action #54119
[sle][security][sle15sp1] test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted"
Start date:
2019-07-11
Due date:
% Done:
0%
Estimated time:
Difficulty:
Description
This issue happened when make whole system evm signing using digital signature.
One step is:
# for D in /lib /lib64 /usr/lib /usr/lib64; do /usr/bin/find "$D" -fstype ext4 -\! -executable -type f -name '*.so*' -uid 0 -exec evmctl sign -psuse -k /root/certs/key.asc '{}' \; -exec chattr +i '{}' \; ; done
setxattr failed: /usr/lib64/libopeniscsiusr.so
errno: Operation not permitted (1)
setxattr failed: /usr/lib64/libopeniscsiusr.so.0.2.0
errno: Operation not permitted (1)
It is probably a bug, or an acceptable results. More investigation will be performed to decide if we should create a bug report.
UPDATE: It is turn out find problem, it execute the command followed by -exec twice. The reason is unclear and need further investigation. The current workaround is to add one step "-exec chattr -i '{}'" before "-exec evmctl sign ...".
UPDATE: Other filed affected by this issue:
setxattr failed: /lib/firmware/qca/rampatch_usb_00000200.bin errno: Operation not permitted (1) setxattr failed: /lib/firmware/qca/nvm_usb_00000201.bin errno: Operation not permitted (1) setxattr failed: /lib/firmware/ath10k/QCA9888/hw2.0/notice_ath10k_firmware-5.txt errno: Operation not permitted (1) setxattr failed: /lib/firmware/ath10k/QCA9377/hw1.0/notice_ath10k_firmware-6.txt errno: Operation not permitted (1) setxattr failed: /lib/firmware/ath10k/QCA9887/hw1.0/notice_ath10k_firmware-5.txt errno: Operation not permitted (1) setxattr failed: /lib/firmware/ath10k/QCA9984/hw1.0/notice_ath10k_firmware-5.txt errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-18-16-1.ddc errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-17-2.ddc errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-17-16-1.sfi errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-17-2.sfi errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-17-0-1.sfi errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-17-1.sfi errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-18-0-1.ddc errno: Operation not permitted (1) setxattr failed: /lib/firmware/intel/ibt-18-16-1.sfi ...
UPDATE: After discussion with developer, we found it is turn out the hard link problem:
$ cd /lib/firmware $ find -samefile /lib/firmware/intel/ibt-18-0-1.ddc ./intel/ibt-17-2.ddc ./intel/ibt-17-16-1.ddc ./intel/ibt-18-1.ddc ./intel/ibt-17-0-1.ddc ./intel/ibt-18-2.ddc ./intel/ibt-17-1.ddc ./intel/ibt-18-16-1.ddc ./intel/ibt-18-0-1.ddc
So I think the work around we are using is acceptable.
History
#1
Updated by whdu over 3 years ago
Updated by - Subject changed from test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted" to [sle][security][sle15sp1] test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted"
#2
Updated by whdu over 3 years ago
- Description updated (diff)
- Status changed from New to In Progress
#3
Updated by whdu over 3 years ago
- Description updated (diff)
#4
Updated by whdu over 3 years ago
- Description updated (diff)
- Status changed from In Progress to Resolved
#5
Updated by whdu over 3 years ago
- Description updated (diff)