Hi,
when working as a confined SELinux user, 'install' gives out
| $ install X Y
| install: warning: Y: failed to change context to
system_u:object_r:build_file_t:s0: Permission denied
like messages for every file it tries to copy. This warning might be
useful when 'root' copies files into the / filesystem. But it is quite
annoying for a confined user who builds software and gets thousands of
these warnings during 'make install DESTDIR=...'. These warnings might
break automated buildsystems too.
Some background:
1. in a (local) .fc SELinux policy file, the directory where 'Y' shall
be created has a setup like
| <some-dir>(/.*)? gen_context(system_u:object_r:build_file_t,s0)
2. the confined SELinux user has a context of
| $ id -Z
| user_u:user_r:user_t:s0
3. the default SELinux policy has an identity change constraint[1] of
| constrain { dir file lnk_file sock_file fifo_file chr_file
| blk_file } { create relabelto relabelfrom }
| (
| u1 == u2
| or t1 == can_change_object_identity
| );
The 'can_change_object_identity' attribute is usually given to admin
and unconfined users only.
I am not sure why this constraint exist, but there are probably good
reasons for it.
4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates
'Y' with the default directory context
| user_u:object_r:build_file_t
5. trying to change the context
- from 'user_u:object_r:build_file_t' (point 4)
- to 'system_u:object_r:build_file_t' (point 1)
is not possible, because this requires a user change from 'user_u' to
'system_u' which is prohibited by point 3.
I am not sure how to solve this perfectly. Perhaps the warning should
be printed with --verbose and/or for getuid()==0 only?
Enrico
Footnotes:
[1] http://selinuxproject.org/page/ConstraintStatements
