From: Kairui Song <kasong@redhat.com>
Date: Wed, 10 Jun 2020 07:57:20 +0000 (+0800)
Subject: dracut.sh: FIPS workaround for openssl-libs on Fedora/RHEL
X-Git-Tag: 051~149
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a4c3469338410b6aea9452994b4b0af1ba59be7;p=thirdparty%2Fdracut.git

dracut.sh: FIPS workaround for openssl-libs on Fedora/RHEL

On Fedora/RHEL, libcryto will verify both itself and libssl on start, if
libssl is missing, FIPS self test will fail. However libssl is not a
dependency of libcryto so dracut will not install it, unless some other
binary or library pulls it in. Systemd requires libssl, so in most cases
it just worked, but could fail in some corner cases where systemd is not
used.

Signed-off-by: Kairui Song <kasong@redhat.com>
---

diff --git a/dracut.sh b/dracut.sh
index 9ee722c94..e3195499d 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1941,6 +1941,17 @@ if [[ $kernel_only != yes ]]; then
             break 2
         done
     done
+
+    # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled
+    if [[ $DRACUT_FIPS_MODE ]]; then
+      for _dir in $libdirs; do
+          for _f in "$dracutsysrootdir$_dir/libcrypto.so"*; do
+              [[ -e "$_f" ]] || continue
+              inst_libdir_file -o "libssl.so*"
+              break 2
+          done
+      done
+    fi
 fi
 
 if [[ $do_strip = yes ]] && ! [[ $DRACUT_FIPS_MODE ]]; then