dracut.sh: FIPS workaround for openssl-libs on Fedora/RHEL

On Fedora/RHEL, libcryto will verify both itself and libssl on start, if
libssl is missing, FIPS self test will fail. However libssl is not a
dependency of libcryto so dracut will not install it, unless some other
binary or library pulls it in. Systemd requires libssl, so in most cases
it just worked, but could fail in some corner cases where systemd is not
used.

Signed-off-by: Kairui Song <kasong@redhat.com>

diff --git a/dracut.sh b/dracut.sh
index 9ee722c940fc2161b4ba617607d865d7757bf30a..e3195499da58d461858dedbd0cc9de479378ea0f 100755 (executable)
--- a/dracut.sh
+++ b/dracut.sh
@@ -1941,6 +1941,17 @@ if [[ $kernel_only != yes ]]; then
             break 2
         done
     done
+
+    # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled
+    if [[ $DRACUT_FIPS_MODE ]]; then
+      for _dir in $libdirs; do
+          for _f in "$dracutsysrootdir$_dir/libcrypto.so"*; do
+              [[ -e "$_f" ]] || continue
+              inst_libdir_file -o "libssl.so*"
+              break 2
+          done
+      done
+    fi
 fi
 
 if [[ $do_strip = yes ]] && ! [[ $DRACUT_FIPS_MODE ]]; then