* [PATCH 1/4] Just look for cryptroot instead of /sbin/cryptroot
@ 2010-06-02 12:07 Victor Lowther
       [not found] ` <4b22ffbe9ef3f55ac4fad54bd58f9cf9fc345b22.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  0 siblings, 1 reply; 8+ messages in thread
From: Victor Lowther @ 2010-06-02 12:07 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

We know what the path is and what it contains in the initrd, and
not everyone puts cryptroot in /sbin
---
 modules.d/90crypt/cryptroot-ask.sh |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
index 13487c8..2f39667 100755
--- a/modules.d/90crypt/cryptroot-ask.sh
+++ b/modules.d/90crypt/cryptroot-ask.sh
@@ -68,7 +68,7 @@ if [ $ask -gt 0 ]; then
     # flock against other interactive activities
     { flock -s 9; 
 	echo -n "$device ($luksname) is password protected"
-	/sbin/cryptsetup luksOpen -T1 $1 $luksname 
+	cryptsetup luksOpen -T1 $1 $luksname 
     } 9>/.console.lock
 fi
 
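Review bot: on the changed line, the bare cryptsetup is now resolved through PATH, and nothing in the visible part of cryptroot-ask.sh sets or checks PATH before the passphrase prompt. Since this is the command that receives the LUKS passphrase, either set PATH explicitly near the top of the script to the directories the initramfs installs binaries into, or resolve the binary once (for example with command -v cryptsetup) and exit with a clear message when it is missing. The same line leaves $1 and $luksname unquoted; quoting them while the line is being touched would avoid word splitting on unusual device names. The subject says cryptroot while the diff changes the cryptsetup call, which is worth correcting in the commit subject.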
-- 
1.7.1


* [PATCH 2/4] Have cryptroot-ask load dm_crypt if needed.
       [not found] ` <4b22ffbe9ef3f55ac4fad54bd58f9cf9fc345b22.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2010-06-02 12:07   ` Victor Lowther
       [not found]     ` <208dca51c09f6dc8031384a7e4e70481aded6c03.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2010-06-02 12:07   ` [PATCH 4/4] Arch handles loading modules from udev in a somewhat customized manner Victor Lowther
                     ` (2 subsequent siblings)
  3 siblings, 1 reply; 8+ messages in thread
From: Victor Lowther @ 2010-06-02 12:07 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

---
 modules.d/90crypt/cryptroot-ask.sh |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
index 2f39667..430155a 100755
--- a/modules.d/90crypt/cryptroot-ask.sh
+++ b/modules.d/90crypt/cryptroot-ask.sh
@@ -9,6 +9,9 @@
 # we already asked for this device
 [ -f /tmp/cryptroot-asked-$2 ] && exit 0
 
+# load dm_crypt if it is not already loaded
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
 . /lib/dracut-lib.sh
 
 # default luksname - luks-UUID
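Review bot: the exit status of modprobe dm_crypt on the added line is ignored, and because the line sits above the ". /lib/dracut-lib.sh" include, a failure cannot be reported through anything that library provides. If the module is missing from the image, the script carries on to the passphrase prompt and fails later with a less obvious error. Consider moving the check below the include, reporting the failure, and exiting non-zero when modprobe fails. The commit also has no message body; a sentence on which setups reach this script without dm_crypt loaded would help.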
-- 
1.7.1


* [PATCH 4/4] Arch handles loading modules from udev in a somewhat customized manner.
       [not found] ` <4b22ffbe9ef3f55ac4fad54bd58f9cf9fc345b22.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2010-06-02 12:07   ` [PATCH 2/4] Have cryptroot-ask load dm_crypt if needed Victor Lowther
@ 2010-06-02 12:07   ` Victor Lowther
       [not found]     ` <f56b47cd2bdff0abe36728917c893c89c3dff406.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2010-06-02 12:07   ` [PATCH 3/4] Do not worry at all about selinux stuff if we cannot find load_policy Victor Lowther
  2010-06-09 15:36   ` [PATCH 1/4] Just look for cryptroot instead of /sbin/cryptroot Harald Hoyer
  3 siblings, 1 reply; 8+ messages in thread
From: Victor Lowther @ 2010-06-02 12:07 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

---
 modules.d/95udev-rules/install         |    1 +
 modules.d/95udev-rules/load-modules.sh |    6 ++++++
 2 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/modules.d/95udev-rules/install b/modules.d/95udev-rules/install
index 23693fe..e89acb5 100755
--- a/modules.d/95udev-rules/install
+++ b/modules.d/95udev-rules/install
@@ -46,6 +46,7 @@ pcmcia-check-broken-cis \
     [ -e /lib/udev/$i ] && dracut_install /lib/udev/$i
 done
 
+[ -f /etc/arch-release ] && inst "$moddir/load-modules.sh" /lib/udev/load-modules.sh
 
 if ldd $(find_binary udevd) |grep -q /lib64/; then
     dracut_install /lib64/libnss_files*
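Review bot: the added line keys on /etc/arch-release of the system building the image, but neither the hunk nor the commit message (which has no body) says why Arch needs its own /lib/udev/load-modules.sh in the initramfs. A short comment above the line naming what calls that path would let the next reader judge whether the special case is still needed. On non-Arch hosts the "[ -f ... ] && inst ..." form also evaluates to a non-zero status; that is harmless only as long as the install script is not run under set -e, so an if block would be the safer form.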
diff --git a/modules.d/95udev-rules/load-modules.sh b/modules.d/95udev-rules/load-modules.sh
new file mode 100755
index 0000000..b592964
--- /dev/null
+++ b/modules.d/95udev-rules/load-modules.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Implement blacklisting for udev-loaded modules
+
+modprobe -b "$@"
+
+# vim: set et ts=4:
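Review bot: modprobe -b "$@" passes whatever udev hands the script straight into modprobe's argument list, so an argument beginning with - would be parsed as an option rather than as a module name or alias. Writing it as modprobe -b -- "$@" ends option parsing before the caller-supplied arguments. The header comment could also say that the blacklisting comes from the -b flag, since that is the entire reason the wrapper exists.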
-- 
1.7.1


* [PATCH 3/4] Do not worry at all about selinux stuff if we cannot find load_policy
       [not found] ` <4b22ffbe9ef3f55ac4fad54bd58f9cf9fc345b22.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2010-06-02 12:07   ` [PATCH 2/4] Have cryptroot-ask load dm_crypt if needed Victor Lowther
  2010-06-02 12:07   ` [PATCH 4/4] Arch handles loading modules from udev in a somewhat customized manner Victor Lowther
@ 2010-06-02 12:07   ` Victor Lowther
       [not found]     ` <d0ba9e0f511ab3e4b0cca6d3d0551ae7a881385f.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2010-06-09 15:36   ` [PATCH 1/4] Just look for cryptroot instead of /sbin/cryptroot Harald Hoyer
  3 siblings, 1 reply; 8+ messages in thread
From: Victor Lowther @ 2010-06-02 12:07 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

Forcing users to pass selinux=0 when operating on a system that does not and
never has used selinux is really annoying.
---
 modules.d/99base/selinux-loadpolicy.sh |  124 +++++++++++++++----------------
 1 files changed, 60 insertions(+), 64 deletions(-)

diff --git a/modules.d/99base/selinux-loadpolicy.sh b/modules.d/99base/selinux-loadpolicy.sh
dissimilarity index 68%
index 7db9f8c..5792410 100755
--- a/modules.d/99base/selinux-loadpolicy.sh
+++ b/modules.d/99base/selinux-loadpolicy.sh
@@ -1,64 +1,60 @@
-#!/bin/sh
-# FIXME: load selinux policy.  this should really be done after we switchroot 
-
-rd_load_policy()
-{
-    # If SELinux is disabled exit now 
-    getarg "selinux=0" > /dev/null && return 0
-
-    SELINUX="enforcing"
-    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
-
-    # Check whether SELinux is in permissive mode
-    permissive=0
-    getarg "enforcing=0" > /dev/null 
-    if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
-	permissive=1
-    fi
-
-    # Attempt to load SELinux Policy
-    if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
-	ret=0
-	info "Loading SELinux policy"
-	{
-            # load_policy does mount /proc and /selinux in 
-            # libselinux,selinux_init_load_policy()
-            if [ -x "$NEWROOT/sbin/load_policy" ]; then
-		chroot "$NEWROOT" /sbin/load_policy -i
-		ret=$?
-            else
-		chroot "$NEWROOT" /usr/sbin/load_policy -i
-		ret=$?
-            fi
-	} 2>&1 | vinfo
-
-	if [ "$SELINUX" = "disabled" ]; then
-	    return 0;
-	fi
-
-	if [ $ret -eq 0 -o $ret -eq 2 ]; then
-	    # If machine requires a relabel, force to permissive mode
-	    [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce )
-            mount --bind /dev "$NEWROOT/dev"
-            chroot "$NEWROOT" /sbin/restorecon -R /dev
-	    return 0
-	fi
-
-	warn "Initial SELinux policy load failed."
-	if [ $ret -eq 3 -o $permissive -eq 0 ]; then
-	    warn "Machine in enforcing mode."
-	    warn "Not continuing"
-	    sleep 100d
-	    exit 1
-	fi
-	return 0
-    elif [ $permissive -eq 0 -a "$SELINUX" != "disabled" ]; then
-	warn "Machine in enforcing mode and cannot execute load_policy."
-	warn "To disable selinux, add selinux=0 to the kernel command line."
-	warn "Not continuing"
-	sleep 100d
-	exit 1
-    fi
-}
-
-rd_load_policy
+#!/bin/sh
+# FIXME: load selinux policy.  this should really be done after we switchroot
+
+rd_load_policy()
+{
+    # If SELinux is disabled exit now
+    getarg "selinux=0" > /dev/null && return 0
+    # if we cannot find load_policy, just return.
+    [ -x "$NEWROOT/usr/sbin/load_policy" ] || \
+	[ -x "$NEWROOT/sbin/load_policy" ] || \
+	return 0
+
+    SELINUX="enforcing"
+    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
+
+    # Check whether SELinux is in permissive mode
+    permissive=0
+    getarg "enforcing=0" > /dev/null
+    if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
+	permissive=1
+    fi
+
+    # Attempt to load SELinux Policy
+    ret=0
+    info "Loading SELinux policy"
+    {
+	    # load_policy does mount /proc and /selinux in
+	    # libselinux,selinux_init_load_policy()
+	if [ -x "$NEWROOT/sbin/load_policy" ]; then
+	    chroot "$NEWROOT" /sbin/load_policy -i
+	    ret=$?
+	else
+	    chroot "$NEWROOT" /usr/sbin/load_policy -i
+	    ret=$?
+	fi
+    } 2>&1 | vinfo
+
+    if [ "$SELINUX" = "disabled" ]; then
+	return 0;
+    fi
+
+    if [ $ret -eq 0 -o $ret -eq 2 ]; then
+	    # If machine requires a relabel, force to permissive mode
+	[ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce )
+	mount --bind /dev "$NEWROOT/dev"
+	chroot "$NEWROOT" /sbin/restorecon -R /dev
+	return 0
+    fi
+
+    warn "Initial SELinux policy load failed."
+    if [ $ret -eq 3 -o $permissive -eq 0 ]; then
+	warn "Machine in enforcing mode."
+	warn "Not continuing"
+	sleep 100d
+	exit 1
+    fi
+    return 0
+}
+
+rd_load_policy
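Review bot: the new early return near the top of rd_load_policy (the "[ -x ... ] || [ -x ... ] || return 0" lines) runs before $NEWROOT/etc/selinux/config is read, so a root filesystem configured as enforcing whose load_policy is missing or not executable now boots silently with no policy loaded. The removed elif branch stopped the boot in exactly that case with "Machine in enforcing mode and cannot execute load_policy.", so this turns a fail-closed path into a fail-open one. To keep the convenience for systems that never used SELinux, return early only when neither load_policy nor $NEWROOT/etc/selinux/config exists, and keep the warning and halt when the config asks for enforcing. Most of the remaining +/- lines are re-indentation; splitting that into its own patch would make the behavioural change easier to review.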
-- 
1.7.1


* Re: [PATCH 1/4] Just look for cryptroot instead of /sbin/cryptroot
       [not found] ` <4b22ffbe9ef3f55ac4fad54bd58f9cf9fc345b22.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
                     ` (2 preceding siblings ...)
  2010-06-02 12:07   ` [PATCH 3/4] Do not worry at all about selinux stuff if we cannot find load_policy Victor Lowther
@ 2010-06-09 15:36   ` Harald Hoyer
  3 siblings, 0 replies; 8+ messages in thread
From: Harald Hoyer @ 2010-06-09 15:36 UTC (permalink / raw)
  To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA

On 06/02/2010 02:07 PM, Victor Lowther wrote:
> We know what the path is and what it contains in the initrd, and
> not everyone puts cryptroot in /sbin
> ---
>   modules.d/90crypt/cryptroot-ask.sh |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
> index 13487c8..2f39667 100755
> --- a/modules.d/90crypt/cryptroot-ask.sh
> +++ b/modules.d/90crypt/cryptroot-ask.sh
> @@ -68,7 +68,7 @@ if [ $ask -gt 0 ]; then
>       # flock against other interactive activities
>       { flock -s 9;
>   	echo -n "$device ($luksname) is password protected"
> -	/sbin/cryptsetup luksOpen -T1 $1 $luksname
> +	cryptsetup luksOpen -T1 $1 $luksname
>       } 9>/.console.lock
>   fi
>

pushed


* Re: [PATCH 2/4] Have cryptroot-ask load dm_crypt if needed.
       [not found]     ` <208dca51c09f6dc8031384a7e4e70481aded6c03.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2010-06-09 15:36       ` Harald Hoyer
  0 siblings, 0 replies; 8+ messages in thread
From: Harald Hoyer @ 2010-06-09 15:36 UTC (permalink / raw)
  To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA

On 06/02/2010 02:07 PM, Victor Lowther wrote:
> ---
>   modules.d/90crypt/cryptroot-ask.sh |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
> index 2f39667..430155a 100755
> --- a/modules.d/90crypt/cryptroot-ask.sh
> +++ b/modules.d/90crypt/cryptroot-ask.sh
> @@ -9,6 +9,9 @@
>   # we already asked for this device
>   [ -f /tmp/cryptroot-asked-$2 ]&&  exit 0
>
> +# load dm_crypt if it is not already loaded
> +[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
> +
>   . /lib/dracut-lib.sh
>
>   # default luksname - luks-UUID

pushed


* Re: [PATCH 4/4] Arch handles loading modules from udev in a somewhat customized manner.
       [not found]     ` <f56b47cd2bdff0abe36728917c893c89c3dff406.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2010-06-09 15:37       ` Harald Hoyer
  0 siblings, 0 replies; 8+ messages in thread
From: Harald Hoyer @ 2010-06-09 15:37 UTC (permalink / raw)
  To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA

On 06/02/2010 02:07 PM, Victor Lowther wrote:
> ---
>   modules.d/95udev-rules/install         |    1 +
>   modules.d/95udev-rules/load-modules.sh |    6 ++++++
>   2 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/modules.d/95udev-rules/install b/modules.d/95udev-rules/install
> index 23693fe..e89acb5 100755
> --- a/modules.d/95udev-rules/install
> +++ b/modules.d/95udev-rules/install
> @@ -46,6 +46,7 @@ pcmcia-check-broken-cis \
>       [ -e /lib/udev/$i ]&&  dracut_install /lib/udev/$i
>   done
>
> +[ -f /etc/arch-release ]&&  inst "$moddir/load-modules.sh" /lib/udev/load-modules.sh
>
>   if ldd $(find_binary udevd) |grep -q /lib64/; then
>       dracut_install /lib64/libnss_files*
> diff --git a/modules.d/95udev-rules/load-modules.sh b/modules.d/95udev-rules/load-modules.sh
> new file mode 100755
> index 0000000..b592964
> --- /dev/null
> +++ b/modules.d/95udev-rules/load-modules.sh
> @@ -0,0 +1,6 @@
> +#!/bin/sh
> +# Implement blacklisting for udev-loaded modules
> +
> +modprobe -b "$@"
> +
> +# vim: set et ts=4:

pushed


* Re: [PATCH 3/4] Do not worry at all about selinux stuff if we cannot find load_policy
       [not found]     ` <d0ba9e0f511ab3e4b0cca6d3d0551ae7a881385f.1275480426.git.victor.lowther-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2010-06-09 15:38       ` Harald Hoyer
  0 siblings, 0 replies; 8+ messages in thread
From: Harald Hoyer @ 2010-06-09 15:38 UTC (permalink / raw)
  To: Victor Lowther; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA

On 06/02/2010 02:07 PM, Victor Lowther wrote:
> Forcing users to pass selinux=0 when operating on a system that does not and
> never has used selinux is really annoying.
...

hmm, I moved selinux to a separate module and will think of another mechanism

