SELinux - copying ISO file content
jim at meyering.net
Wed Oct 8 16:10:26 UTC 2008
Daniel J Walsh <dwalsh at redhat.com> wrote:
> David P. Quigley wrote:
>> I think the main question here is should archive try to retain the
>> SELinux context. From what I've heard from people here, initially the
>> idea was to try to preserve the context and if that failed fall back to
>> labeling based on the parent. That doesn't seem to be what cp is trying
>> to do. If we removed the retain the context part from the archive switch
>> of cp you would get labeling based on the parent but then you would be
>> required to explicitly specify preserve the context when you wanted to
>> archive that as well.
>> It doesn't seem like anyone is actually depending on the associate
>> permission so it might be worth someone looking into removing it if no
>> one is really using it. It has its applications but I don't believe Red
>> Hat is using it at this time.
> That is fine with me, but I would like to get the opinion of upstream.
> Jim, what do you think?
Since I merged SELinux support into upstream coreutils (for
coreutils-6.9.91, released 2007-12-15; latest is coreutils-7.0),
its cp -a has *not* attempted to preserve SELinux context.
There was some debate about changing that, since cp -a has
always been equivalent to "cp -dpR", and some were reluctant
to change that.
To get SELinux-context-preserving behavior, you currently have two options:
  - use --preserve=context to require that cp preserve each
    file's context. Failure to do so makes cp end up exiting nonzero.
  - use --preserve=all to make cp _attempt_ to preserve context.
    Failure gets a diagnostic, but does not evoke nonzero exit status.
Just yesterday, Ondřej Vašík proposed a patch to change cp -a
from being equivalent to "cp -dpR" to being equivalent to
"cp -dR --preserve=all", which would be in line with this year-old
description from NEWS:

  * "cp -a" works with SELinux:
    Now, cp -a attempts to preserve context, but failure to do so does
    not change cp's exit status. However "cp --preserve=context" is
    similar, but failure *does* cause cp to exit with nonzero status.
I'll have to run some tests before deciding on this,
to see if such a change would result in many new diagnostics
about failure to preserve context.
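The two modes Jim contrasts above, exercised from a shell, as an added example that is neither code from this thread nor from coreutils itself. It assumes GNU cp with the --preserve option; the sample tree, file names and the copy_best_effort / copy_strict / describe_status helpers are constructed here for illustration. Real context preservation only happens on an SELinux-enabled kernel, so on a kernel without SELinux the strict mode is expected to fail while the best-effort mode still copies the data and exits 0.

```shell
#!/bin/sh
# Added example (not from the thread or from coreutils).
#   --preserve=all      best effort: a context that cannot be kept is only a
#                       diagnostic on stderr; exit status stays 0 if data copied
#   --preserve=context  strict: cp exits nonzero if any context cannot be kept
# Assumes GNU cp. Paths and helper names below are constructed for the demo.

# Best-effort copy: what "cp -a" would do if it became "cp -dR --preserve=all".
# Returns cp's exit status.
copy_best_effort() {
    cp -dR --preserve=all -- "$1" "$2"
}

# Strict copy: require that every file's SELinux context be preserved.
# Returns cp's exit status (nonzero when a context could not be preserved).
copy_strict() {
    cp -dR --preserve=context -- "$1" "$2"
}

# Turn a cp exit status into a short human-readable verdict.
describe_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    else
        echo "failed (exit $1)"
    fi
}

# Demo on a constructed temporary tree: one regular file plus a symlink,
# so that -d (never follow symlinks) is exercised as well.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src"
    printf 'constructed sample data\n' > "$work/src/file.txt"
    ln -s file.txt "$work/src/link"

    copy_best_effort "$work/src" "$work/by_all" 2>"$work/all.err"
    st=$?
    echo "--preserve=all:     $(describe_status "$st")"
    cat "$work/all.err"

    copy_strict "$work/src" "$work/by_context" 2>"$work/ctx.err"
    st=$?
    echo "--preserve=context: $(describe_status "$st")"
    cat "$work/ctx.err"

    # Show labels where ls supports -Z (GNU ls prints "?" without SELinux).
    ls -dZ "$work/src" "$work/by_all" 2>/dev/null
    rm -rf "$work"
}

demo
```

The useful distinction for a caller is in the exit status, not the diagnostic: a backup job that must never silently lose labels should use copy_strict and treat nonzero as a hard failure, while a job that prefers a complete copy over strict labeling uses copy_best_effort and inspects stderr for context warnings.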