Bug 663990 - ldconfig(musl) segfaults at Shebang because of selinux
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2018-08-18 18:14 UTC by Henry Kohli
Modified: 2022-02-10 04:14 UTC (History)
Description Henry Kohli 2018-08-18 18:14:55 UTC
Hi,
This command segfaults at line 1 (shebang):
[code]
/sbin/ldconfig -X -r '/'
[/code]
from audit.log:
[code]type=AVC msg=audit(1534606873.509:10043): avc:  denied  { map } for  pid=21519 comm="ldconfig" path="/bin/bash" dev="sda2" ino=1310732 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:shell_exec_t tclass=file permissive=0
type=SYSCALL msg=audit(1534606873.509:10043): arch=c000003e syscall=59 success=no exit=-13 a0=557b88fa3b20 a1=557b88fa1c80 a2=557b88fa0f00 a3=8 items=3 ppid=21518 pid=21519 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ldconfig" exe="/bin/bash" subj=root:sysadm_r:ldconfig_t key=(null)
type=CWD msg=audit(1534606873.509:10043): cwd="/"
type=PATH msg=audit(1534606873.509:10043): item=0 name="/sbin/ldconfig" inode=1310830 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ldconfig_exec_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1534606873.509:10043): item=1 name="/bin/bash" inode=1310732 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1534606873.509:10043): item=2 name="/lib/ld-musl-x86_64.so.1" inode=796114 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1534606873.509:10043): proctitle="(null)"
type=ANOM_ABEND msg=audit(1534606873.509:10044): auid=0 uid=0 gid=0 ses=1 subj=root:sysadm_r:ldconfig_t pid=21519 comm="ldconfig" exe="/bin/bash" sig=11 res=1
[/code]

Installed package versions are:
selinux-base-policy-2.20180701-r1
checkpolicy-2.8
policycoreutils-2.8
audit-2.8.2 (2.8.3 does not compile, undeclared identifier)
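Added example, not from the reporter or from any Gentoo tool: a minimal audit2allow-style helper in POSIX sh that turns an AVC record like the one above into the allow rule that would satisfy it (the step comment 3 later does by hand). The first sample is the AVC line from the report; the second is constructed to show a multi-permission denial on a pipe, the kind comment 5 adds for ldconfig_t.

```shell
#!/bin/sh
# Added example: parse "type=AVC ... avc:  denied  { perms } ... scontext=... tcontext=... tclass=..."
# records and print the matching allow rule. Not part of the bug or of Gentoo's tooling.

# AVC line copied from the report; AVC_FIFO is a constructed sample (pid/ino/serial are made up).
AVC_MAP='type=AVC msg=audit(1534606873.509:10043): avc:  denied  { map } for  pid=21519 comm="ldconfig" path="/bin/bash" dev="sda2" ino=1310732 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:shell_exec_t tclass=file permissive=0'
AVC_FIFO='type=AVC msg=audit(1534606873.510:10045): avc:  denied  { read write } for  pid=21519 comm="ldconfig" path="pipe:[12345]" scontext=root:sysadm_r:ldconfig_t tcontext=root:sysadm_r:ldconfig_t tclass=fifo_file permissive=0'

# field LINE KEY: value of " KEY=..." up to the next space (contexts and classes contain none).
# The leading space keeps "scontext" from matching a search for "context".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_to_allow LINE: prints "allow SRC_T TGT_T:CLASS { perms };", fails on anything that is
# not a parseable denial. The type is the third colon-separated field of a security context.
avc_to_allow() {
    line=$1
    case $line in *"avc:"*"denied"*"{"*) ;; *) return 1 ;; esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
            | tr -s ' ' | sed 's/^ //; s/ $//')
    src=$(field "$line" scontext | cut -d: -f3)
    tgt=$(field "$line" tcontext | cut -d: -f3)
    cls=$(field "$line" tclass)
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_log_to_rules FILE: run over a whole audit.log, AVC records only, duplicates collapsed.
avc_log_to_rules() {
    grep '^type=AVC ' "$1" | while IFS= read -r l; do avc_to_allow "$l"; done | sort -u
}

avc_to_allow "$AVC_MAP"
avc_to_allow "$AVC_FIFO"
```

The output is a raw allow rule; as comment 4 shows, the policy-friendly form uses the interface (corecmd_exec_shell) or permission set (rw_fifo_file_perms) that covers it.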
Comment 1 Henry Kohli 2018-08-18 18:20:50 UTC
Forgot to mention this command and error is always at the bottom of every build.log. E.g. when installing dbus.
executing
bash -e /sbin/ldconfig -X -r '/'
works. But
/sbin/ldconfig -X -r '/'
does not work.
Comment 2 Anthony Basile gentoo-dev 2018-08-19 00:12:34 UTC
(In reply to henry-h from comment #1)
> Forgot to mention this command and error is always at the bottom of every
> build.log. E.g. when installing dbus.
> executing
> bash -e /sbin/ldconfig -X -r '/'
> works. But
> /sbin/ldconfig -X -r '/'
> does not work.

This is an important bug.  Is it possible to get around this by writing the correct policy?
Comment 3 Henry Kohli 2018-08-19 09:04:35 UTC
I tried to write a policy with the help of the SELinux tutorial on the Gentoo wiki:

policy_module(localpolicy, 1.0)
gen_require(`
    type ldconfig_t;
    type shell_exec_t;
    type bin_t;
')
# ldconfig (a shell script here) needs to map the shell binary and run helpers in bin_t
allow ldconfig_t shell_exec_t:file { map execute read };
allow ldconfig_t ldconfig_t:file { read };
allow ldconfig_t bin_t:file { getattr read execute open execute_no_trans };

Seems to work, audit.log remains free of ldconfig related errors.
Comment 4 Jason Zaman gentoo-dev 2018-08-31 03:23:07 UTC
(In reply to henry-h from comment #3)
> I tried to write a policy with the help of the SELinux tutorial on the
> Gentoo wiki:
> 
> policy_module(localpolicy, 1.0)
> gen_require(`
>  type ldconfig_t;
>  type shell_exec_t;
>  type bin_t; ') 
> allow ldconfig_t shell_exec_t:file {map execute read}; 
> allow ldconfig_t ldconfig_t:file {read}; 
> allow ldconfig_t bin_t:file {getattr read execute open execute_no_trans};
> 
> Seems to work, audit.log remains free of ldconfig related errors.

Can you try this instead?

policy_module(localpolicy, 1.0)
gen_require(`
    type ldconfig_t;
')

corecmd_exec_shell(ldconfig_t)
corecmd_exec_bin(ldconfig_t)
allow ldconfig_t self:file read_file_perms;

I'm not sure the last one should be needed. Can you try without it first, and if it doesn't work then add that read_file_perms line and test.
If that works I'll add them to the policy.
Comment 5 Mira Ressel 2018-10-06 22:32:17 UTC
(In reply to Jason Zaman from comment #4)
> corecmd_exec_shell(ldconfig_t)
> corecmd_exec_bin(ldconfig_t)

Both are necessary, and on top of that, we'll need
allow ldconfig_t self:fifo_file rw_fifo_file_perms;

The ldconfig in question is a custom shell script (found in /usr/portage/sys-libs/musl/files/ldconfig.in), so this should go in a distro_gentoo block.

However, this won't be sufficient. The script currently creates a new file in /tmp, where a filetrans will label it ldconfig_tmp_t, and then atomically moves it to /etc/ld-musl-ARCH.path, which we want to be labeled ld_so_cache_t. If the temporary file would have been created in /etc to begin with, it'd all work.

@blueness: Could you change the "mktemp -p /tmp ..." call in your ldconfig script to "mktemp -p /etc", please? That'd be much simpler than any other solution of which I can think.

I don't see how this could cause any problems. The script can't fail after the mktemp call unless something goes horribly wrong, so there's not even a risk of leaving stale temporary files behind.
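Added example, not the musl ldconfig script, showing the two placement strategies this thread ends up with for the generated /etc/ld-musl-ARCH.path: create the temp file in the destination directory and rename it (this comment), or copy over the destination and remove the temp file (the cp/rm replacement for mv in the commit cited in comment 8). The demo uses a scratch directory standing in for /etc and constructed path contents.

```shell
#!/bin/sh
# Added example (not Gentoo's ldconfig). mv(1) keeps the inode, so a file born in /tmp carries
# the label the /tmp transition gave it (ldconfig_tmp_t) into /etc. A temp file created next to
# its final name is labelled by the destination directory's rules from the start; cp writes the
# destination in place, so an existing file keeps its label and a new one gets the /etc label.

# install_by_rename TARGET  (content on stdin): atomic, temp file is a sibling of TARGET
install_by_rename() {
    target=$1
    dir=$(dirname -- "$target")
    tmp=$(mktemp "$dir/.$(basename -- "$target").XXXXXX") || return 1
    if cat > "$tmp" && mv -f -- "$tmp" "$target"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# install_by_copy TARGET  (content on stdin): temp file under $TMPDIR, not atomic at the target
install_by_copy() {
    target=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/ldpath.XXXXXX") || return 1
    cat > "$tmp" && cp -f -- "$tmp" "$target"
    rc=$?
    rm -f -- "$tmp"
    return $rc
}

# label PATH: security context as reported by ls -Z ("?" or empty when SELinux is not active)
label() {
    ls -Zd -- "$1" 2>/dev/null | awk '{ print $1 }'
}

# demo: both installers against a scratch directory standing in for /etc; prints the final
# contents joined by '|' and fails if a temporary file was left behind.
demo() {
    etc=$(mktemp -d) || return 1
    printf '/lib\n/usr/lib\n' | install_by_rename "$etc/ld-musl-x86_64.path" || return 1
    printf '/usr/local/lib\n' | install_by_copy "$etc/ld-musl-x86_64.path" || return 1
    leftovers=$(find "$etc" -type f -name '.*' | wc -l | tr -d ' ')
    content=$(tr '\n' '|' < "$etc/ld-musl-x86_64.path")
    rm -rf -- "$etc"
    [ "$leftovers" -eq 0 ] || return 1
    printf '%s\n' "$content"
}

demo
```

On an SELinux host, `label /etc/ld-musl-x86_64.path` before and after each installer shows whether the file kept the /tmp-derived context or received the one the /etc rules assign.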
Comment 6 Anthony Basile gentoo-dev 2018-12-28 22:17:46 UTC
(In reply to Luis Ressel from comment #5)
> (In reply to Jason Zaman from comment #4)
> > corecmd_exec_shell(ldconfig_t)
> > corecmd_exec_bin(ldconfig_t)
> 
> Both are necessary, and on top of that, we'll need
> allow ldconfig_t self:fifo_file rw_fifo_file_perms;
> 
> The ldconfig in question is a custom shell script (found in
> /usr/portage/sys-libs/musl/files/ldconfig.in), so this should go in a
> distro_gentoo block.
> 
> However, this won't be sufficient. The script currently creates a new file
> in /tmp, where a filetrans will label it ldconfig_tmp_t, and then atomically
> moves it to /etc/ld-musl-ARCH.path, which we want to be labeled
> ld_so_cache_t. If the temporary file would have been created in /etc to
> begin with, it'd all work.
> 
> @blueness: Could you change the "mktemp -p /tmp ..." call in your ldconfig
> script to "mktemp -p /etc", please? That'd be much simpler than any
> other solution of which I can think.
> 
> I don't see how this could cause any problems. The script can't fail after
> the mktemp call unless something goes horribly wrong, so there's not even a
> risk of leaving stale temporary files behind.


Sorry for the delay but I'm returning to this problem after working on other stuff.

I'm willing to make the change to ldconfig, but can someone add the necessary policy file, preferably incorporating it into an ebuild, so I can test it all out before committing.
Comment 7 Mira Ressel 2019-01-01 22:15:41 UTC
(In reply to Anthony Basile from comment #6)
> I'm willing to make the change to ldconfig, but can someone add the
> necessary policy file, preferably incorporating it into an ebuild, so I can
> test it all out before committing.

perfinion already took care of that a while ago. The latest version (2.20180701-r2) of sec-policy/selinux-base-policy has the necessary changes.
Comment 8 Larry the Git Cow gentoo-dev 2021-11-22 13:58:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5996958687948b4693324073f5114f19fd38b0e

commit e5996958687948b4693324073f5114f19fd38b0e
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-11-22 13:38:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 13:58:14 +0000

    sys-libs/musl: fix ldconfig on SELinux
    
    Replaced mv in ldconfig with cp/rm dance so that the correct
    SELinux label is applied to the resulting file and the system doesn't
    brick itself instantly.
    
    Bug: https://bugs.gentoo.org/663990
    Closes: https://bugs.gentoo.org/696818
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23037
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/musl/files/ldconfig.in-r2 | 157 ++++++++++++++++++++++++++++++++++
 sys-libs/musl/musl-1.2.2-r7.ebuild | 167 +++++++++++++++++++++++++++++++++++++
 2 files changed, 324 insertions(+)
Comment 9 Sam James gentoo-dev 2021-11-22 14:08:53 UTC
I'm fairly sure this is actually the other bug (bug 696818) which we just fixed, but let's see.
Comment 10 Larry the Git Cow gentoo-dev 2022-02-10 04:12:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4dc12af5875cb83833fc057ad78bc0910f0f16b1

commit 4dc12af5875cb83833fc057ad78bc0910f0f16b1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-10 04:11:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-10 04:11:38 +0000

    sys-libs/musl: stabilize 1.2.2-r7
    
    Contains some previous ldconfig fixes.
    
    Bug: https://bugs.gentoo.org/663990
    Bug: https://bugs.gentoo.org/696818
    Bug: https://bugs.gentoo.org/833018
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/musl/musl-1.2.2-r7.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)