I installed musl/hardened from the stage3 tarball. From there I switched to the musl/hardened/selinux profile and updated @world and followed various SELinux guides. I am intending to run my system on a strict policy. Right now it is still in a permissive state, as I'm trying to squash all the errors.

Upon booting my system, I get a huge amount of AVC errors. Most of them relate to /etc/ld-musl-x86_64.path, so I will post them here:

type=AVC msg=audit(1570326927.632:217): avc: denied { read } for pid=20535 comm="init" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:shutdown_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326927.632:217): avc: denied { open } for pid=20535 comm="init" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:shutdown_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.635:218): avc: denied { read } for pid=20539 comm="telinit" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.635:218): avc: denied { open } for pid=20539 comm="telinit" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.661:219): avc: denied { read } for pid=20542 comm="local" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:initrc_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.661:219): avc: denied { open } for pid=20542 comm="local" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:initrc_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.676:220): avc: denied { read } for pid=20565 comm="cgroup-release-" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.676:220): avc: denied { open } for pid=20565 comm="cgroup-release-" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.009:222): avc: denied { read } for pid=20722 comm="umount" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.009:222): avc: denied { open } for pid=20722 comm="umount" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.697:227): avc: denied { read } for pid=21027 comm="swapoff" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:fsadm_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.697:227): avc: denied { open } for pid=21027 comm="swapoff" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:fsadm_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.928:228): avc: denied { read } for pid=21212 comm="udevadm" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:udev_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.928:228): avc: denied { open } for pid=21212 comm="udevadm" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:udev_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326930.565:229): avc: denied { read } for pid=21435 comm="auditctl" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326930.565:229): avc: denied { open } for pid=21435 comm="auditctl" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.562:63): avc: denied { read } for pid=4129 comm="audispd" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:audisp_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.562:64): avc: denied { open } for pid=4129 comm="audispd" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:audisp_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.565:65): avc: denied { read } for pid=4133 comm="auditctl" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.565:65): avc: denied { open } for pid=4133 comm="auditctl" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.130:69): avc: denied { read } for pid=4302 comm="modprobe" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:kmod_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.130:69): avc: denied { open } for pid=4302 comm="modprobe" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:kmod_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.143:71): avc: denied { read } for pid=4309 comm="dhcpcd-run-hook" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.143:71): avc: denied { open } for pid=4309 comm="dhcpcd-run-hook" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326975.188:75): avc: denied { read } for pid=4423 comm="mount" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326975.188:75): avc: denied { open } for pid=4423 comm="mount" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326987.277:79): avc: denied { read } for pid=4475 comm="unix_chkpwd" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326987.277:79): avc: denied { open } for pid=4475 comm="unix_chkpwd" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.374:87): avc: denied { read } for pid=4480 comm="sudo" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.374:87): avc: denied { open } for pid=4480 comm="sudo" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.389:89): avc: denied { read } for pid=4481 comm="unix_chkpwd" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.389:89): avc: denied { open } for pid=4481 comm="unix_chkpwd" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326992.129:94): avc: denied { read } for pid=4484 comm="su" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_su_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326992.129:94): avc: denied { open } for pid=4484 comm="su" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_su_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570327275.102:100): avc: denied { read } for pid=4490 comm="dhcpcd-run-hook" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570327275.102:100): avc: denied { open } for pid=4490 comm="dhcpcd-run-hook" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1

I tried to switch accept ~amd64 on selinux-base and selinux-base-policy, but it had no effect.
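The denials above all share one target (dev md0p1, inode 5505026, type ldconfig_tmp_t) and differ only in the source domain, which is the signature of a mislabeled file rather than of missing policy. The script below is an added example, not part of the bug report or of any Gentoo tooling: it parses AVC records of the shape posted above, groups them by the object they hit, and flags a target that many unrelated domains trip over, or that carries a *_tmp_t type outside a tmp directory, as a relabel job rather than an audit2allow job. The sample records are a constructed subset copied in shape from the report; the heuristic thresholds are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four records in the shape of those in the report above
# (not a live audit log).
SAMPLE_AVC = """\
type=AVC msg=audit(1570326927.632:217): avc: denied { read } for pid=20535 comm="init" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:shutdown_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326927.632:217): avc: denied { open } for pid=20535 comm="init" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:shutdown_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.635:218): avc: denied { read } for pid=20539 comm="telinit" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.009:222): avc: denied { read } for pid=20722 comm="umount" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": frozenset(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def se_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def triage(records):
    """Group file denials by the object hit (dev, inode, target type).

    One object reached from many unrelated source domains usually means the
    object is mislabeled; the fix is to relabel it, not to allow each domain.
    Thresholds below are this example's assumptions, not policy.
    """
    groups = defaultdict(lambda: {"paths": set(), "domains": set(), "perms": set()})
    for r in records:
        if r.get("tclass") != "file":
            continue
        g = groups[(r.get("dev"), r.get("ino"), se_type(r["tcontext"]))]
        g["domains"].add(se_type(r["scontext"]))
        g["perms"] |= r["perms"]
        # 'open' records carry the full path; 'read' records only the basename.
        g["paths"].add(r.get("path") or r.get("name") or "?")

    findings = []
    for (dev, ino, ttype), g in groups.items():
        path = next((p for p in g["paths"] if p.startswith("/")), next(iter(g["paths"])))
        hint = "few domains: probably missing policy, check audit2allow output"
        if len(g["domains"]) >= 3:
            hint = "many domains hit one file: probably a mislabel, try restorecon"
        if ttype.endswith("_tmp_t") and not path.startswith(("/tmp/", "/var/tmp/")):
            hint = "tmp-type label on a file outside a tmp directory: mislabel, run restorecon"
        findings.append({"dev": dev, "ino": ino, "type": ttype, "path": path,
                         "domains": sorted(g["domains"]), "perms": sorted(g["perms"]),
                         "hint": hint})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_AVC)):
        print(f"{f['path']} ({f['type']}, ino {f['ino']}): "
              f"{len(f['domains'])} domains, perms {f['perms']}")
        print(f"  -> {f['hint']}")
```

On a real system, `ausearch -m AVC --raw` produces input in this format; `ls -Z /etc/ld-musl-x86_64.path` shows the current label and `restorecon -v /etc/ld-musl-x86_64.path` resets it from the file_contexts database. The reason every domain shows up is that musl's dynamic loader reads /etc/ld-musl-x86_64.path at program start to find its library search path, so every dynamically linked program in every domain opens it.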
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5996958687948b4693324073f5114f19fd38b0e

commit e5996958687948b4693324073f5114f19fd38b0e
Author: Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-11-22 13:38:31 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 13:58:14 +0000

sys-libs/musl: fix ldconfig on SELinux

Replaced mv in ldconfig with cp/rm dance so that the correct SELinux label is applied to the resulting file and the system doesn't brick itself instantly.

Bug: https://bugs.gentoo.org/663990
Closes: https://bugs.gentoo.org/696818
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Closes: https://github.com/gentoo/gentoo/pull/23037
Signed-off-by: Sam James <sam@gentoo.org>

sys-libs/musl/files/ldconfig.in-r2 | 157 ++++++++++++++++++++++++++++++++++
sys-libs/musl/musl-1.2.2-r7.ebuild | 167 +++++++++++++++++++++++++++++++++++++
2 files changed, 324 insertions(+)
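The commit message says mv was replaced by cp/rm so the right label lands on the file. The mechanism is that SELinux stores a file's label in the security.selinux xattr of its inode: rename() keeps the temp file's inode (and so its ldconfig_tmp_t label) under the new name, while cp writes into the destination's own inode, or creates a fresh one in /etc that gets that directory's default create label. The script below is an added example, not the ldconfig.in-r2 script from the commit: it reproduces the two install strategies in a scratch directory and compares inode numbers instead of labels, so it runs without SELinux and needs only a POSIX shell, ls and awk. File names and the directory argument are placeholders.

```shell
#!/bin/sh
# Added example (not the musl ebuild's ldconfig): why mv keeps a temp file's
# SELinux label and cp/rm does not. The label lives on the inode, so we only
# need to see whether the destination ends up being the temp file's inode.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Old behaviour: write a temp file, then mv it over the destination.
# rename() keeps the temp inode, so the destination inherits whatever label
# the temp file got when it was created (ldconfig_tmp_t on the bug's system).
install_with_mv() {
    dir=$1
    printf '/usr/local/lib\n/usr/lib\n' > "$dir/ld-musl.tmp"
    tmp_ino=$(inode_of "$dir/ld-musl.tmp")
    mv -f "$dir/ld-musl.tmp" "$dir/ld-musl-x86_64.path"
    dst_ino=$(inode_of "$dir/ld-musl-x86_64.path")
    # "same": the destination is literally the temp inode.
    [ "$tmp_ino" = "$dst_ino" ] && echo same || echo different
}

# Fixed behaviour: cp the temp file over the destination, then rm the temp.
# cp truncates and rewrites an existing destination in place (inode and label
# unchanged) or creates a new inode in the target directory (label from that
# directory's default), so the temp file's label never reaches /etc.
install_with_cp_rm() {
    dir=$1
    printf '/usr/local/lib\n/usr/lib\n' > "$dir/ld-musl.tmp"
    tmp_ino=$(inode_of "$dir/ld-musl.tmp")
    cp "$dir/ld-musl.tmp" "$dir/ld-musl-x86_64.path"
    rm -f "$dir/ld-musl.tmp"
    dst_ino=$(inode_of "$dir/ld-musl-x86_64.path")
    # "different": the destination keeps its own inode.
    [ "$tmp_ino" = "$dst_ino" ] && echo same || echo different
}

# Stand-alone run in a scratch directory.
if [ -z "$LDCONFIG_DEMO_NO_MAIN" ]; then
    d=$(mktemp -d)
    echo "mv:    destination is the temp inode? $(install_with_mv "$d")"
    echo "cp/rm: destination is the temp inode? $(install_with_cp_rm "$d")"
    rm -rf "$d"
fi
```

On a system that already hit the bug, the file keeps the wrong label until something rewrites it: `ls -Z /etc/ld-musl-x86_64.path` shows ldconfig_tmp_t, and `restorecon -v /etc/ld-musl-x86_64.path` puts the file_contexts label back, which is the one-off repair to pair with the fixed ldconfig.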
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4dc12af5875cb83833fc057ad78bc0910f0f16b1

commit 4dc12af5875cb83833fc057ad78bc0910f0f16b1
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-02-10 04:11:15 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-02-10 04:11:38 +0000

sys-libs/musl: stabilize 1.2.2-r7

Contains some previous ldconfig fixes.

Bug: https://bugs.gentoo.org/663990
Bug: https://bugs.gentoo.org/696818
Bug: https://bugs.gentoo.org/833018
Signed-off-by: Sam James <sam@gentoo.org>

sys-libs/musl/musl-1.2.2-r7.ebuild | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)