Actions
action #54119
closed[sle][security][sle15sp1] test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted"
Start date:
2019-07-11
Due date:
% Done:
0%
Estimated time:
Difficulty:
Description
This issue happened when make whole system evm signing using digital signature.
One step is:
# for D in /lib /lib64 /usr/lib /usr/lib64; do /usr/bin/find "$D" -fstype ext4 -\! -executable -type f -name '*.so*' -uid 0 -exec evmctl sign -psuse -k /root/certs/key.asc '{}' \; -exec chattr +i '{}' \; ; done
setxattr failed: /usr/lib64/libopeniscsiusr.so
errno: Operation not permitted (1)
setxattr failed: /usr/lib64/libopeniscsiusr.so.0.2.0
errno: Operation not permitted (1)
It is probably a bug, or an acceptable results. More investigation will be performed to decide if we should create a bug report.
UPDATE: It is turn out find problem, it execute the command followed by -exec twice. The reason is unclear and need further investigation. The current workaround is to add one step "-exec chattr -i '{}'" before "-exec evmctl sign ...".
UPDATE: Other filed affected by this issue:
setxattr failed: /lib/firmware/qca/rampatch_usb_00000200.bin
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/qca/nvm_usb_00000201.bin
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9888/hw2.0/notice_ath10k_firmware-5.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9377/hw1.0/notice_ath10k_firmware-6.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9887/hw1.0/notice_ath10k_firmware-5.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/ath10k/QCA9984/hw1.0/notice_ath10k_firmware-5.txt
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-18-16-1.ddc
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-2.ddc
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-16-1.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-2.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-0-1.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-17-1.sfi
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-18-0-1.ddc
errno: Operation not permitted (1)
setxattr failed: /lib/firmware/intel/ibt-18-16-1.sfi
...
UPDATE: After discussion with developer, we found it is turn out the hard link problem:
$ cd /lib/firmware
$ find -samefile /lib/firmware/intel/ibt-18-0-1.ddc
./intel/ibt-17-2.ddc
./intel/ibt-17-16-1.ddc
./intel/ibt-18-1.ddc
./intel/ibt-17-0-1.ddc
./intel/ibt-18-2.ddc
./intel/ibt-17-1.ddc
./intel/ibt-18-16-1.ddc
./intel/ibt-18-0-1.ddc
So I think the work around we are using is acceptable.
Updated by whdu almost 5 years ago
- Subject changed from test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted" to [sle][security][sle15sp1] test fails in evm_protection_digital_signatures - setxattr failed: /usr/lib64/libopeniscsiusr.so with errer "Operation not permitted"
Updated by whdu almost 5 years ago
- Description updated (diff)
- Status changed from New to In Progress
Updated by whdu almost 5 years ago
- Description updated (diff)
- Status changed from In Progress to Resolved
Actions