Bug 696818

Summary: sys-libs/musl-1.1.23 /etc/ld-musl-x86_64.path ldconfig_tmp_t avc errors
Product: Gentoo Linux
Reporter: lupus <lupusbytes>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: RESOLVED FIXED
Severity: normal
CC: blueness, jpds, lu_zero, musl, sam, toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=663990
https://bugs.gentoo.org/show_bug.cgi?id=833018
https://bugs.gentoo.org/show_bug.cgi?id=768552
Whiteboard:
Package list:
Runtime testing required: ---

Description lupus 2019-10-06 02:42:27 UTC
I installed musl/hardened from the stage3 tarball. From there I switched to the musl/hardened/selinux profile and updated @world and followed various SELinux guides.
I am intending to run my system on a strict policy.
Right now it is still in a permissive state, as I'm trying to squash all the errors.
Upon booting my system, I get a huge amount of AVC errors. Most of them relate to /etc/ld-musl-x86_64.path, so I will post them here:
type=AVC msg=audit(1570326927.632:217): avc:  denied  { read } for  pid=20535 comm="init" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:shutdown_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326927.632:217): avc:  denied  { open } for  pid=20535 comm="init" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:shutdown_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.635:218): avc:  denied  { read } for  pid=20539 comm="telinit" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.635:218): avc:  denied  { open } for  pid=20539 comm="telinit" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.661:219): avc:  denied  { read } for  pid=20542 comm="local" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:initrc_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.661:219): avc:  denied  { open } for  pid=20542 comm="local" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:initrc_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.676:220): avc:  denied  { read } for  pid=20565 comm="cgroup-release-" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.676:220): avc:  denied  { open } for  pid=20565 comm="cgroup-release-" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.009:222): avc:  denied  { read } for  pid=20722 comm="umount" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.009:222): avc:  denied  { open } for  pid=20722 comm="umount" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.697:227): avc:  denied  { read } for  pid=21027 comm="swapoff" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:fsadm_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.697:227): avc:  denied  { open } for  pid=21027 comm="swapoff" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:fsadm_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.928:228): avc:  denied  { read } for  pid=21212 comm="udevadm" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:udev_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326929.928:228): avc:  denied  { open } for  pid=21212 comm="udevadm" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:udev_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326930.565:229): avc:  denied  { read } for  pid=21435 comm="auditctl" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326930.565:229): avc:  denied  { open } for  pid=21435 comm="auditctl" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.562:63): avc:  denied  { read } for  pid=4129 comm="audispd" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:audisp_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.562:64): avc:  denied  { open } for  pid=4129 comm="audispd" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:audisp_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.565:65): avc:  denied  { read } for  pid=4133 comm="auditctl" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326965.565:65): avc:  denied  { open } for  pid=4133 comm="auditctl" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:auditctl_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.130:69): avc:  denied  { read } for  pid=4302 comm="modprobe" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:kmod_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.130:69): avc:  denied  { open } for  pid=4302 comm="modprobe" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:kmod_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.143:71): avc:  denied  { read } for  pid=4309 comm="dhcpcd-run-hook" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326966.143:71): avc:  denied  { open } for  pid=4309 comm="dhcpcd-run-hook" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326975.188:75): avc:  denied  { read } for  pid=4423 comm="mount" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326975.188:75): avc:  denied  { open } for  pid=4423 comm="mount" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326987.277:79): avc:  denied  { read } for  pid=4475 comm="unix_chkpwd" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326987.277:79): avc:  denied  { open } for  pid=4475 comm="unix_chkpwd" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.374:87): avc:  denied  { read } for  pid=4480 comm="sudo" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.374:87): avc:  denied  { open } for  pid=4480 comm="sudo" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.389:89): avc:  denied  { read } for  pid=4481 comm="unix_chkpwd" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326991.389:89): avc:  denied  { open } for  pid=4481 comm="unix_chkpwd" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:chkpwd_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326992.129:94): avc:  denied  { read } for  pid=4484 comm="su" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_su_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326992.129:94): avc:  denied  { open } for  pid=4484 comm="su" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=sysadm_u:sysadm_r:sysadm_su_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570327275.102:100): avc:  denied  { read } for  pid=4490 comm="dhcpcd-run-hook" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570327275.102:100): avc:  denied  { open } for  pid=4490 comm="dhcpcd-run-hook" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:dhcpc_script_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1

I tried to switch to accepting ~amd64 on selinux-base and selinux-base-policy, but it had no effect.
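
Added example (not part of the original report and not Gentoo's tooling): a triage of AVC records like those above that groups denials by target inode, so that many unrelated domains failing on one object typed `*_tmp_t` outside a temp directory shows up as a labeling problem rather than a set of missing allow rules. The sample input is constructed from three of the report's records plus one hypothetical `/tmp` denial; `TMP_DIRS` and the `_tmp_t` heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the report above plus one
# hypothetical denial (last line) on a file that really lives in /tmp.
SAMPLE = """\
type=AVC msg=audit(1570326928.635:218): avc:  denied  { read } for  pid=20539 comm="telinit" name="ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326928.635:218): avc:  denied  { open } for  pid=20539 comm="telinit" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570326975.188:75): avc:  denied  { open } for  pid=4423 comm="mount" path="/etc/ld-musl-x86_64.path" dev="md0p1" ino=5505026 scontext=system_u:system_r:mount_t tcontext=sysadm_u:object_r:ldconfig_tmp_t tclass=file permissive=1
type=AVC msg=audit(1570327300.000:101): avc:  denied  { read } for  pid=5000 comm="example" path="/tmp/scratch" dev="md0p1" ino=42 scontext=system_u:system_r:init_t tcontext=sysadm_u:object_r:user_tmp_t tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: directories where a *_tmp_t label is expected.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/run/")

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def triage(log_text):
    """Group denials by (dev, ino): 'read' records carry only name=, 'open' carry path=."""
    objs = defaultdict(lambda: {"path": None, "ttype": None, "domains": set(), "perms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "tcontext" not in rec or "scontext" not in rec:
            continue
        obj = objs[(rec.get("dev"), rec.get("ino"))]
        obj["path"] = rec.get("path") or obj["path"]
        obj["ttype"] = rec["tcontext"].split(":")[2]   # user:role:type[:level]
        obj["domains"].add(rec["scontext"].split(":")[2])
        obj["perms"].update(rec["perms"])
    return dict(objs)

def likely_mislabeled(obj):
    """Heuristic (assumption): a *_tmp_t file at a known path outside temp dirs."""
    path = obj["path"] or ""
    return obj["ttype"].endswith("_tmp_t") and path.startswith("/") and not path.startswith(TMP_DIRS)

def flagged(log_text):
    return sorted(o["path"] for o in triage(log_text).values() if likely_mislabeled(o))

if __name__ == "__main__":
    for path in flagged(SAMPLE):
        print("check label of", path)
```
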
Comment 1 Larry the Git Cow gentoo-dev 2021-11-22 13:58:20 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5996958687948b4693324073f5114f19fd38b0e

commit e5996958687948b4693324073f5114f19fd38b0e
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-11-22 13:38:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 13:58:14 +0000

    sys-libs/musl: fix ldconfig on SELinux
    
    Replaced mv in ldconfig with cp/rm dance so that the correct
    SELinux label is applied to the resulting file and the system doesn't
    brick itself instantly.
    
    Bug: https://bugs.gentoo.org/663990
    Closes: https://bugs.gentoo.org/696818
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23037
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/musl/files/ldconfig.in-r2 | 157 ++++++++++++++++++++++++++++++++++
 sys-libs/musl/musl-1.2.2-r7.ebuild | 167 +++++++++++++++++++++++++++++++++++++
 2 files changed, 324 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-02-10 04:12:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4dc12af5875cb83833fc057ad78bc0910f0f16b1

commit 4dc12af5875cb83833fc057ad78bc0910f0f16b1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-10 04:11:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-10 04:11:38 +0000

    sys-libs/musl: stabilize 1.2.2-r7
    
    Contains some previous ldconfig fixes.
    
    Bug: https://bugs.gentoo.org/663990
    Bug: https://bugs.gentoo.org/696818
    Bug: https://bugs.gentoo.org/833018
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/musl/musl-1.2.2-r7.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)