Image of the glider from the Game of Life by John Conway
Skip to content

Copy Magic Under RHEL5.1?

Being an instructor for Guru Labs, I have the opportunity to not only teach Guru Labs courseware, but also contracted work with Red Hat, HP, IBM, Oracle and others. This week, I'm out in Atlanta, Georgia teaching the RH300 Rapid Track course for students to earn their RHCE. During one of the labs, we noticed the following anomoly with the 'cp' command under RHEL5.1. As such, I'm wondering if anyone has some insight as to what is going on. Consider the following scenario:

SELinux is running in Enforcing mode. A new index.html file is created in a user's home directory. As such, SELinux will label the type context as 'user_home_t'. If I were to copy this file to /var/www/html/ with -p as a switch, it should preserve the context as per the man page:

-p same as --preserve=mode,ownership,timestamps

--preserve[=ATTR_LIST]
preserve the specified attributes (default: mode,owner‐
ship,timestamps) and security contexts, if possible additional
attributes: links, all

Yet, the context is not preserved, and a new security type context applied, specifically, 'http_sys_content_t', which it should be if Apache wants to serve that index.html file while SELinux is in enforcing mode. However, if you use the -a switch to perform the copy, the original context is held in place. According to the man page, -a is the same as -dpR. Again, per the man page:

-a, --archive
same as -dpR

[snip]

-d same as --no-dereference --preserve=link

[snip]

-P, --no-dereference
never follow symbolic links

-p same as --preserve=mode,ownership,timestamps

[snip]

-R, -r, --recursive
copy directories recursively

Certainly -R is not preserving the context, and as we saw previously, -p isn't either. So, this concludes that -d is preserving the context? Yet, -d only deals with symbolic links, not security contexts. So, the question is, what am I missing with 'cp -p' vs 'cp -a' to preserve security contexts?

{ 2 } Comments

  1. Byron Clark using Firefox 2.0.0.11 on Ubuntu | January 24, 2008 at 11:04 am | Permalink

    Looking at the cp code in ubuntu (patched coreutils 5.97) it appears that '-a' is really the same as '-dPR --preserve=links,ownership,mode,timestamps,context'

    I would imagine the RHEL source is similar. '--preserve=all' should give you the results you want.

  2. Byron Clark using Firefox 2.0.0.11 on Ubuntu | January 24, 2008 at 11:10 am | Permalink

    It appears that '-a' and -dpPR' are equivalent in coreutils 6.10.

Post a Comment

Your email is never published nor shared.

Switch to our mobile site