Hi,

when working as a confined SELinux user, 'install' gives out

| $ install X Y
| install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied

like messages for every file it tries to copy. This warning might be useful when 'root' copies files into the / filesystem. But it is quite annoying for a confined user who builds software and gets thousands of these warnings during 'make install DESTDIR=...'. These warnings might break automated buildsystems too.

Some background:

1. in a (local) .fc SELinux policy file, the directory where 'Y' shall be created has a setup like

   | <some-dir>(/.*)? gen_context(system_u:object_r:build_file_t,s0)

2. the confined SELinux user has a context of

   | $ id -Z
   | user_u:user_r:user_t:s0

3. the default SELinux policy has an identity change constraint[1] of

   | constrain { dir file lnk_file sock_file fifo_file chr_file
   |             blk_file } { create relabelto relabelfrom }
   | (
   |     u1 == u2
   |     or t1 == can_change_object_identity
   | );

   The 'can_change_object_identity' attribute is usually given to admin and unconfined users only. I am not sure why this constraint exists, but there are probably good reasons for it.

4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates 'Y' with the default directory context

   | user_u:object_r:build_file_t

5. trying to change the context

   - from 'user_u:object_r:build_file_t' (point 4)
   - to 'system_u:object_r:build_file_t' (point 1)

   is not possible, because this requires a user change from 'user_u' to 'system_u' which is prohibited by point 3.

I am not sure how to solve this perfectly. Perhaps the warning should be printed with --verbose and/or for getuid()==0 only?

Enrico

Footnotes:
[1] http://selinuxproject.org/page/ConstraintStatements
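The five background points above, walked through as an added Python model (not part of the original mail, and not code from coreutils or the SELinux policy). It evaluates only the quoted identity constraint, not type-enforcement allow rules; the function names, the simplified labelling of the new file, and treating `unconfined_t` as a holder of `can_change_object_identity` are assumptions made for illustration.

```python
from typing import NamedTuple

# Classes and permissions named in the constrain statement quoted in the mail.
CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
PERMS = {"create", "relabelto", "relabelfrom"}

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str = "s0"

def parse_context(text: str) -> Context:
    """Parse 'user:role:type[:level]'; the level may contain ':' (categories)."""
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"not an SELinux context: {text!r}")
    return Context(*parts)

def constraint_allows(src, tgt, tclass, perm, identity_changers=frozenset()):
    """Evaluate (u1 == u2 or t1 == can_change_object_identity) for one access."""
    if tclass not in CLASSES or perm not in PERMS:
        return True  # the constraint does not cover this class/permission
    return src.user == tgt.user or src.type in identity_changers

def check_install(process, dir_type, fc_label, identity_changers=frozenset()):
    """Return which steps of 'install X Y' pass the identity constraint."""
    proc, wanted = parse_context(process), parse_context(fc_label)
    # Point 4 (simplified assumption): the new file gets the creator's SELinux
    # user, role object_r and the type of the containing directory.
    created = Context(proc.user, "object_r", dir_type, proc.level)
    return {
        "create": constraint_allows(proc, created, "file", "create", identity_changers),
        "relabelfrom": constraint_allows(proc, created, "file", "relabelfrom", identity_changers),
        "relabelto": constraint_allows(proc, wanted, "file", "relabelto", identity_changers),
    }

if __name__ == "__main__":
    label = "system_u:object_r:build_file_t:s0"  # point 1
    print(check_install("user_u:user_r:user_t:s0", "build_file_t", label))  # point 2
    # Constructed comparison: a domain assumed to carry can_change_object_identity.
    print(check_install("unconfined_u:unconfined_r:unconfined_t:s0", "build_file_t",
                        label, identity_changers={"unconfined_t"}))
```

For the confined user only `relabelto` fails, which matches the mail: the file is created successfully and the relabel to `system_u` is what produces the warning.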