dmesg fails to run with musl libc because SELinux denies reading /etc/ld-musl-x86_64.path

# cat /etc/portage/make.profile/parent
gentoo:hardened/linux/musl/amd64
gentoo:features/selinux

# dmesg
Error loading shared library libncursesw.so.6: Permission denied (needed by /bin/dmesg)
Error relocating /bin/dmesg: setupterm: symbol not found
Error relocating /bin/dmesg: tigetnum: symbol not found

# grep denied /var/log/audit/audit.log|grep dmesg|grep -E 'musl|term'
type=AVC msg=audit(1510470370.270:115923): avc: denied { read } for pid=30363 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510470377.226:115927): avc: denied { read } for pid=30365 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.226:115927): avc: denied { open } for pid=30365 comm="dmesg" path="/etc/ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115928): avc: denied { read } for pid=30365 comm="dmesg" name="xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115929): avc: denied { open } for pid=30365 comm="dmesg" path="/usr/share/terminfo/x/xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470582.952:115980): avc: denied { read } for pid=30540 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510470901.011:116048): avc: denied { read } for pid=30834 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470901.011:116048): avc: denied { open } for pid=30834 comm="dmesg" path="/etc/ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470901.015:116049): avc: denied { read } for pid=30834 comm="dmesg" name="xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470901.015:116050): avc: denied { open } for pid=30834 comm="dmesg" path="/usr/share/terminfo/x/xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470992.213:116081): avc: denied { read } for pid=31033 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=0

# grep denied /var/log/audit/audit.log|grep dmesg|grep -E 'term|musl'|audit2allow

#============= dmesg_t ==============
allow dmesg_t etc_t:file { open read };
allow dmesg_t usr_t:file { open read };

IMHO, granting dmesg read access to etc_t is too permissive. Maybe /etc/ld-musl-x86_64.path needs a special context and rule(s)?
[I] sys-apps/util-linux
     Installed versions:  2.30.2(16:41:30 11/11/17)(caps cramfs ncurses pam readline selinux suid udev unicode -build -fdformat -kill -nls -python -slang -static-libs -systemd -test -tty-helpers ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_SINGLE_TARGET="python3_4 -python2_7 -python3_5 -python3_6" PYTHON_TARGETS="python2_7 python3_4 -python3_5 -python3_6")
     Homepage:            https://www.kernel.org/pub/linux/utils/util-linux/
     Description:         Various useful Linux utilities
# cat /etc/ld-musl-x86_64.path
/usr/lib/gcc/x86_64-gentoo-linux-musl/5.4.0
/lib
/usr/lib
/usr/local/lib

As I understand it, ld-musl-x86_64.path is used to search the library path. I changed the context of the file to lib_t and it works for now.

# ls -lZ /etc/ld-musl-x86_64.path
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0 73 Nov  3 22:20 /etc/ld-musl-x86_64.path

Maybe you can propose the correct way?
(In reply to Alexander Miroshnichenko from comment #2)
> As I understand ld-musl-x86_64.path used to search library path.
> I changed context of the file to lib_t and it works for now.

You found the right file to relabel; ld_so_cache_t would be a more fitting domain, though. I'll submit a fix to refpolicy; it should land in the gentoo policy soon. Thanks for the report!
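An added illustration, not part of the bug report nor of the refpolicy fix: a small Python script that reproduces the audit2allow aggregation step from the report over a constructed subset of the AVC records above, then re-evaluates the same denials as if /etc/ld-musl-x86_64.path already carried the ld_so_cache_t label suggested in comment #3. The "relabel" is only modelled in memory (keyed on the file's basename, since the read denials carry name= rather than path=); it assumes the single-level s0 contexts shown in the report.

```python
import os
import re
from collections import defaultdict

# Constructed subset of the AVC records from the report: one read+open pair per file.
AVC_LINES = """\
type=AVC msg=audit(1510470377.226:115927): avc: denied { read } for pid=30365 comm="dmesg" name="ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.226:115927): avc: denied { open } for pid=30365 comm="dmesg" path="/etc/ld-musl-x86_64.path" dev="mmcblk0p2" ino=17480298 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=staff_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115928): avc: denied { read } for pid=30365 comm="dmesg" name="xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1510470377.234:115929): avc: denied { open } for pid=30365 comm="dmesg" path="/usr/share/terminfo/x/xterm-256color" dev="mmcblk0p2" ino=16798245 scontext=staff_u:sysadm_r:dmesg_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def parse_avc(line):
    """Extract the fields audit2allow keys on: source type, target type, class, perms."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "stype": kv["scontext"].split(":")[2],   # user:role:TYPE:level (single-level s0 assumed)
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        # read denials carry name=, open denials carry path=; normalise both to a basename
        "name": os.path.basename(kv.get("path") or kv.get("name", "")),
    }


def allow_rules(avc_text, relabel=None):
    """Aggregate denials into audit2allow-style allow rules.

    `relabel` maps a file basename to the type it would carry after a fix, so the
    same denials can be re-evaluated as if the file were already relabelled.
    """
    relabel = relabel or {}
    perms_by_key = defaultdict(set)  # (stype, ttype, tclass) -> perms
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ttype = relabel.get(rec["name"], rec["ttype"])
        perms_by_key[(rec["stype"], ttype, rec["tclass"])] |= rec["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms_by_key.items())


if __name__ == "__main__":
    print("as reported:", *allow_rules(AVC_LINES), sep="\n  ")
    fix = {"ld-musl-x86_64.path": "ld_so_cache_t"}  # the relabel proposed in comment #3
    print("after relabel:", *allow_rules(AVC_LINES, fix), sep="\n  ")
```

The first set reproduces the two rules the report got from audit2allow; the second shows that after the relabel the dmesg_t rule is confined to the loader's own path file type instead of every etc_t file.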
I can see the fix in upstream and gentoo selinux policy. Thank you.