mesonbuild / meson

The Meson Build System
http://mesonbuild.com
Apache License 2.0

meson wrongly copies selinux attributes from build-dir to install location on "meson install" #5779

Open jwrdegoede opened 5 years ago

jwrdegoede commented 5 years ago

I hit this when building mutter from source (master branch) on a Fedora Rawhide system.

After running the following from my mutter src dir: sudo ninja install -v -j4 -C x86_64-redhat-linux-gnu, which under the hood calls /usr/bin/meson install --no-rebuild, I get:

[hans@shalem mutter]$ ls -Z /usr/share/locale/nl/LC_MESSAGES/mutter.mo
unconfined_u:object_r:user_home_t:s0 /usr/share/locale/nl/LC_MESSAGES/mutter.mo

Which is surprising since normally when copying / installing a file the new copy gets new fresh selinux attributes, e.g.:

[hans@shalem mutter]$ sudo install -m644 -p /home/hans/projects/mutter/x86_64-redhat-linux-gnu/po/nl.gmo /usr/share/locale/nl/LC_MESSAGES/mutter.mo
[hans@shalem mutter]$ ls -Z /usr/share/locale/nl/LC_MESSAGES/mutter.mo
system_u:object_r:locale_t:s0 /usr/share/locale/nl/LC_MESSAGES/mutter.mo

meson copying over the existing selinux attributes leads to the installed file having the wrong selinux attributes, which results in selinux denials, e.g.:

type=AVC msg=audit(1565102209.902:113): avc:  denied  { map } for  pid=1751 comm="gnome-shell" path="/usr/share/locale/nl/LC_MESSAGES/gnome-shell.mo" dev="nvme0n1p2" ino=3543080 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565102210.431:115): avc:  denied  { map } for  pid=1751 comm="gnome-shell" path="/usr/share/locale/nl/LC_MESSAGES/mutter.mo" dev="nvme0n1p2" ino=3540175 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Please fix meson to not copy over selinux attributes from the build-dir to the installation target.

jpakkane commented 5 years ago

I'm not an SELinux specialist by any measure but as far as I can remember, Meson runs restorecon (or whatever it was called) when installing files if it is available. Dunno if that should work and if yes, why things are broken.

This could potentially also be a Python behavioural change. We use Python standard library file copying operations to copy files and related attributes from build dir to install dir. Maybe that has changed in latest Pythons and now copies SELinux attributes as well?

jwrdegoede commented 5 years ago

Running restorecon after the install should do the trick.

Is there any way I can verify that this is happening / figure out why this is not happening?

jpakkane commented 5 years ago

I think the only way is to open mesonbuild/minstall.py and read the code. It's not a great solution but the file is only about 500 lines long...

jwrdegoede commented 5 years ago

On 08-08-19 12:30, Jussi Pakkanen wrote:

I think the only way is to open mesonbuild/minstall.py and read the code. It's not a great solution but the file is only about 500 lines long...

Ok, I've put taking a look at this on my to-do list, but not at a very high place, so it will likely take a long time before I get around to this.

jwrdegoede commented 5 years ago

I'm sorry but I do not see myself having the time to investigate this further in the near future, so I'm taking looking further into this off my to-do list.

For other people hitting the same issue I'm currently using the following script as workaround:

sudo ninja install -v -j4 -C x86_64-redhat-linux-gnu
sudo restorecon -R /usr/share/locale

ensc commented 4 years ago

Here, 'install' fails because relabelto (part of the install operation) is not allowed:

Installing .../1.0-r0/rootfs/usr/local/share/utun-tests
Traceback (most recent call last):
  File ".../recipe-sysroot-native/usr/lib/python3.7/site-packages/mesonbuild/mesonmain.py", line 127, in run
    return options.run_func(options)
  File ".../recipe-sysroot-native/usr/lib/python3.7/site-packages/mesonbuild/minstall.py", line 517, in run
    installer.do_install(datafilename)
  File ".../recipe-sysroot-native/usr/lib/python3.7/site-packages/mesonbuild/minstall.py", line 346, in do_install
    self.install_data(d)
  File ".../recipe-sysroot-native/usr/lib/python3.7/site-packages/mesonbuild/minstall.py", line 376, in install_data
    self.do_copyfile(fullfilename, outfilename)
  File ".../recipe-sysroot-native/usr/lib/python3.7/site-packages/mesonbuild/minstall.py", line 258, in do_copyfile
    shutil.copystat(from_file, to_file)
  File ".../recipe-sysroot-native/usr/lib/python3.7/shutil.py", line 209, in copystat
    _copyxattr(src, dst, follow_symlinks=follow)
  File ".../recipe-sysroot-native/usr/lib/python3.7/shutil.py", line 165, in _copyxattr
    os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
PermissionError: [Errno 13] Permission denied: '.../1.0-r0/rootfs/usr/local/share/utun-tests/test-00.lua'
FAILED: meson-install 
.../recipe-sysroot-native/usr/bin/meson install --no-rebuild

The AVC is

AVC avc:  denied  { relabelto } for  pid=3142083 comm="nativepython3" name="test-00.lua" dev="dm-20" ino=44850755 scontext=system_u:system_r:container_t:s0:c619,c897 tcontext=unconfined_u:object_r:build_file_t:s0 tclass=file permissive=0

Install should not try to copy original SELinux label. It should just copy the data and try to apply the context from the actual policy. In DESTDIR mode, failures to set the label should not be critical.

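The behaviour jpakkane suspects and ensc's traceback confirms is shutil.copystat() copying every extended attribute, security.selinux included. The following is an added example (not Meson's minstall.py, and not code from anyone in this thread) of an install-style copy that keeps data, mode and timestamps but never copies security.* xattrs, treats remaining xattr failures as non-fatal when staging into a DESTDIR, and otherwise leaves the label to restorecon if one is installed; the file names and catalog bytes in demo() are constructed.

```python
"""Install-style copy that does not carry the build dir's SELinux label along.

Unlike shutil.copystat(), security.* xattrs are never copied: the label must
come from the destination's policy (restorecon), not from the source file.
"""
import errno
import os
import shutil
import stat
import subprocess
import tempfile
from typing import List

def is_copyable_xattr(name: str) -> bool:
    """security.* (SELinux label, file capabilities) belongs to the destination
    policy, not to the file; everything else (e.g. user.*) travels with it."""
    return not name.startswith("security.")

def copy_xattrs(src: str, dst: str, strict: bool) -> List[str]:
    """Copy the copyable xattrs from src to dst; return the names not copied."""
    not_copied = []
    try:
        names = os.listxattr(src)
    except (OSError, AttributeError):      # OS or filesystem without xattrs
        return not_copied
    for name in names:
        if not is_copyable_xattr(name):
            not_copied.append(name)        # skipped on purpose, never an error
            continue
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
        except OSError as e:
            if strict and e.errno not in (errno.ENOTSUP, errno.ENODATA):
                raise                      # a real install must not lose user.* data silently
            not_copied.append(name)        # DESTDIR staging: best effort only
    return not_copied

def install_file(src: str, dst: str, destdir: bool = False) -> List[str]:
    """shutil.copy2 minus the label; returns the xattrs left behind."""
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    left = copy_xattrs(src, dst, strict=not destdir)
    if not destdir and shutil.which("restorecon"):   # apply the policy's label
        subprocess.run(["restorecon", dst], check=False)
    return left

def demo() -> dict:
    """Constructed sample: stage a small catalog file into a DESTDIR."""
    root = tempfile.mkdtemp()
    src, dst = os.path.join(root, "nl.gmo"), os.path.join(root, "mutter.mo")
    payload = b"\xde\x12\x04\x95 constructed catalog"
    with open(src, "wb") as f:
        f.write(payload)
    os.chmod(src, 0o644)
    left = install_file(src, dst, destdir=True)
    with open(dst, "rb") as f:
        same = f.read() == payload
    return {"same_data": same, "mode": stat.S_IMODE(os.stat(dst).st_mode), "left_behind": left}
```

The AVC in ensc's report is exactly the relabelto that the strict path above would otherwise trigger; with destdir=True it is never attempted.
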
ensc commented 4 years ago

related: https://bugs.python.org/issue38893 + https://bugs.python.org/issue26328