action #54119

[sle][security][sle15sp1] test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted"

Added by whdu 8 months ago. Updated 7 months ago.

Status:ResolvedStart date:11/07/2019
Priority:NormalDue date:
Assignee:whdu% Done:

0%

Category:Bugs in existing tests
Target version:-
Difficulty:
Duration:

Description

This issue happened when make whole system evm signing using digital signature.

One step is:

# for D in /lib /lib64 /usr/lib /usr/lib64; do /usr/bin/find "$D" -fstype ext4 -\! -executable -type f -name '*.so*' -uid 0 -exec evmctl sign -psuse -k /root/certs/key.asc '{}' \; -exec chattr +i '{}' \; ; done
setxattr failed: /usr/lib64/libopeniscsiusr.so
errno: Operation not permitted (1)
setxattr failed: /usr/lib64/libopeniscsiusr.so.0.2.0
errno: Operation not permitted (1)

It is probably a bug, or an acceptable results. More investigation will be performed to decide if we should create a bug report.

UPDATE: It is turn out find problem, it execute the command followed by -exec twice. The reason is unclear and need further investigation. The current workaround is to add one step "-exec chattr -i '{}'" before "-exec evmctl sign ...".

UPDATE: Other filed affected by this issue:

setxattr failed: /lib/firmware/qca/rampatch_usb_00000200.bin
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/qca/nvm_usb_00000201.bin
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9888/hw2.0/notice_ath10k_firmware-5.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9377/hw1.0/notice_ath10k_firmware-6.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9887/hw1.0/notice_ath10k_firmware-5.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9984/hw1.0/notice_ath10k_firmware-5.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-18-16-1.ddc
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-2.ddc
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-16-1.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-2.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-0-1.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-1.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-18-0-1.ddc
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-18-16-1.sfi
...

UPDATE: After discussion with developer, we found it is turn out the hard link problem:

$ cd /lib/firmware
$ find -samefile /lib/firmware/intel/ibt-18-0-1.ddc
./intel/ibt-17-2.ddc
./intel/ibt-17-16-1.ddc
./intel/ibt-18-1.ddc
./intel/ibt-17-0-1.ddc
./intel/ibt-18-2.ddc
./intel/ibt-17-1.ddc
./intel/ibt-18-16-1.ddc
./intel/ibt-18-0-1.ddc

So I think the work around we are using is acceptable.

History

#1 Updated by whdu 8 months ago

  • Subject changed from test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted" to [sle][security][sle15sp1] test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted"

#2 Updated by whdu 7 months ago

  • Description updated (diff)
  • Status changed from New to In Progress

#3 Updated by whdu 7 months ago

  • Description updated (diff)

#4 Updated by whdu 7 months ago

  • Description updated (diff)
  • Status changed from In Progress to Resolved

#5 Updated by whdu 7 months ago

  • Description updated (diff)

Also available in: Atom PDF