bug#17252: 'install' is too noisy when running as confined SELinux user

[Enrico Scholz]

Hi,

when working as a confined SELinux user, 'install' gives out

| $ install X Y
| install: warning: Y: failed to change context to 
system_u:object_r:build_file_t:s0: Permission denied

like messages for every file it tries to copy.  This warning might be
useful when 'root' copies files into the / filesystem.  But it is quite
annoying for a confined user who builds software and gets thousands of
these warnings during 'make install DESTDIR=...'.  These warnings might
break automated buildsystems too.


Some background:

1. in a (local) .fc SELinux policy file, the directory where 'Y' shall
   be created has a setup like

   | <some-dir>(/.*)?   gen_context(system_u:object_r:build_file_t,s0)

2. the confined SELinux user has a context of

   | $ id -Z
   | user_u:user_r:user_t:s0

3. the default SELinux policy has an identity change constraint[1] of

   | constrain { dir file lnk_file sock_file fifo_file chr_file 
   | blk_file } { create relabelto relabelfrom } 
   | (
   | u1 == u2
   | or t1 == can_change_object_identity
   | );

   The 'can_change_object_identity' attribute is usually given to admin
   and unconfined users only.

   I am not sure why this constraint exist, but there are probably good
   reasons for it.

4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates
   'Y' with the default directory context

   | user_u:object_r:build_file_t

5. trying to change the context

   - from 'user_u:object_r:build_file_t' (point 4) 
   - to 'system_u:object_r:build_file_t' (point 1)

   is not possible, because this requires a user change from 'user_u' to
   'system_u' which is prohibited by point 3.


I am not sure how to solve this perfectly.  Perhaps the warning should
be printed with --verbose and/or for getuid()==0 only?



Enrico

Footnotes: 
[1]  http://selinuxproject.org/page/ConstraintStatements