GNU bug report logs - #17252
'install' is too noisy when running as confined SELinux user


Package: coreutils

Reported by: Enrico Scholz <enrico.scholz <at> ensc.de>

Date: Sat, 12 Apr 2014 18:32:02 UTC

Severity: normal

Tags: notabug

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#17252; Package coreutils. (Sat, 12 Apr 2014 18:32:02 GMT)

Acknowledgement sent to Enrico Scholz <enrico.scholz <at> ensc.de>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Sat, 12 Apr 2014 18:32:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Enrico Scholz <enrico.scholz <at> ensc.de>
To: bug-coreutils <at> gnu.org
Subject: 'install' is too noisy when running as confined SELinux user
Date: Sat, 12 Apr 2014 18:23:30 +0200

Hi,

when working as a confined SELinux user, 'install' gives out

| $ install X Y
| install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied

like messages for every file it tries to copy.  This warning might be
useful when 'root' copies files into the / filesystem.  But it is quite
annoying for a confined user who builds software and gets thousands of
these warnings during 'make install DESTDIR=...'.  These warnings might
break automated build systems too.


Some background:

1. in a (local) .fc SELinux policy file, the directory where 'Y' shall
   be created has a setup like

   | <some-dir>(/.*)?	gen_context(system_u:object_r:build_file_t,s0)

2. the confined SELinux user has a context of

   | $ id -Z
   | user_u:user_r:user_t:s0

3. the default SELinux policy has an identity change constraint[1] of

   | constrain { dir file lnk_file sock_file fifo_file chr_file 
   | blk_file } { create relabelto relabelfrom } 
   | (
   | u1 == u2
   | or t1 == can_change_object_identity
   | );

   The 'can_change_object_identity' attribute is usually given to admin
   and unconfined users only.

   I am not sure why this constraint exists, but there are probably good
   reasons for it.

4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates
   'Y' with the default directory context

   | user_u:object_r:build_file_t

5. trying to change the context

   - from 'user_u:object_r:build_file_t' (point 4) 
   - to 'system_u:object_r:build_file_t' (point 1)

   is not possible, because this requires a user change from 'user_u' to
   'system_u' which is prohibited by point 3.


I am not sure how to solve this perfectly.  Perhaps the warning should
be printed with --verbose and/or for getuid()==0 only?



Enrico

Footnotes: 
[1]  http://selinuxproject.org/page/ConstraintStatements





Information forwarded to bug-coreutils <at> gnu.org:
bug#17252; Package coreutils. (Sun, 13 Apr 2014 18:15:01 GMT)

Message #8 received at 17252 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Enrico Scholz <enrico.scholz <at> ensc.de>
Cc: 17252 <at> debbugs.gnu.org, Daniel J Walsh <dwalsh <at> redhat.com>
Subject: Re: bug#17252: 'install' is too noisy when running as confined SELinux user
Date: Sun, 13 Apr 2014 19:14:36 +0100

On 04/12/2014 05:23 PM, Enrico Scholz wrote:
> Hi,
> 
> when working as a confined SELinux user, 'install' gives out
> 
> | $ install X Y
> | install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied
> 
> like messages for every file it tries to copy.  This warning might be
> useful when 'root' copies files into the / filesystem.  But it is quite
> annoying for a confined user who builds software and gets thousands of
> these warnings during 'make install DESTDIR=...'.  These warnings might
> break automated build systems too.
> 
> 
> Some background:
> 
> 1. in a (local) .fc SELinux policy file, the directory where 'Y' shall
>    be created has a setup like
> 
>    | <some-dir>(/.*)?	gen_context(system_u:object_r:build_file_t,s0)
> 
> 2. the confined SELinux user has a context of
> 
>    | $ id -Z
>    | user_u:user_r:user_t:s0
> 
> 3. the default SELinux policy has an identity change constraint[1] of
> 
>    | constrain { dir file lnk_file sock_file fifo_file chr_file 
>    | blk_file } { create relabelto relabelfrom } 
>    | (
>    | u1 == u2
>    | or t1 == can_change_object_identity
>    | );
> 
>    The 'can_change_object_identity' attribute is usually given to admin
>    and unconfined users only.
> 
>    I am not sure why this constraint exists, but there are probably good
>    reasons for it.
> 
> 4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates
>    'Y' with the default directory context
> 
>    | user_u:object_r:build_file_t
> 
> 5. trying to change the context
> 
>    - from 'user_u:object_r:build_file_t' (point 4) 
>    - to 'system_u:object_r:build_file_t' (point 1)
> 
>    is not possible, because this requires a user change from 'user_u' to
>    'system_u' which is prohibited by point 3.
> 
> 
> I am not sure how to solve this perfectly.  Perhaps the warning should
> be printed with --verbose and/or for getuid()==0 only?
> 
> 
> 
> Enrico
> 
> Footnotes: 
> [1]  http://selinuxproject.org/page/ConstraintStatements

Thanks for the very clear description of what's happening.
I'm not sure that install should be suppressing warnings here,
as it's trying to do something and failing, so we would
indicate this always I think.

Now there is the question of whether what install is doing is entirely correct.

Note since coreutils 8.22 one can add the -Z option to install(1) to get a different
mode of setting the default file context for the installed destination file.
Snarfing the comment from the code:

  /* [-Z will] Disable use of the install(1) specific setdefaultfilecon().
     Note setdefaultfilecon() is different from the newer and more
     generic restorecon() in that the former sets the context of
     the dest files to that returned by matchpathcon directly,
     thus [making an attempt at] discarding MLS level and user identity of the file.
     TODO: consider removing setdefaultfilecon() in future.  */

So perhaps the -Z option will behave as you want?
As noted in the comment maybe we should be doing this always,
at least for non root users?

thanks,
Pádraig.
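
Added example (not part of the thread and not coreutils code): a small C model of the identity constraint from point 3 of the report, applied to the two labelling strategies the reply contrasts. It assumes only that constraint is in play (type-enforcement allow rules are not modelled), and the names `install_relabel`, `constraint_ok` and the enums are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model, not coreutils code: a context is "user:role:type[:level]". */
struct ctx { char user[32], role[32], type[48], level[32]; };
enum mode { SETDEFAULTFILECON, RESTORECON_Z };
enum result { PARSE_ERROR = -1, DENIED, ALLOWED, UNCHANGED };

static bool ctx_parse(const char *s, struct ctx *c)
{
    memset(c, 0, sizeof *c);    /* zero-fill so whole structs can be compared */
    return sscanf(s, "%31[^:]:%31[^:]:%47[^:]:%31s",
                  c->user, c->role, c->type, c->level) >= 3;
}

/* Point 3: u1 == u2 or t1 == can_change_object_identity, where u1/t1
   describe the process and u2 the file label being checked. */
static bool constraint_ok(const struct ctx *proc, const struct ctx *obj, bool attr)
{
    return attr || strcmp(proc->user, obj->user) == 0;
}

/* attr: does the process type carry can_change_object_identity? */
enum result install_relabel(enum mode m, const char *proc_s, const char *cur_s,
                            const char *def_s, bool attr)
{
    struct ctx p, c, d, t;
    if (!ctx_parse(proc_s, &p) || !ctx_parse(cur_s, &c) || !ctx_parse(def_s, &d))
        return PARSE_ERROR;
    /* setdefaultfilecon() requests the whole policy default; the -Z path
       keeps the file's user/role/level and takes only the default's type. */
    t = (m == SETDEFAULTFILECON) ? d : c;
    strcpy(t.type, d.type);
    if (memcmp(&t, &c, sizeof t) == 0)
        return UNCHANGED;       /* label already matches, nothing to relabel */
    /* relabelfrom is checked on the old label, relabelto on the new one */
    return constraint_ok(&p, &c, attr) && constraint_ok(&p, &t, attr) ? ALLOWED : DENIED;
}

int main(void)
{
    const char *proc = "user_u:user_r:user_t:s0";            /* point 2 */
    const char *cur = "user_u:object_r:build_file_t";        /* point 4 */
    const char *def = "system_u:object_r:build_file_t:s0";   /* point 1 */
    printf("default: %d, -Z: %d\n",
           install_relabel(SETDEFAULTFILECON, proc, cur, def, false),
           install_relabel(RESTORECON_Z, proc, cur, def, false));
    return 0;
}
```

With the contexts from the report, the default path is denied because the requested label changes the user to `system_u`, while the `-Z` path leaves the user untouched and finds the type already correct.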




Information forwarded to bug-coreutils <at> gnu.org:
bug#17252; Package coreutils. (Sat, 20 Oct 2018 03:22:01 GMT)

Message #11 received at 17252 <at> debbugs.gnu.org:

From: Assaf Gordon <assafgordon <at> gmail.com>
To: 17252 <at> debbugs.gnu.org
Subject: Re: bug#17252: 'install' is too noisy when running as confined SELinux user
Date: Fri, 19 Oct 2018 21:21:13 -0600

tags 17252 notabug
close 17252
stop

(triaging old bugs)

On 13/04/14 12:14 PM, Pádraig Brady wrote:
> On 04/12/2014 05:23 PM, Enrico Scholz wrote:
>>
>> when working as a confined SELinux user, 'install' gives out
>>
>> | $ install X Y
>> | install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied
>>
[...]
> So perhaps the -Z option will behave as you want?
> As noted in the comment maybe we should be doing this always,
> at least for non root users?

With no further comments in 4 years, I'm closing this bug.
Discussion can continue by replying to this thread.


-assaf






Added tag(s) notabug. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Sat, 20 Oct 2018 03:22:02 GMT)

bug closed, send any further explanations to 17252 <at> debbugs.gnu.org and Enrico Scholz <enrico.scholz <at> ensc.de> Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Sat, 20 Oct 2018 03:22:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 17 Nov 2018 12:24:05 GMT)

This bug report was last modified 6 years and 219 days ago.
