8.32. dracut
Updated dracut packages that fix one security issue, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.
Security Fix
- CVE-2012-4453
- It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information.
This issue was discovered by Peter Jones of the Red Hat Installer Team.
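A defender-side check for the condition described in CVE-2012-4453, added here as an example (it is not code from the advisory or from the dracut project): it lists initramfs images under a directory such as /boot whose mode grants any access to users other than root, and can tighten them. It assumes the RHEL 6 naming pattern initramfs-*.img and a GNU or busybox stat; the file names and modes in the demo function are constructed, and the 0600 target mode is this example's choice, since the advisory only states that the updated dracut no longer creates world-readable images.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory): audit a directory such as
# /boot for dracut initramfs images that are readable by users other than root,
# the condition behind CVE-2012-4453, and optionally tighten them.
# The "initramfs-*.img" pattern matches what dracut writes on RHEL 6; the
# names used in the demo below are constructed.

# Print "<path> <octal mode>" for every initramfs image under DIR that grants
# any permission bit to "other". Returns 0 if nothing was found, 1 otherwise.
find_world_readable_initramfs() {
    dir="$1"
    found=0
    for img in "$dir"/initramfs-*.img; do
        [ -e "$img" ] || continue
        mode=$(stat -c '%a' "$img")      # GNU/busybox stat: octal mode, e.g. 644
        case "$mode" in
            *0) ;;                       # last octal digit 0: "other" has no access
            *)  printf '%s %s\n' "$img" "$mode"
                found=1 ;;
        esac
    done
    return "$found"
}

# Remove group and other access from every initramfs image under DIR.
# Mode 0600 is this example's choice, not a value taken from the advisory.
harden_initramfs() {
    dir="$1"
    for img in "$dir"/initramfs-*.img; do
        [ -e "$img" ] || continue
        chmod 0600 "$img"
    done
}

# Offline demo on constructed files; no real boot images are touched.
demo_initramfs_audit() {
    tmp=$(mktemp -d)
    : > "$tmp/initramfs-EXAMPLE-a.img"; chmod 0644 "$tmp/initramfs-EXAMPLE-a.img"
    : > "$tmp/initramfs-EXAMPLE-b.img"; chmod 0600 "$tmp/initramfs-EXAMPLE-b.img"
    before=$(find_world_readable_initramfs "$tmp" | wc -l)
    harden_initramfs "$tmp"
    after=$(find_world_readable_initramfs "$tmp" | wc -l)
    rm -rf "$tmp"
    echo "world-readable images before: $before, after: $after"
}

demo_initramfs_audit
```

On a real system, run `find_world_readable_initramfs /boot` after applying the update and after every kernel install; an image that still shows up was generated by an older dracut and should be regenerated or tightened, because its contents (crypttab passwords, iSCSI credentials) are exactly what the advisory describes.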
Bug Fixes
- BZ#610462
- Previously, the mkinitrd utility had no manual page accessible by users. This update adds the mkinitrd(8) manual page.
- BZ#720684
- Previously, the dracut utility did not call the "lvchange" command with the "--yes" option. Consequently, specification of the original logical volume name (rd_LVM_LV) was required when booting an LVM snapshot. With this update, dracut calls "lvchange" with the "--yes" option and booting LVM snapshots is now more intuitive.
- BZ#857048
- Prior to this update, the dracut utility copied symbolic links from the system to initramfs without following every redirection. As a consequence, initramfs could contain stale symbolic links, causing the system to boot incorrectly. This bug has been fixed; dracut now correctly copies symbolic link redirections, initramfs contains the same layout as the real system, and boot problems no longer occur in this scenario.
- BZ#886194
- The dracut utility did not take into account all parameters of the /etc/crypttab file when setting up crypto devices. Consequently, options and file names in /etc/crypttab had no effect in initramfs. With this update, dracut passes options and file names to the cryptsetup tool when setting up crypto devices, and options and files in /etc/crypttab are now applied correctly.
- BZ#910605
- Previously, the dracut utility needed a network configuration on the kernel command line to boot with Internet Small Computer System Interface (iSCSI). Consequently, in cases where no network configuration was needed, it was not possible to boot with iSCSI. Now, dracut starts the iSCSI service regardless of the network configuration parameters on the kernel command line, and the problem described no longer occurs.
- BZ#912299
- Previously, the dracut utility used the grep tool without unsetting the "GREP_OPTIONS" environment variable. As a consequence, if the user had set GREP_OPTIONS while calling yum or running dracut, grep was run with those arbitrary options and did not work correctly. With this update, dracut unsets GREP_OPTIONS, and user settings of this variable no longer affect the correct operation of dracut.
- BZ#916144
- Prior to this update, the multipath configuration file was always included in the initramfs, even if the root device was not a multipath device. Consequently, the administrator had to update initramfs before rebooting when changing the multipath configuration. The dracut utility has been fixed to include the multipath configuration only if the root device is a multipath device. Additionally, the administrator can split the configuration for the root device which is used in initramfs. Currently, dracut recognizes:
- /etc/multipath-root.conf
- /etc/multipath-root/*
- /etc/xdrdevices-root.conf
These files will be used in initramfs as follows:
- /etc/multipath.conf
- /etc/multipath/*
- /etc/xdrdevices.conf
The administrator can make sure that only the multipath configuration specific to the root device is included in initramfs if they do not want the whole configuration to be copied.
- BZ#947729
- Previously, when using the Red Hat Enterprise Virtualization Hypervisor packaging of the kernel on a live image, the path to the kernel which needed to be verified during the initial boot did not work correctly. Consequently, the checksum test of the kernel in Federal Information Processing Standard (FIPS) mode failed, and the system did not boot. With this update, the dracut-fips module also looks for the kernel image in different paths and checks those paths with the checksum file in initramfs. As a result, booting an installation in FIPS mode now checks the correct kernel image and if the checksum is correct, the system continues to boot in FIPS mode.
- BZ#960729
- The dracut utility did not include the xhci-hcd kernel module in the initramfs image. Consequently, the kernel did not recognize USB 3.0 devices in the early boot stage and the root file system could not be mounted from a USB 3.0 disk. With this update, dracut now includes the xhci-hcd driver in initramfs, and the system is able to boot from USB 3.0 disks.
- BZ#1011508
- Previously, if the "biosdevname=1" parameter had not been specified on the kernel command line, the dracut utility disabled biosdevname network interface renaming on all machines. Consequently, on Dell machines, interfaces used in initramfs did not have automatic biosdevname names, even though biosdevname interface renaming was active later in the boot process. With this update, dracut only disables biosdevname if the parameter is set to "0". For non-Dell machines, biosdevname now renames interfaces only if "biosdevname=1" is specified on the kernel command line, and Dell machines have biosdevname named interfaces in initramfs.
- BZ#1012316
- Previously, the time necessary to activate Fibre Channel over Ethernet (FCoE) on a 10GBaseT Twin Pond adapter was too long. As a consequence, the fipvlan utility called by dracut timed out while waiting for the link to come up, and the boot failed. With this update, fipvlan is called with a parameter to wait 30 seconds for the link to come up, and the problem no longer occurs.
- BZ#1018377
- Previously, when the dracut utility ran the ldd tool, ldd piped its output through the cat utility so that the output was displayed with the SELinux permissions of cat. Consequently, if cat forwarded the output further and the pipe reader exited early, cat received an "EPIPE" signal and reported it on the standard error output. With this update, dracut redirects the standard error of ldd calls to /dev/null, and the error message from cat is no longer shown in this scenario.
Enhancements
- BZ#851666
- The dracut utility now supports bonding of network interfaces in initramfs. Bonding parameters can be specified on the kernel command line in the following format:
bond=<bondname>[:<bondslaves>:[:<options>]]
This sets up the <bondname> bonding device on top of <bondslaves>. For more information, run the "modinfo bonding" command.
- BZ#1012626
- The National Institute of Standards and Technology (NIST) now requires the FIPS module to be defined as a cryptosystem. Therefore, this update adds the /etc/system-fips file marker when the dracut-fips rpm package is installed. It provides a stable file location for FIPS product determination to be used by libraries and applications.
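As an added example that is neither part of the advisory nor dracut's own command-line parsing code, a small POSIX shell parser for the bond= format introduced under BZ#851666 above. It splits the argument into bond name, slave list and bonding options on ":" and the slave list on "," as the documented format implies; the validation rules (a bond name and at least one slave are required, an argument without the bond= prefix is rejected) and the sample kernel command line are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the advisory or from dracut itself): parse the
# bond=<bondname>[:<bondslaves>:[:<options>]] kernel command-line argument
# into its three fields and validate what a bonding device needs.
# The ":" field separator and the comma-separated slave list follow the
# documented format; the validation rules are this example's own choices.

# parse_bond 'bond=...' prints "<name>|<slave list>|<options>" with slaves
# separated by spaces. Returns 1 (and prints nothing) when the argument is
# malformed: no bond= prefix, empty bond name, or no slave interface.
parse_bond() {
    case "$1" in
        bond=*) arg="${1#bond=}" ;;
        *)      return 1 ;;
    esac
    name="${arg%%:*}"                           # up to the first ":"
    rest=""
    case "$arg" in *:*) rest="${arg#*:}" ;; esac
    slaves="${rest%%:*}"                        # up to the next ":"
    opts=""
    case "$rest" in *:*) opts="${rest#*:}" ;; esac  # everything after it
    [ -n "$name" ] || return 1
    [ -n "$slaves" ] || return 1
    # slaves are comma separated on the command line; normalise to spaces
    slaves=$(printf '%s' "$slaves" | tr ',' ' ')
    printf '%s|%s|%s\n' "$name" "$slaves" "$opts"
}

# Walk a whole kernel command line (the content of /proc/cmdline) and parse
# every bond= argument it contains, one result line per argument.
bonds_from_cmdline() {
    for word in $1; do
        case "$word" in
            bond=*) parse_bond "$word" || printf 'invalid: %s\n' "$word" ;;
        esac
    done
}

# Constructed command line for demonstration; not taken from any real system.
EXAMPLE_CMDLINE='ro root=/dev/mapper/vg-root bond=bond0:eth0,eth1:mode=active-backup,miimon=100 ip=bond0:dhcp bond=:eth2'

bonds_from_cmdline "$EXAMPLE_CMDLINE"
```

Feeding `$(cat /proc/cmdline)` to `bonds_from_cmdline` shows how the running system's bond= arguments decompose; an "invalid:" line is the kind of argument that would leave the initramfs without the network device it needs for an iSCSI or NFS root.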
All dracut users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
Updated dracut packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.
Bug Fixes
- BZ#1029844
- In FIPS mode, the self-checking of binaries is only done if the /etc/system-fips file is present. Prior to this update, the dracut utility did not copy the /etc/system-fips file and some checksum files into the initial RAM file system (initramfs). As a consequence, the self-check of the tools needed to decrypt a partition was not done and the tools terminated unexpectedly. This bug has been fixed: dracut now copies all the needed files into the initramfs, and systems with encrypted disks can now boot successfully in FIPS mode.
- BZ#1029846
- When booting in FIPS mode on live ISO images, dracut searched for the checksum file of the kernel image in the wrong place. Consequently, the booting process failed. With this update, the path to the checksum file has been corrected, and live ISO images can now boot in FIPS mode as expected.
Users of dracut are advised to upgrade to these updated packages, which fix these bugs.