Bug 833018 - sys-devel/gcc-config-2.5-r1: Unable to set ld.so.conf correctly after GCC rebuild /update
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
Importance: Normal major
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-10 03:16 UTC by Andrew Athalye
Modified: 2022-02-10 22:40 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Andrew Athalye 2022-02-10 03:16:17 UTC
Note: this is a relatively major issue as failure to update the ld.so.conf file leads to almost all C++ programs crashing with undefined symbols, including SELinux tools.

With the default policy on AMD64 hardened selinux musl (profile=37), gcc-config receives several errors preventing it from successfully updating the ld config.

These can be resolved with the following policy:
# Rules for the gcc-config domain (reference-policy syntax; the *_perms names
# are refpolicy permission-set macros).
# fowner: act on files whose owner is not the process UID;
# dac_read_search: bypass DAC read/search checks while walking directories.
allow gcc_config_t gcc_config_t:capability { fowner dac_read_search };
allow gcc_config_t gcc_config_t:process { getsched };
allow gcc_config_t urandom_device_t:chr_file read_chr_file_perms;
# gcc-config runs under the emerge; it reads portage's files and works in
# portage's temporary directory.
allow gcc_config_t portage_t:file read_file_perms;
allow gcc_config_t portage_tmp_t:dir rw_dir_perms;
allow gcc_config_t portage_tmp_t:file manage_file_perms;

# Rules for the ldconfig domain.
allow ldconfig_t urandom_device_t:chr_file read_chr_file_perms;
allow ldconfig_t ldconfig_t:capability { fowner };
# setfscreate: set the file-creation context so the new cache is labelled
# ld_so_cache_t; relabelfrom: change the label of the existing cache file.
allow ldconfig_t ldconfig_t:process { setfscreate };
allow ldconfig_t ld_so_cache_t:file { relabelfrom };

Reproducible: Always

Steps to Reproduce:
1. Emerge sys-devel/gcc-config
2. Observe that the build fails, but the ld config cannot be updated.
3. Attempt to launch a C++ application after a reboot - in a worst case scenario, it fails to load symbols and crashes.
Actual Results:  
The ld.so.conf file is not updated, although it should be, and as a result the gcc directory is not included and libgcc_s and libstdc++ cannot be used by applications.

Expected Results:  
The GCC directory should be added to ld.so.conf after gcc-config is emerged.

sec-policy/selinux-base-2.20210908-r1
sys-devel/gcc-config-2.5-r1
sys-libs/libselinux-3.3
sys-libs/musl-1.2.2-r6

Using gentoo-kernel 5.15.19 (gentoo dist, but not bin)
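The check behind step 2 of the reproduction and the "Actual Results" above, as an added example that is not code from the bug report, gcc-config or ldconfig: it resolves an ld.so.conf tree the way ldconfig does (include globs relative to the including file's directory, which is glibc ldconfig behaviour; that Gentoo's musl ldconfig wrapper walks the same /etc/ld.so.conf tree is an assumption) and reports whether the GCC library directory is present. The /etc tree is constructed in a temporary directory; the drop-in name 05gcc-<CHOST>.conf and the GCC version in GCC_LIBDIR are assumptions, not values from the report.

```python
"""Check whether the GCC library directory is reachable through ld.so.conf.

Added example for this bug report; not gcc-config, ldconfig or refpolicy code.
It models the part of ldconfig's config parsing that matters here: 'include'
lines whose glob is resolved relative to the directory of the including file,
'#' comments, and one library directory per remaining line.
"""
import glob
import os
import tempfile

# Assumed GCC library directory; the real one depends on the installed GCC.
GCC_LIBDIR = "/usr/lib/gcc/x86_64-pc-linux-musl/11.2.0"


def resolve_ld_so_conf(conf_path, _seen=None):
    """Return the library directories ld.so.conf yields, in file order."""
    seen = set() if _seen is None else _seen
    real = os.path.realpath(conf_path)
    if real in seen or not os.path.isfile(real):
        # Include loops and missing include targets are skipped silently,
        # which is what ldconfig does with a missing include.
        return []
    seen.add(real)
    dirs = []
    with open(real) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            words = line.split(None, 1)
            if words[0] == "include" and len(words) == 2:
                pattern = words[1].strip()
                if not os.path.isabs(pattern):
                    pattern = os.path.join(os.path.dirname(real), pattern)
                for included in sorted(glob.glob(pattern)):
                    dirs.extend(resolve_ld_so_conf(included, seen))
            else:
                dirs.append(os.path.normpath(line))
    return dirs


def gcc_dir_in_ld_so_conf(conf_path, gcc_libdir=GCC_LIBDIR):
    """True when gcc_libdir is one of the directories ld.so.conf resolves to."""
    return os.path.normpath(gcc_libdir) in resolve_ld_so_conf(conf_path)


def build_sample_etc(with_gcc_entry):
    """Construct a minimal /etc-like tree in a temp dir and return its path.

    With with_gcc_entry=False the tree mirrors the state the bug describes:
    ld.so.conf itself is intact, but the gcc-config drop-in was never written.
    """
    etc = os.path.join(tempfile.mkdtemp(prefix="ldconf-"), "etc")
    os.makedirs(os.path.join(etc, "ld.so.conf.d"))
    with open(os.path.join(etc, "ld.so.conf"), "w") as fh:
        fh.write("# constructed sample\ninclude ld.so.conf.d/*.conf\n/usr/local/lib\n")
    if with_gcc_entry:
        # Assumed drop-in name; gcc-config's real file name follows the CHOST.
        dropin = os.path.join(etc, "ld.so.conf.d", "05gcc-x86_64-pc-linux-musl.conf")
        with open(dropin, "w") as fh:
            fh.write(GCC_LIBDIR + "\n")
    return etc


def check_sample(with_gcc_entry):
    """Build the sample tree and report whether the GCC libdir is in the search path."""
    etc = build_sample_etc(with_gcc_entry)
    return gcc_dir_in_ld_so_conf(os.path.join(etc, "ld.so.conf"))


if __name__ == "__main__":
    print("healthy system:", check_sample(True))
    print("state from the bug:", check_sample(False))
```

Pointing `gcc_dir_in_ld_so_conf` at the real /etc/ld.so.conf and the directory `gcc-config -L` prints is the quick way to tell, after an emerge of gcc-config, whether the symptom in this bug is present before any C++ binary is started.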
Comment 1 Sam James 2022-02-10 03:29:02 UTC
Please include emerge --info, as changes were made here recently.
Comment 2 Larry the Git Cow 2022-02-10 04:12:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4dc12af5875cb83833fc057ad78bc0910f0f16b1

commit 4dc12af5875cb83833fc057ad78bc0910f0f16b1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-10 04:11:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-10 04:11:38 +0000

    sys-libs/musl: stabilize 1.2.2-r7
    
    Contains some previous ldconfig fixes.
    
    Bug: https://bugs.gentoo.org/663990
    Bug: https://bugs.gentoo.org/696818
    Bug: https://bugs.gentoo.org/833018
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/musl/musl-1.2.2-r7.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 3 Sam James 2022-02-10 04:18:05 UTC
The raw AVC denials may still be useful. Does newer musl (just stabled) help?
Comment 4 Sam James 2022-02-10 07:54:31 UTC
Ah: [06:21] <jpds> sam_: Already fixed in ~arch: https://github.com/perfinion/hardened-refpolicy/pull/26
Comment 5 Andrew Athalye 2022-02-10 22:33:06 UTC
Newer musl seems to maybe help with the ldconfig issues? I commented out all the rules for ldconfig_t and left only gcc_config_t, which led to errors still being produced in audit.log but otherwise the ld.so.conf was generated correctly. I am now able to send emerge --info directly and the raw AVCs, so I'll send those shortly.
Comment 6 Andrew Athalye 2022-02-10 22:40:48 UTC
I installed the ~arch reference policy and can confirm that the error has disappeared. Messages remain in the audit log about getsched, fowner, and dac_read_search being denied to gcc_config_t, however these do not affect the generation of the ld.so.conf file.
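The "raw AVC denials" asked for in Comment 3 and the getsched/fowner/dac_read_search messages that remain in Comment 6 map onto allow rules the way the policy in the description shows. The following added example (not code from the bug, from refpolicy or from audit2allow) parses constructed audit.log lines, groups them into candidate rules, skips denials recorded in permissive mode, and flags the rules a reviewer should not wave through. The audit lines, pids, inode numbers and capability numbers are invented to mirror the denials described, not copied from the reporter's system.

```python
"""Turn raw SELinux AVC denials into candidate allow rules, with review flags.

Added example for this bug report; it is not gcc-config, refpolicy or
audit2allow code.  SAMPLE_AUDIT_LOG is constructed to mirror the denials the
report describes for gcc_config_t and ldconfig_t; every field value is invented.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the reporter's system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1644462977.123:411): avc:  denied  { getsched } for  pid=4242 comm="gcc-config" scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:system_r:gcc_config_t:s0 tclass=process permissive=0
type=AVC msg=audit(1644462977.130:412): avc:  denied  { fowner } for  pid=4242 comm="gcc-config" capability=3 scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:system_r:gcc_config_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1644462977.131:413): avc:  denied  { dac_read_search } for  pid=4242 comm="gcc-config" capability=2 scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:system_r:gcc_config_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1644462977.140:414): avc:  denied  { read } for  pid=4243 comm="gcc-config" name="urandom" dev="devtmpfs" ino=7 scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1644462977.150:415): avc:  denied  { relabelfrom } for  pid=4250 comm="ldconfig" name="ld.so.cache" dev="sda2" ino=99 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1644462977.150:415): arch=c000003e syscall=2 success=yes exit=3 ...
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Permissions that relax DAC or MAC checks for the whole domain and therefore
# deserve a human decision rather than an automatic allow.
REVIEW_CAREFULLY = {
    ("capability", "dac_read_search"),
    ("capability", "dac_override"),
    ("capability", "fowner"),
    ("file", "relabelfrom"),
    ("file", "relabelto"),
    ("process", "setfscreate"),
}


def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_denial(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scon")),
        "ttype": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def denials_to_rules(log_text, include_permissive=False):
    """Group denials by (source type, target type, class) into allow rules.

    A denial logged with permissive=1 blocked nothing (the domain or the whole
    system was permissive), so it is skipped unless explicitly requested.
    Permissions are sorted so the output is stable across runs.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None or (d["permissive"] and not include_permissive):
            continue
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def flag_for_review(rules):
    """Return the subset of rules granting a permission listed in REVIEW_CAREFULLY."""
    flagged = []
    for rule in rules:
        tclass = rule.split(":")[1].split()[0]
        perms = rule[rule.index("{") + 1:rule.index("}")].split()
        if any((tclass, p) in REVIEW_CAREFULLY for p in perms):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = denials_to_rules(SAMPLE_AUDIT_LOG)
    print("\n".join(rules))
    print("needs review:", flag_for_review(rules))
```

The output is the raw-permission form (`{ read }` rather than the refpolicy macro `read_chr_file_perms` used in the description); when the rules go into a refpolicy module the macro form is the idiomatic one. The review step is the part that matters: a denial on `fowner` or `dac_read_search` tells you what the domain tried to do, not that it should be allowed to, and a capability grant applies to everything the domain touches.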