import grub2-2.02-158.el8_10

57c5e00f · Rocky Automation · 2040d1b7 · 57c5e00f · 57c5e00f · 57c5e00f
Commit 57c5e00f authored 5 months ago by Rocky Automation
--- a/.grub2.checksum
+++ b/.grub2.checksum
-3db8b43cf3de02cfb5fd1367f2f19d27b266b35ba8066711586892d94c3eb46a
+Direct Git Import
--- a/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
+++ b/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval <lsandova@redhat.com>
+Date: Thu, 19 Sep 2024 10:15:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Signed-off-by: Leo Sandoval <lsandova@redhat.com>
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index a1c00776d..573004915 100644
+--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
+@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+-    oldumask=$(umask); umask 077
+    oldumask=$(umask); umask 177
+     cat ${grub_cfg}.new > ${grub_cfg}
+     umask $oldumask
+     rm -f ${grub_cfg}.new
--- a/SOURCES/20-grub.install
+++ b/SOURCES/20-grub.install
@@ -90,13 +90,10 @@ case "$COMMAND" in
            [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
            BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
            BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
-            if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
-                cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
-            else
-                mkbls "${KERNEL_VERSION}" \
-                    "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
-                    >"${BLS_TARGET}"
-            fi
+            mkbls "${KERNEL_VERSION}" \
+                "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
+                >"${BLS_TARGET}"
+            command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"

            LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
            INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"

--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -587,14 +587,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
+touch grub.cfg							\
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 %{nil}

 %define define_legacy_variant_files()				\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ifarch ppc64le						\
 %dir %{_libdir}/grub/%{2}/					\

--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -588,3 +588,4 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
+Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
\ No newline at end of file
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name:                 grub2
 Epoch:                1
 Version:              2.02
-Release:              156%{?dist}.rocky.0.1
+Release:              158%{?dist}.rocky.0.1
 Summary:              Bootloader with support for Linux, Multiboot and more
 Group:                System Environment/Base
 License:              GPLv3+
@@ -312,6 +312,19 @@ if [ "$1" = 2 ]; then
 	/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi

+%posttrans common
+set -eu
+
+GRUB_HOME=/boot/%{name}
+
+if test  -f ${GRUB_HOME}/grub.cfg; then
+    # make sure GRUB_HOME/grub.cfg has 600 permissions
+    GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
+    if ! test "${GRUB_CFG_MODE}" = "600"; then
+        chmod 0600 ${GRUB_HOME}/grub.cfg
+    fi
+fi
+
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
@@ -512,7 +525,7 @@ fi
 %endif

 %changelog
-* Wed May 22 2024 Release Engineering <releng@rockylinux.org> - 2.02-156.rocky.0.1
+* Tue Nov 05 2024 Release Engineering <releng@rockylinux.org> - 2.02-158.rocky.0.1
 - Removing redhat old cert sources entries (Sherif Nagy)
 - Preserving rhel8 sbat entry based on shim-review feedback ticket no. 194
 - Porting to 8.10
@@ -520,6 +533,14 @@ fi
 - Cleaning up grup.macro extra signing certs
 - Use rocky-sb-certs for secure boot signing

+* Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: #RHEL-58835
+
+* Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
+- 20-grub-install: fix SELinux security type context for BLS
+- Resolves: #RHEL-4395
+
 * Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
 - fs/ntfs: OOB write fix
 - (CVE-2023-4692)