 15:38 UTC
To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA
On 06/02/2010 02:07 PM, Victor Lowther wrote:
> Forcing users to pass selinux=0 when operating on a system that does not and
> never has used selinux is really annoying.
...
hmm, I moved selinux to a separate module and will think of another mechanism