5.9. Maintaining SELinux Labels
These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. They also explain how to preserve contexts when copying and archiving.
5.9.1. Copying Files and Directories
When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context (unless options were used to preserve the original context). For example, files created in user home directories are labeled with the user_home_t type:
~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
If such a file is copied to another directory, such as /etc/, the new file is created in accordance with the default-labeling rules for the /etc/ directory. Copying a file (without additional options) may not preserve the original context:
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
~]# cp file1 /etc/
~]$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
When file1 is copied to /etc/, and /etc/file1 does not already exist, /etc/file1 is created as a new file. As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance with default-labeling rules.
When a file is copied over an existing file, the existing file's context is preserved, unless the user specified cp options to preserve the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies.
Copying Without Preserving SELinux Contexts
When copying a file with the cp command, if no options are given, the type is inherited from the targeted parent directory:
~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
~]$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
~]# cp file1 /var/www/html/
~]$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
In this example, file1 is created in a user's home directory and is labeled with the user_home_t type. The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the ls -dZ /var/www/html/ command. When file1 is copied to /var/www/html/, it inherits the httpd_sys_content_t type, as shown with the ls -Z /var/www/html/file1 command.
Preserving SELinux Contexts When Copying
Use the cp --preserve=context command to preserve contexts when copying:
~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
~]$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
~]# cp --preserve=context file1 /var/www/html/
~]$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
In this example, file1 is created in a user's home directory and is labeled with the user_home_t type. The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the ls -dZ /var/www/html/ command. Using the --preserve=context option preserves SELinux contexts during copy operations. As shown with the ls -Z /var/www/html/file1 command, the user_home_t type of file1 was preserved when the file was copied to /var/www/html/.
Copying and Changing the Context
Use the cp -Z command to change the destination copy's context. The following example was performed in the user's home directory:
~]$ touch file1
~]$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
~]$ ls -Z file1 file2
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2
~]$ rm file1 file2
In this example, the context is defined with the -Z option. Without the -Z option, file2 would be labeled with the unconfined_u:object_r:user_home_t context.
Copying a File Over an Existing File
When a file is copied over an existing file, the existing file's context is preserved (unless an option is used to preserve contexts). For example:
~]# touch /etc/file1
~]# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
~]# touch /tmp/file2
~]# ls -Z /tmp/file2
-rw-r--r-- root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
~]# cp /tmp/file2 /etc/file1
~]# ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
In this example, two files are created: /etc/file1, labeled with the etc_t type, and /tmp/file2, labeled with the user_tmp_t type. The cp /tmp/file2 /etc/file1 command overwrites file1 with file2. After copying, the ls -Z /etc/file1 command shows file1 labeled with the etc_t type, not the user_tmp_t type from /tmp/file2 that replaced /etc/file1.
Important
Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.
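The --preserve=context example above leaves a user_home_t file under /var/www/html/, which is exactly the kind of mismatch the note warns about. The following script is an added example (not part of this guide) that finds such files by comparing the type component of each file's actual context (from ls -Z, in the format shown on this page) with the policy default reported by matchpathcon; the comparison itself runs on captured output, and audit_dir is a wrapper for a live SELinux system.

```shell
#!/bin/sh
# Added example: report files whose SELinux type differs from the policy
# default, e.g. after `cp --preserve=context` or `mv` into a directory
# with different default-labeling rules.
#
# find_mislabeled ACTUAL EXPECTED
#   ACTUAL   - `ls -Z` output; the context and path are the last two fields,
#              which covers both the 5-field format shown in this guide and
#              the 2-field format of newer coreutils
#   EXPECTED - `matchpathcon` output: "<path><TAB><default context>"
# Prints "<path> actual=<type> expected=<type>" for every mismatch.
# Only the type (third field of user:role:type:level) is compared, since
# the SELinux user (unconfined_u vs system_u) differs legitimately.
find_mislabeled() {
    awk '
        # first input: matchpathcon lines -> expected[path] = context
        NR == FNR { expected[$1] = $2; next }
        # second input: ls -Z lines
        {
            path = $NF; ctx = $(NF - 1)
            if (!(path in expected)) next      # no default known, skip
            split(ctx, a, ":"); split(expected[path], e, ":")
            if (a[3] != e[3])
                printf "%s actual=%s expected=%s\n", path, a[3], e[3]
        }' "$2" "$1"
}

# audit_dir DIR: live check on an SELinux host (needs ls -Z and matchpathcon).
# Returns 1 and lists offenders if any file in DIR is mislabeled; the usual
# remedy is `restorecon -v DIR/*`, which resets files to the policy default.
audit_dir() {
    dir=$1
    act=$(mktemp); exp=$(mktemp)
    ls -Z "$dir"/* > "$act"
    matchpathcon "$dir"/* > "$exp"
    out=$(find_mislabeled "$act" "$exp")
    rm -f "$act" "$exp"
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Usage as a script: sh audit.sh /var/www/html
if [ -n "${1-}" ]; then audit_dir "$1"; fi
```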