Moving and Copying Files in Centos Linux

In file system operations, security context must now be considered in terms of the label of the file, the process accessing it, and the directories where the operation is happening. Because of this, moving and copying files with mv and cp may have unexpected results.

Moving and Copying Files in Centos Linux

Copying Files: SELinux Options for cp

Unless you specify otherwise, cp follows the default behavior of creating a new file based on the domain of the creating process and the type of the target directory. Unless there is a specific rule to set the label, the file inherits the type from the target directory.

Use the -Z user:role:type option to specify the required label for the new file.

The -p (or --preserve=mode,ownership,timestamps) option preserves the specified attributes and, if possible, additional attributes such as links.

touch bar foo
ls -Z bar foo

-rw-rw-r--  auser   auser   user_u:object_r:user_home_t   bar

-rw-rw-r--  auser   auser   user_u:object_r:user_home_t   foo

If you use the cp command without any additional command-line arguments, a copy of the file is created in the new location using the default type of the creating process and the target directory. In this case, because there is no specific rule that applies to cp and /tmp, the new file has the type of the parent directory:

cp bar /tmp

ls -Z /tmp/bar

-rw-rw-r--  auser   auser   user_u:object_r:tmp_t   /tmp/bar

The type tmp_t is the default type for temporary files.

Use the -Z option to specify the label for the new file:

cp -Z user_u:object_r:user_home_t foo /tmp
ls -Z /tmp/foo

-rw-rw-r--  auser   auser   user_u:object_r:user_home_t   /tmp/foo

Moving Files: SELinux Options for mv

Moving files with mv retains the original type associated with the file. Care should be taken using this command as it can cause problems. For example, if you move files with the type user_home_t into ~/public_html, then the httpd daemon is not able to serve those files until you relabel them. Refer to Section 45.1.3, “Relabeling a File or Directory” for more information about file labeling.

Command	Behavior
mv	The file retains its original label. This may cause problems, confusion, or minor insecurity. For example, the tmpwatch program running in the sbin_t domain might not be allowed to delete an aged file in the /tmp directory because of the file's type.
cp	Makes a copy of the file using the default behavior based on the domain of the creating process (cp) and the type of the target directory.
cp -p	Makes a copy of the file, preserving the specified attributes and security contexts, if possible. The default attributes are mode, ownership, and timestamps. Additional attributes are links and all.
cp -Z <user:role:type>	Makes a copy of the file with the specified labels. The -Z option is synonymous with --context.

Table Behavior of mv and cp Commands