Moving and Copying Files in CentOS Linux

In file system operations, the security context must now be considered in terms of the label of the file, the process accessing it, and the directories where the operation is happening. Because of this, moving and copying files with `mv` and `cp` may have unexpected results.
Copying Files: SELinux Options for cp
Unless you specify otherwise, `cp` follows the default behavior of creating a new file based on the domain of the creating process and the type of the target directory. Unless there is a specific rule to set the label, the file inherits the type from the target directory.
Use the `-Z user:role:type` option to specify the required label for the new file.
The `-p` (or `--preserve=mode,ownership,timestamps`) option preserves the specified attributes and, if possible, additional attributes such as links.

```
touch bar foo
ls -Z bar foo
-rw-rw-r--  auser auser user_u:object_r:user_home_t bar
-rw-rw-r--  auser auser user_u:object_r:user_home_t foo
```
If you use the `cp` command without any additional command-line arguments, a copy of the file is created in the new location using the default type of the creating process and the target directory. In this case, because there is no specific rule that applies to `cp` and `/tmp`, the new file has the type of the parent directory:

```
cp bar /tmp
ls -Z /tmp/bar
-rw-rw-r--  auser auser user_u:object_r:tmp_t /tmp/bar
```
The type `tmp_t` is the default type for temporary files.
Use the `-Z` option to specify the label for the new file:

```
cp -Z user_u:object_r:user_home_t foo /tmp
ls -Z /tmp/foo
-rw-rw-r--  auser auser user_u:object_r:user_home_t /tmp/foo
```
Moving Files: SELinux Options for mv
Moving files with `mv` retains the original type associated with the file. Care should be taken using this command as it can cause problems. For example, if you move files with the type `user_home_t` into `~/public_html`, then the `httpd` daemon is not able to serve those files until you relabel them. Refer to Section 45.1.3, “Relabeling a File or Directory” for more information about file labeling.

Command | Behavior |
---|---|
`mv` | The file retains its original label. This may cause problems, confusion, or minor insecurity. For example, the `tmpwatch` program running in the `sbin_t` domain might not be allowed to delete an aged file in the `/tmp` directory because of the file's type. |
`cp` | Makes a copy of the file using the default behavior based on the domain of the creating process (`cp`) and the type of the target directory. |
`cp -p` | Makes a copy of the file, preserving the specified attributes and security contexts, if possible. The default attributes are mode, ownership, and timestamps. Additional attributes are links and all. |
`cp -Z` | Makes a copy of the file with the specified labels. The `-Z` option is synonymous with `--context`. |
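Because `mv` keeps the old label, the practical check after moving files into a directory like `~/public_html` or `/tmp` is to list the directory with `ls -Z` and look for any file whose type is not the one the directory is supposed to carry. The following shell snippet is an added example, not part of the original guide: it reads `ls -Z` lines (in the mode/user/group/context/name layout shown above) and prints the names whose type component differs from an expected type. The sample listing is constructed, and `httpd_sys_content_t` as the type `httpd` serves from `~/public_html` is an assumption of the example; the guide itself names only `user_home_t` and `tmp_t`.

```shell
#!/bin/sh
# Added example, not from the original guide: find files whose SELinux type
# does not match the type a directory is expected to carry, using the
# "ls -Z" listing format (mode user group context name). The context is the
# next-to-last field and the file name is the last field.
# Live use: ls -Z ~/public_html | find_mislabeled httpd_sys_content_t
# (httpd_sys_content_t as the type httpd serves is an assumption here.)

# Read ls -Z lines on stdin; print the names whose type (third colon-separated
# component of the context) is not $1. File names containing spaces are not
# handled; lines without a context field (e.g. "total 8") are skipped.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 2 && $(NF-1) ~ /:.*:/ {
            split($(NF-1), ctx, ":")
            if (ctx[3] != want) print $NF
        }'
}

# Constructed sample listing: report.html was moved (not copied) into
# ~/public_html and therefore kept its user_home_t label.
SAMPLE_PUBLIC_HTML='-rw-rw-r--  auser auser user_u:object_r:httpd_sys_content_t index.html
-rw-rw-r--  auser auser user_u:object_r:user_home_t report.html
-rw-rw-r--  auser auser user_u:object_r:httpd_sys_content_t style.css'

# Convenience wrapper: number of mislabeled entries in a listing string.
count_mislabeled() {
    printf '%s\n' "$2" | find_mislabeled "$1" | wc -l | tr -d ' '
}

# Stand-alone run: prints "report.html" for the constructed sample.
printf '%s\n' "$SAMPLE_PUBLIC_HTML" | find_mislabeled httpd_sys_content_t
```

The same function with `tmp_t` as the expected type, run over `ls -Z /tmp`, surfaces the case from the table above where a file moved into `/tmp` keeps a type that `tmpwatch` may not be allowed to delete. Whatever it reports is fixed by relabeling, as described in the section on relabeling a file or directory, rather than by moving the file again.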