Bug 738546 - sec-policy/selinux-base-policy: sys-apps/portage triggers selinux when conftest from building package hits /dev/zero (was: dev-libs/apr-1.7.0-r1 fails to build with selinux targeted enforcing)
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Whiteboard: 2.20210908-r1
Keywords: PATCH
Duplicates: 796182
Blocks: 796182
Reported: 2020-08-22 09:25 UTC by Graham E
Modified: 2022-01-09 09:09 UTC
Attachments
selinux policy to enable apr to build (conftest-local.te, 557 bytes, text/plain)
2020-08-22 09:31 UTC, Graham E
Description Graham E 2020-08-22 09:25:34 UTC
With selinux in enforcing mode (targeted) the apr package fails to build with the following error.

locks/unix/proc_mutex.c: In function ‘proc_mutex_choose_method’:
locks/unix/proc_mutex.c:1494:28: error: ‘mutex_proc_pthread_methods’ undeclared (first use in this function); did you mean ‘mutex_posixsem_methods’?
 1494 |         new_mutex->meth = &mutex_proc_pthread_methods;

There are audit denials relating to the conftest process accessing /dev/zero.

Reproducible: Always

Steps to Reproduce:
1. update portage tree
2. ensure selinux is in enforcing mode
3. run emerge -uavDN @world
Actual Results:  
locks/unix/proc_mutex.c: In function ‘proc_mutex_choose_method’:
locks/unix/proc_mutex.c:1494:28: error: ‘mutex_proc_pthread_methods’ undeclared (first use in this function); did you mean ‘mutex_posixsem_methods’?
 1494 |         new_mutex->meth = &mutex_proc_pthread_methods;


Expected Results:  
Build is successful and merged

Disabling selinux allows the build to complete as expected.
Comment 1 Graham E 2020-08-22 09:27:36 UTC
Portage 2.3.103 (python 3.7.8-final-0, default/linux/amd64/17.1/hardened/selinux, gcc-9.3.0, glibc-2.31-r6, 5.4.28-gentoo x86_64)
=================================================================
System uname: Linux-5.4.28-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_E3-1245_V2_@_3.40GHz-with-gentoo-2.6
KiB Mem:     2031400 total,    633428 free
KiB Swap:    4194300 total,   4161276 free
Timestamp of repository gentoo: Thu, 20 Aug 2020 17:05:43 +0000
Head commit of repository gentoo: 2b125300eee1de2afa6b621902b27f0d074cf542

sh bash 5.0_p17
ld GNU ld (Gentoo 2.33.1 p2) 2.33.1
app-shells/bash:          5.0_p17::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          2.7.18-r1::gentoo, 3.7.8-r2::gentoo, 3.8.5::gentoo
dev-util/cmake:           3.16.5::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.33.1-r1::gentoo
sys-devel/gcc:            9.3.0-r1::gentoo
sys-devel/gcc-config:     2.3.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 5.4-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.31-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo.git
    priority: -1000

localrepo
    location: /usr/local/Overlay
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -mtune=generic"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/apache2/modules.d/80_modsecurity-crs.conf /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.3/ext-active/ /etc/php/apache2-php7.4/ext-active/ /etc/php/cgi-php7.3/ext-active/ /etc/php/cgi-php7.4/ext-active/ /etc/php/cli-php7.3/ext-active/ /etc/php/cli-php7.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -mtune=generic"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://www.mirrorservice.org/sites/www.ibiblio.org/gentoo/ http://gentoo.virginmedia.com/ "
LANG="en_GB.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_GB"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_BINHOST="https://binhost.hhcl.org/xen4-selinux/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 bzip2 crypt hardened iconv ipv6 kerberos libglvnd libtirpc mmx multilib ncurses nls nptl open_perms openmp pam pcre peer_perms pie readline seccomp selinux split-usr sse sse2 ssl ssp static-libs threads unconfined unicode vhosts vim-syntax xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2 php7-3" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python2_7 python3_7" RUBY_TARGETS="ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 2 Graham E 2020-08-22 09:29:35 UTC
The following selinux policy allows dev-libs/apr-1.7.0-r1 to build:

module conftest-local 1.0;

require {
	type zero_device_t;
	type unreserved_port_t;
	type node_t;
	type portage_sandbox_t;
	class chr_file map;
	class tcp_socket { name_connect node_bind };
}

#============= portage_sandbox_t ==============

#!!!! This avc can be allowed using the boolean 'portage_enable_test'
allow portage_sandbox_t node_t:tcp_socket node_bind;

#!!!! This avc can be allowed using the boolean 'portage_enable_test'
allow portage_sandbox_t unreserved_port_t:tcp_socket name_connect;
allow portage_sandbox_t zero_device_t:chr_file map;
Comment 3 Graham E 2020-08-22 09:31:33 UTC
Created attachment 656062 [details]
selinux policy to enable apr to build
Comment 4 Michael Hofmann 2020-08-22 15:07:50 UTC
Another case: https://forums.gentoo.org/viewtopic-t-1117922.html
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-23 01:17:04 UTC
Portage's SELinux rules are defined in sec-policy/selinux-base-policy, assigning to SELinux project.
Comment 6 yesi 2021-08-10 11:52:27 UTC
(In reply to Graham E from comment #2)
> The following selinux policy allows dev-libs/apr-1.7.0-r1 to build:
> 
> module conftest-local 1.0;
> 
> require {
> 	type zero_device_t;
> 	type unreserved_port_t;
> 	type node_t;
> 	type portage_sandbox_t;
> 	class chr_file map;
> 	class tcp_socket { name_connect node_bind };
> }
> 
> #============= portage_sandbox_t ==============
> 
> #!!!! This avc can be allowed using the boolean 'portage_enable_test'
> allow portage_sandbox_t node_t:tcp_socket node_bind;
> 
> #!!!! This avc can be allowed using the boolean 'portage_enable_test'
> allow portage_sandbox_t unreserved_port_t:tcp_socket name_connect;
> allow portage_sandbox_t zero_device_t:chr_file map;

Here is mine: https://bugs.gentoo.org/796182

It does work for me.
Comment 7 yesi 2021-08-10 11:53:35 UTC
I disabled the policies after compiling.
Comment 8 Graham E 2021-08-11 09:28:25 UTC
(In reply to yesi from comment #7)
> I disabled the policies after compiling.

Hi,

I'm glad this still works.

I left the policy in place, but from memory it was only the last allow statement (allow portage_sandbox_t zero_device_t:chr_file map;) which was required to allow the configure script to work detecting /dev/zero, and then the compile worked as expected.
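The audit2allow output in comment 2 and the finding in comment 8 that only the final map rule was actually required suggest the triage below. This is an added example, not code from the bug or from the Gentoo policy: it runs over constructed AVC records shaped like the denials the report describes, separates the denials that the stock policy already covers through the portage_enable_test boolean from the one that needs a local rule, and renders a module holding only that rule.

```python
import re

# Constructed sample audit records modelled on the denials this bug describes;
# they are not copied from the reporter's audit log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1598088000.101:301): avc:  denied  { map } for  pid=4242 comm="conftest" path="/dev/zero" dev="devtmpfs" ino=6 scontext=system_u:system_r:portage_sandbox_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1598088000.102:302): avc:  denied  { node_bind } for  pid=4243 comm="conftest" saddr=127.0.0.1 src=40000 scontext=system_u:system_r:portage_sandbox_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1598088000.103:303): avc:  denied  { name_connect } for  pid=4243 comm="conftest" dest=40000 scontext=system_u:system_r:portage_sandbox_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1598088000.103:303): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) "
                    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)")

# Denials the stock policy already covers through a boolean: the fix for these is
# setsebool, not a custom allow rule (the audit2allow notes in comment 2 say so).
BOOLEAN_COVERED = {
    ("portage_sandbox_t", "node_t", "tcp_socket", "node_bind"): "portage_enable_test",
    ("portage_sandbox_t", "unreserved_port_t", "tcp_socket", "name_connect"): "portage_enable_test",
}

def parse_avc(log_text):
    """Return one (source domain, target type, class, permission) per denied permission."""
    found = []
    for m in filter(None, map(AVC_RE.search, log_text.splitlines())):  # SYSCALL records do not match
        # A context is user:role:type:level; the type is what a policy rule names.
        sdomain, ttype = m.group("scontext").split(":")[2], m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            found.append((sdomain, ttype, m.group("tclass"), perm))
    return found

def triage(log_text):
    """Split denials into boolean-fixable ones and ones that need a local module."""
    booleans, rules = {}, []
    for key in parse_avc(log_text):
        if key in BOOLEAN_COVERED:
            booleans[key] = BOOLEAN_COVERED[key]
        elif key not in rules:
            rules.append(key)
    return booleans, rules

def minimal_module(rules, name="conftest-local"):
    """Render a .te module that grants only the rules no boolean covers."""
    types = sorted({s for s, _, _, _ in rules} | {t for _, t, _, _ in rules})
    classes = {}
    for _, _, cls, perm in rules:
        classes.setdefault(cls, set()).add(perm)
    out = [f"module {name} 1.0;", "", "require {"] + [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {p};" for s, t, c, p in rules]
    return "\n".join(out) + "\n"
```

On a real system the input would be read from /var/log/audit/audit.log, and the rendered module is built and loaded with checkmodule, semodule_package and semodule as for any local policy module.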
Comment 9 yesi 2021-08-12 14:49:38 UTC
> allow portage_sandbox_t zero_device_t:chr_file map;

I confirm. :-)
Comment 10 yesi 2021-08-12 14:54:03 UTC
*** Bug 796182 has been marked as a duplicate of this bug. ***
Comment 11 Larry the Git Cow gentoo-dev 2021-11-21 23:20:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=192f62919b5866ad4de5558b7a69f03f81ed4ad3

commit 192f62919b5866ad4de5558b7a69f03f81ed4ad3
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-11-21 23:12:40 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2021-11-21 23:14:49 +0000

    portage: Allow sandbox to map /dev/zero
    
    Bug: https://bugs.gentoo.org/738546
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)
Comment 12 Jason Zaman gentoo-dev 2021-11-22 01:20:15 UTC
map /dev/zero is added in the 2.20210908-r1 policies :)