Note: this is a relatively major issue as failure to update the ld.so.conf file leads to almost all C++ programs crashing with undefined symbols, including SELinux tools.

With the default policy on AMD64 hardened selinux musl (profile=37), gcc-config receives several errors preventing it from successfully updating the ld config. These can be resolved with the following policy:

    allow gcc_config_t gcc_config_t:capability { fowner dac_read_search };
    allow gcc_config_t gcc_config_t:process { getsched };
    allow gcc_config_t urandom_device_t:chr_file read_chr_file_perms;
    allow gcc_config_t portage_t:file read_file_perms;
    allow gcc_config_t portage_tmp_t:dir rw_dir_perms;
    allow gcc_config_t portage_tmp_t:file manage_file_perms;
    allow ldconfig_t urandom_device_t:chr_file read_chr_file_perms;
    allow ldconfig_t ldconfig_t:capability { fowner };
    allow ldconfig_t ldconfig_t:process { setfscreate };
    allow ldconfig_t ld_so_cache_t:file { relabelfrom };

Reproducible: Always

Steps to Reproduce:
1. Emerge sys-devel/gcc-config
2. Observe that build fails, but ld config cannot be updated.
3. Attempt to launch a C++ application after a reboot - in a worst case scenario, it fails to load symbols and crashes.

Actual Results:
The ld.so.conf file is not updated, although it should be, and as a result the gcc directory is not included and libgcc_s and libstdc++ cannot be used by applications.

Expected Results:
The GCC directory should be added to ld.so.conf after gcc-config is emerged.

sec-policy/selinux-base-2.20210908-r1
sys-devel/gcc-config-2.5-r1
sys-libs/libselinux-3.3
sys-libs/musl-1.2.2-r6

Using gentoo-kernel 5.15.19 (gentoo dist, but not bin)
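Added example, not part of the report and not a Gentoo or SELinux tool: a small helper that groups AVC denials in audit.log format into allow rules of the form listed above (so the rules for gcc_config_t can be reviewed separately from the ldconfig_t ones), and a check for whether an ld.so.conf body lists the gcc library directory, which is the symptom described. The audit lines and the gcc directory path are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format; not taken from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1644465000.001:101): avc:  denied  { getsched } for  pid=1234 comm="gcc-config" scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:system_r:gcc_config_t:s0 tclass=process permissive=0
type=AVC msg=audit(1644465000.002:102): avc:  denied  { fowner } for  pid=1234 comm="gcc-config" capability=3 scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:system_r:gcc_config_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1644465000.003:103): avc:  denied  { dac_read_search } for  pid=1234 comm="gcc-config" capability=2 scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:system_r:gcc_config_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1644465000.004:104): avc:  denied  { read } for  pid=1235 comm="ldconfig" name="urandom" dev="devtmpfs" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        sdom = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        denials[(sdom, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)

def to_allow_rules(denials, only_domains=None):
    """Render grouped denials as 'allow' statements, one per (source, target, class).
    only_domains restricts output to the given source domains (e.g. just gcc_config_t)."""
    rules = []
    for (sdom, ttype, tclass), perms in sorted(denials.items()):
        if only_domains and sdom not in only_domains:
            continue
        rules.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def ld_conf_includes(conf_text, gcc_libdir):
    """Check whether an ld.so.conf body lists the gcc library directory (the symptom check)."""
    entries = [l.split("#", 1)[0].strip() for l in conf_text.splitlines()]
    return gcc_libdir.rstrip("/") in {e.rstrip("/") for e in entries if e}

if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_AUDIT_LOG), only_domains={"gcc_config_t"}):
        print(rule)
```

Rules produced this way are only a starting point for review: a denial on urandom_device_t or a capability should be checked against what the program actually needs before it is added to a policy module.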
Please include emerge --info, as changes were made here recently.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4dc12af5875cb83833fc057ad78bc0910f0f16b1

commit 4dc12af5875cb83833fc057ad78bc0910f0f16b1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-10 04:11:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-10 04:11:38 +0000

    sys-libs/musl: stabilize 1.2.2-r7

    Contains some previous ldconfig fixes.

    Bug: https://bugs.gentoo.org/663990
    Bug: https://bugs.gentoo.org/696818
    Bug: https://bugs.gentoo.org/833018
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/musl/musl-1.2.2-r7.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
The raw AVC denials may still be useful. Does newer musl (just stabled) help?
Ah:

[06:21] <jpds> sam_: Already fixed in ~arch: https://github.com/perfinion/hardened-refpolicy/pull/26
Newer musl seems to maybe help with the ldconfig issues? I commented out all the rules for ldconfig_t and left only gcc_config_t, which led to errors still being produced in audit.log but otherwise the ld.so.conf was generated correctly. I am now able to send emerge --info directly and the raw AVCs, so I'll send those shortly.
I installed the ~arch reference policy and can confirm that the error has disappeared. Messages remain in the audit log about getsched, fowner, and dac_read_search being denied to gcc_config_t, however these do not affect the generation of the ld.so.conf file.
I completed a musl install with SELinux strict yesterday, and did not see this issue. Tentatively marking as resolved, unless you find that this is incorrect.