Bug 637204 - SELinux prevents /bin/dmesg from running with musl libc
Summary: SELinux prevents /bin/dmesg from running with musl libc
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-12 07:38 UTC by Alexander Miroshnichenko
Modified: 2018-02-09 07:58 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alexander Miroshnichenko 2017-11-12 07:38:08 UTC
dmesg fails to run with musl libc because SELinux denies it read access to /etc/ld-musl-x86_64.path

# cat /etc/portage/make.profile/parent
gentoo:hardened/linux/musl/amd64
gentoo:features/selinux

# dmesg
Error loading shared library libncursesw.so.6: Permission denied (needed by /bin/dmesg)
Error relocating /bin/dmesg: setupterm: symbol not found
Error relocating /bin/dmesg: tigetnum: symbol not found

# grep denied /var/log/audit/audit.log|grep dmesg|grep -E 'musl|term'
type=AVC msg=audit(1510470370.270:115923): avc:  denied  { read } for  pid=30363 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510470377.226:115927): avc:  denied  { read } for  pid=30365 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.226:115927): avc:  denied  { open } for  pid=30365 comm="dmesg" path="/etc/ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115928): avc:  denied  { read } for  pid=30365 comm="dmesg" name="xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115929): avc:  denied  { open } for  pid=30365 comm="dmesg" path="/usr/share/terminfo/x/xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470582.952:115980): avc:  denied  { read } for  pid=30540 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510470901.011:116048): avc:  denied  { read } for  pid=30834 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470901.011:116048): avc:  denied  { open } for  pid=30834 comm="dmesg" path="/etc/ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470901.015:116049): avc:  denied  { read } for  pid=30834 comm="dmesg" name="xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470901.015:116050): avc:  denied  { open } for  pid=30834 comm="dmesg" path="/usr/share/terminfo/x/xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470992.213:116081): avc:  denied  { read } for  pid=31033 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0


# grep denied /var/log/audit/audit.log|grep dmesg|grep -E 'term|musl'|audit2allow


#============= dmesg_t ==============
allow dmesg_t etc_t:file { open read };
allow dmesg_t usr_t:file { open read };



IMHO, granting dmesg read access to etc_t is too permissive. Maybe /etc/ld-musl-x86_64.path needs a special context and rule(s)?
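The reporter's concern (that the audit2allow output above would open every etc_t file to dmesg_t) is the kind of thing worth checking mechanically before accepting a generated rule. The following is an added example, not code from the bug report, Gentoo, or refpolicy: it parses AVC records of the shape shown above, groups them by source type, target type and class the way audit2allow does, and flags rules whose target is a generic filesystem type, where relabelling the single file to a more specific type is the better fix. The sample records are a constructed subset copied from the report (plus one constructed non-AVC line), and the BROAD_FILE_TYPES set is an assumption chosen for illustration, not a list from any policy.

```python
import re

# Constructed sample: three AVC records copied from the bug report plus one
# SYSCALL record (constructed) that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1510470370.270:115923): avc:  denied  { read } for  pid=30363 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510470377.226:115927): avc:  denied  { open } for  pid=30365 comm="dmesg" path="/etc/ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115929): avc:  denied  { open } for  pid=30365 comm="dmesg" path="/usr/share/terminfo/x/xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1510470377.234:115929): arch=c000003e syscall=2 success=yes exit=3
"""

# "avc:  denied  { read open }" -> decision and the permission set
DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either "quoted" or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: generic types that label large parts of the
# filesystem. An allow rule on one of them grants access to far more than the
# one file that triggered the denial.
BROAD_FILE_TYPES = {"etc_t", "usr_t", "var_t", "tmp_t", "root_t", "default_t"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    if not line.startswith("type=AVC"):
        return None
    decision = DECISION_RE.search(line)
    if decision is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "decision": decision.group(1),
        "perms": sorted(decision.group(2).split()),
        "comm": fields.get("comm", ""),
        # the kernel logs either a full path or just the final name component
        "target": fields.get("path") or fields.get("name") or "",
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "targets": set(), "enforced": 0})
        g["perms"].update(rec["perms"])
        if rec["target"]:
            g["targets"].add(rec["target"])
        if not rec["permissive"]:
            g["enforced"] += 1  # denial actually blocked the access
    return groups


def candidate_rules(groups):
    """Build audit2allow-style rules and attach a verdict on each one's scope."""
    out = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }};"
        if tclass == "file" and ttype in BROAD_FILE_TYPES:
            verdict = (f"too broad: grants every {ttype} {tclass}; relabel "
                       f"{sorted(g['targets'])} to a specific type instead")
        else:
            verdict = "narrow enough"
        out.append((rule, verdict))
    return out


if __name__ == "__main__":
    for rule, verdict in candidate_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(f"{rule}\n    -> {verdict}")
```

Run against the real log with `grep '^type=AVC' /var/log/audit/audit.log | grep dmesg` piped into `summarize`. For this report both generated rules come back flagged, which matches the outcome of the thread: the fix was a file context for /etc/ld-musl-x86_64.path rather than a wider allow on etc_t.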
Comment 1 Alexander Miroshnichenko 2017-11-12 07:38:55 UTC
[I] sys-apps/util-linux
     Installed versions:  2.30.2(16:41:30 11/11/17)(caps cramfs ncurses pam readline selinux suid udev unicode -build -fdformat -kill -nls -python -slang -static-libs -systemd -test -tty-helpers ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_SINGLE_TARGET="python3_4 -python2_7 -python3_5 -python3_6" PYTHON_TARGETS="python2_7 python3_4 -python3_5 -python3_6")
     Homepage:            https://www.kernel.org/pub/linux/utils/util-linux/
     Description:         Various useful Linux utilities
Comment 2 Alexander Miroshnichenko 2017-11-12 07:48:49 UTC
# cat /etc/ld-musl-x86_64.path
/usr/lib/gcc/x86_64-gentoo-linux-musl/5.4.0
/lib
/usr/lib
/usr/local/lib

As I understand it, ld-musl-x86_64.path is used for the library search path.
I changed context of the file to lib_t and it works for now.

# ls -lZ /etc/ld-musl-x86_64.path
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0 73 Nov  3 22:20 /etc/ld-musl-x86_64.path

Maybe you can propose the correct way?
Comment 3 Mira Ressel 2017-11-13 21:16:15 UTC
(In reply to Alexander Miroshnichenko from comment #2)

> As I understand it, ld-musl-x86_64.path is used for the library search path.
> I changed context of the file to lib_t and it works for now.

You found the right file to relabel; ld_so_cache_t would be a more fitting domain, though.

I'll submit a fix to refpolicy; it should land in the gentoo policy soon. Thanks for the report!
Comment 4 Alexander Miroshnichenko 2018-02-09 07:58:12 UTC
I can see the fix in upstream and gentoo selinux policy.
Thank you.