bug-coreutils

bug#17252: 'install' is too noisy when running as confined SELinux user


From: Pádraig Brady
Subject: bug#17252: 'install' is too noisy when running as confined SELinux user
Date: Sun, 13 Apr 2014 19:14:36 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 04/12/2014 05:23 PM, Enrico Scholz wrote:
> Hi,
> 
> when working as a confined SELinux user, 'install' gives out
> 
> | $ install X Y
> | install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied
> 
> like messages for every file it tries to copy.  This warning might be
> useful when 'root' copies files into the / filesystem.  But it is quite
> annoying for a confined user who builds software and gets thousands of
> these warnings during 'make install DESTDIR=...'.  These warnings might
> break automated buildsystems too.
> 
> 
> Some background:
> 
> 1. in a (local) .fc SELinux policy file, the directory where 'Y' shall
>    be created has a setup like
> 
>    | <some-dir>(/.*)? gen_context(system_u:object_r:build_file_t,s0)
> 
> 2. the confined SELinux user has a context of
> 
>    | $ id -Z
>    | user_u:user_r:user_t:s0
> 
> 3. the default SELinux policy has an identity change constraint[1] of
> 
>    | constrain { dir file lnk_file sock_file fifo_file chr_file 
>    | blk_file } { create relabelto relabelfrom } 
>    | (
>    | u1 == u2
>    | or t1 == can_change_object_identity
>    | );
> 
>    The 'can_change_object_identity' attribute is usually given to admin
>    and unconfined users only.
> 
>    I am not sure why this constraint exists, but there are probably good
>    reasons for it.
> 
> 4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates
>    'Y' with the default directory context
> 
>    | user_u:object_r:build_file_t
> 
> 5. trying to change the context
> 
>    - from 'user_u:object_r:build_file_t' (point 4) 
>    - to 'system_u:object_r:build_file_t' (point 1)
> 
>    is not possible, because this requires a user change from 'user_u' to
>    'system_u' which is prohibited by point 3.
> 
> 
> I am not sure how to solve this perfectly.  Perhaps the warning should
> be printed with --verbose and/or for getuid()==0 only?
> 
> 
> 
> Enrico
> 
> Footnotes: 
> [1]  http://selinuxproject.org/page/ConstraintStatements

Thanks for the very clear description of what's happening.
I'm not sure that install should be suppressing warnings here,
as it's trying to do something and failing, so we would
indicate this always I think.

Now there is the question of whether what install is doing is entirely correct.

Note since coreutils 8.22 one can add the -Z option to install(1) to get a
different mode of setting the default file context for the installed
destination file.
Snarfing the comment from the code:

  /* [-Z will] Disable use of the install(1) specific setdefaultfilecon().
     Note setdefaultfilecon() is different from the newer and more
     generic restorecon() in that the former sets the context of
     the dest files to that returned by matchpathcon directly,
     thus [making an attempt at] discarding MLS level and user identity
     of the file.
     TODO: consider removing setdefaultfilecon() in future.  */

So perhaps the -Z option will behave as you want?
As noted in the comment maybe we should be doing this always,
at least for non root users?

thanks,
Pádraig.
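
The denial described in points 1-5 and the difference between the two relabeling modes in the quoted code comment, as an added example that is not part of the original messages and is not coreutils or libselinux code. It models only the identity-change constraint from point 3 (no type-enforcement rules); the function names and the membership of PRIVILEGED_TYPES are assumptions made for the illustration.

```python
from typing import NamedTuple, Optional

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range, may itself contain ':'

def parse_context(text: str) -> Context:
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"malformed SELinux context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

# Constructed for this example: domains holding can_change_object_identity.
PRIVILEGED_TYPES = frozenset({"unconfined_t"})

def constraint_ok(proc: Context, obj: Context) -> bool:
    # Point 3: (u1 == u2 or t1 == can_change_object_identity),
    # with u1/t1 taken from the process and u2 from the file label.
    return proc.user == obj.user or proc.type in PRIVILEGED_TYPES

def full_target(current: Context, default: Context) -> Context:
    # setdefaultfilecon() style: use the policy's context as-is.
    return default

def type_only_target(current: Context, default: Context) -> Context:
    # restorecon() style: adopt the policy's type, keep user/role/level.
    return current._replace(type=default.type)

def relabel(proc_s: str, current_s: str, default_s: str, strategy) -> str:
    proc, cur, dflt = (parse_context(s) for s in (proc_s, current_s, default_s))
    new = strategy(cur, dflt)
    if new == cur:
        return "unchanged"  # nothing to relabel, so nothing to deny
    # relabelfrom is checked against the old label, relabelto against the new.
    allowed = constraint_ok(proc, cur) and constraint_ok(proc, new)
    return "relabeled" if allowed else "denied"

if __name__ == "__main__":
    proc = "user_u:user_r:user_t:s0"                  # point 2
    created = "user_u:object_r:build_file_t"          # point 4
    default = "system_u:object_r:build_file_t:s0"     # point 1
    print("full context:", relabel(proc, created, default, full_target))
    print("type only:   ", relabel(proc, created, default, type_only_target))
```
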




