Subject: bug#17252: 'install' is too noisy when running as confined SELinux user
From: Enrico Scholz
To: bug-coreutils@gnu.org
Date: Sat, 12 Apr 2014 18:23:30 +0200
Message-ID: <87y4zams8t.fsf@sheridan.bigo.ensc.de>

Hi,

when working as a confined SELinux user, 'install' gives out

| $ install X Y
| install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied

like messages for every file it tries to copy. This warning might be
useful when 'root' copies files into the / filesystem. But it is quite
annoying for a confined user who builds software and gets thousands of
these warnings during 'make install DESTDIR=...'. These warnings might
break automated build systems too.

Some background:

1. in a (local) .fc SELinux policy file, the directory where 'Y' shall
   be created has a setup like

   | (/.*)? gen_context(system_u:object_r:build_file_t,s0)

2. the confined SELinux user has a context of

   | $ id -Z
   | user_u:user_r:user_t:s0

3. the default SELinux policy has an identity change constraint[1] of

   | constrain { dir file lnk_file sock_file fifo_file chr_file
   | blk_file } { create relabelto relabelfrom }
   | (
   | u1 == u2
   | or t1 == can_change_object_identity
   | );

   The 'can_change_object_identity' attribute is usually given to admin
   and unconfined users only.

   I am not sure why this constraint exists, but there are probably good
   reasons for it.

4. the 'open("Y", ...|O_CREAT)' which is done by 'install X Y' creates
   'Y' with the default directory context

   | user_u:object_r:build_file_t

5. trying to change the context

   - from 'user_u:object_r:build_file_t' (point 4)
   - to 'system_u:object_r:build_file_t' (point 1)

   is not possible, because this requires a user change from 'user_u' to
   'system_u' which is prohibited by point 3.

I am not sure how to solve this perfectly.
Perhaps the warning should be printed with --verbose and/or for getuid()==0 only?

Enrico

Footnotes:
[1] http://selinuxproject.org/page/ConstraintStatements


Subject: bug#17252: 'install' is too noisy when running as confined SELinux user
From: Pádraig Brady
To: Enrico Scholz
Cc: 17252@debbugs.gnu.org, Daniel J Walsh
Date: Sun, 13 Apr 2014 19:14:36 +0100
Message-ID: <534AD40C.40808@draigBrady.com>
In-Reply-To: <87y4zams8t.fsf@sheridan.bigo.ensc.de>

On 04/12/2014 05:23 PM, Enrico Scholz wrote:
> Hi,
>
> when working as a confined SELinux user, 'install' gives out
>
> | $ install X Y
> | install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied
>
> like messages for every file it tries to copy.
> [...]
> I am not sure how to solve this perfectly. Perhaps the warning should
> be printed with --verbose and/or for getuid()==0 only?

Thanks for the very clear description of what's happening.

I'm not sure that install should be suppressing warnings here,
as it's trying to do something and failing, so we would indicate
this always I think.

Now there is the question of whether what install is doing is entirely
correct. Note since coreutils 8.22 one can add the -Z option to
install(1) to get a different mode of setting the default file context
for the installed destination file. Snarfing the comment from the code:

  /* [-Z will] Disable use of the install(1) specific setdefaultfilecon().
     Note setdefaultfilecon() is different from the newer and more generic
     restorecon() in that the former sets the context of the dest files to
     that returned by matchpathcon directly, thus [making an attempt at]
     discarding MLS level and user identity of the file.
     TODO: consider removing setdefaultfilecon() in future.  */

So perhaps the -Z option will behave as you want?
As noted in the comment maybe we should be doing this always,
at least for non root users?

thanks,
Pádraig.
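Enrico's steps 1 to 5 and Pádraig's code comment together pin down why the relabel fails: the file is created with the caller's user identity, and setdefaultfilecon() then asks for the full matchpathcon context, which changes that identity. The following Python is an added example, not coreutils or SELinux code: it re-implements the quoted constraint and compares the two strategies Pádraig contrasts (apply the matchpathcon context verbatim, versus a restorecon()-style reset of the type only) on the contexts from the report. Assumptions, also marked in the code: the set of domains carrying can_change_object_identity, no type_transition on the target directory, and type-level allow rules for relabelfrom/relabelto are not modelled.

```python
"""Model of the SELinux identity-change constraint behind bug#17252.

Added example, not coreutils or SELinux code.  It re-implements the
constraint quoted in the report so that the two relabel strategies can be
compared offline.  Assumptions: which domains carry
can_change_object_identity, no type_transition on the directory, and the
type-level allow rules for relabelfrom/relabelto are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context user:role:type[:level]; level defaults to s0."""
    user: str
    role: str
    type_: str
    level: str = "s0"

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":", 3)   # an MLS range may itself contain ':'
        if len(parts) < 3:
            raise ValueError(f"malformed context: {text!r}")
        level = parts[3] if len(parts) == 4 else "s0"
        return cls(parts[0], parts[1], parts[2], level)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type_}:{self.level}"


# Assumption for illustration: the reference policy gives this attribute to
# admin and unconfined domains.  On a real system list the members with
# `seinfo -a can_change_object_identity -x`.
CAN_CHANGE_OBJECT_IDENTITY = {"unconfined_t", "sysadm_t"}


def constraint_ok(proc: Context, obj: Context) -> bool:
    """The quoted rule: u1 == u2 or t1 == can_change_object_identity,
    with u1/t1 taken from the acting domain and u2 from the object
    context being created or relabelled."""
    return proc.user == obj.user or proc.type_ in CAN_CHANGE_OBJECT_IDENTITY


def created_context(proc: Context, parent: Context) -> Context:
    """open(O_CREAT): the inode gets the creator's user and level and, with
    no type_transition (assumed), the parent directory's type."""
    return Context(proc.user, "object_r", parent.type_, proc.level)


def install_dest_context(proc: Context, parent: Context,
                         matchpathcon: Context, mode: str):
    """Return (final context, warning-or-None) for the destination file.

    mode == "setdefaultfilecon": apply the matchpathcon context verbatim,
    which also rewrites user and level (the behaviour Enrico reports).
    mode == "restorecon": reset only the type, keep user and level.
    """
    cur = created_context(proc, parent)
    if mode == "setdefaultfilecon":
        want = matchpathcon
    elif mode == "restorecon":
        want = Context(cur.user, cur.role, matchpathcon.type_, cur.level)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if want == cur:
        return cur, None          # nothing to relabel, no warning
    # relabelfrom is checked against the old context, relabelto against the new.
    if constraint_ok(proc, cur) and constraint_ok(proc, want):
        return want, None
    return cur, f"failed to change context to {want}: Permission denied"


if __name__ == "__main__":
    # Constructed inputs taken from the report: confined user, directory
    # labelled by the local .fc entry, matchpathcon returning system_u.
    user = Context.parse("user_u:user_r:user_t:s0")
    admin = Context.parse("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    parent = Context.parse("user_u:object_r:build_file_t:s0")
    fc = Context.parse("system_u:object_r:build_file_t:s0")
    for who, mode in ((user, "setdefaultfilecon"), (user, "restorecon"),
                      (admin, "setdefaultfilecon")):
        ctx, warn = install_dest_context(who, parent, fc, mode)
        print(f"{who.type_:13s} {mode:18s} -> {ctx}  {warn or 'ok'}")
```

The confined user only fails in the verbatim mode, because the requested user field is system_u; the restorecon-style mode keeps user_u and the type already matches, so nothing is relabelled. On a real SELinux system the same comparison is `install X Y` versus `install -Z X Y` under the confined user followed by `ls -Z Y`, and `sesearch -A -s user_t -t build_file_t -c file -p relabelto` shows the type-level allow rule this model leaves out.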
Subject: bug#17252: 'install' is too noisy when running as confined SELinux user
From: Assaf Gordon
To: 17252@debbugs.gnu.org
Date: Fri, 19 Oct 2018 21:21:13 -0600
Message-ID: <49bc8f2a-b05a-daff-eb08-cfdb54d06707@gmail.com>
In-Reply-To: <534AD40C.40808@draigBrady.com>

tags 17252 notabug
close 17252
stop

(triaging old bugs)

On 13/04/14 12:14 PM, Pádraig Brady wrote:
> On 04/12/2014 05:23 PM, Enrico Scholz wrote:
>>
>> when working as a confined SELinux user, 'install' gives out
>>
>> | $ install X Y
>> | install: warning: Y: failed to change context to system_u:object_r:build_file_t:s0: Permission denied
>> [...]
> So perhaps the -Z option will behave as you want?
> As noted in the comment maybe we should be doing this always,
> at least for non root users?

With no further comments in 4 years, I'm closing this bug.
Discussion can continue by replying to this thread.

-assaf