Package: dracut-install
Version: 106-5
Severity: normal

I used a system running SE Linux to upgrade a removable device in a chroot environment that is configured without SE Linux. This is one of many uses of containers etc on SE Linux that are not uncommon. When it built the initrd as part of configuring the kernel package I saw the following output:

cp: setting attribute 'security.selinux' for 'security.selinux': Permission denied
dracut-install: ERROR: 'cp --reflink=auto --sparse=auto --preserve=mode,xattr,timestamps,ownership -fL /lib/modules/6.12.20-amd64/kernel/drivers/infiniband/core/ib_uverbs.ko.xz /var/tmp/mkinitramfs_T4zuE4/lib/modules/6.12.20-amd64/kernel/drivers/infiniband/core/ib_uverbs.ko.xz' failed with 1
dracut-install: dracut_install '/lib/modules/6.12.20-amd64/kernel/drivers/infiniband/core/ib_uverbs.ko.xz' '/lib/modules/6.12.20-amd64/kernel/drivers/infiniband/core/ib_uverbs.ko.xz' ERROR
cp: setting attribute 'security.selinux' for 'security.selinux': Permission denied
dracut-install: ERROR: 'cp --reflink=auto --sparse=auto --preserve=mode,xattr,timestamps,ownership -fL /lib/modules/6.12.20-amd64/kernel/drivers/infiniband/hw/mlx4/mlx4_ib.ko.xz /var/tmp/mkinitramfs_T4zuE4/lib/modules/6.12.20-amd64/kernel/drivers/infiniband/hw/mlx4/mlx4_ib.ko.xz' failed with 1
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-6.12.20-amd64
Found initrd image: /boot/initrd.img-6.12.20-amd64
Found linux image: /boot/vmlinuz-6.1.0-32-amd64
Found initrd image: /boot/initrd.img-6.1.0-32-amd64
Found memtest86+ 64bit EFI image: /boot/memtest86+x64.efi
Found memtest86+ 32bit EFI image: /boot/memtest86+ia32.efi
Found memtest86+ 64bit image: /boot/memtest86+x64.bin
Found memtest86+ 32bit image: /boot/memtest86+ia32.bin
Adding boot menu entry for UEFI Firmware Settings ...
done
root@xev:/# echo $?
0

So that was regarded as successful and the errors were ignored.

Here's an example of similar operations:

root@xev:/# cp --reflink=auto --sparse=auto --preserve=mode,xattr,timestamps,ownership -fL /root/.bashrc /var/tmp
cp: setting attribute 'security.selinux' for 'security.selinux': Permission denied
root@xev:/# echo $?
1
root@xev:/# cp --reflink=auto --sparse=auto --preserve=mode,timestamps,ownership -fL /root/.bashrc /var/tmp
root@xev:/# echo $?
0

So the operation that causes the error was causing cp to return 1 - which is apparently not treated as a noteworthy error!

Is there any case where preserving xattrs in an initramfs image is useful? For the case of SE Linux the initramfs is discarded before SE Linux is activated.

Having cp errors ignored is a bad idea as this could potentially result in ignoring something that makes the system fail to boot.

I think that xattrs should not be preserved in cp operations for this and that cp errors should result in the process aborting.

-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.20-amd64 (SMP w/18 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages dracut-install depends on:
ii  libc6     2.41-6
ii  libkmod2  34.1-2

dracut-install recommends no packages.

dracut-install suggests no packages.

-- debconf-show failed
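
The behaviour requested in the report above (no xattr preservation, and a failed cp aborting the run), sketched in shell as an added example. It is not code from dracut-install or from the reporter; the function names stage_file and stage_all are hypothetical, and source paths are assumed to be absolute.

```shell
#!/bin/sh
# Added illustration, not dracut-install code.
# stage_file and stage_all are hypothetical helper names.

# Copy one file into the staging tree, keeping its absolute path under $1.
# The cp flags are the reporter's second command: "xattr" is left out of
# --preserve, so no security.selinux label is written into the staging tree.
stage_file() {
    dest_root=$1
    src=$2
    dest="$dest_root$src"
    mkdir -p "$(dirname "$dest")" || return 1
    cp --reflink=auto --sparse=auto --preserve=mode,timestamps,ownership \
        -fL "$src" "$dest"
}

# Stage every listed file. The first failed copy stops the run and is
# reported through the return code, so the caller (for example a kernel
# postinst hook) sees a non-zero status and no partial image is built.
stage_all() {
    dest_root=$1
    shift
    for f in "$@"; do
        if ! stage_file "$dest_root" "$f"; then
            echo "stage_all: failed to copy '$f', aborting" >&2
            return 1
        fi
    done
    return 0
}
```

A caller would run `stage_all "$staging_dir" file1 file2 ... || exit 1` before packing the image.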