Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> David P. Quigley wrote:
...
>> I think the main question here is should archive try to retain the
>> SELinux context. From what I've heard from people here, initially the
>> idea was to try to preserve the context and if that failed fall back to
>> labeling based on the parent. That doesn't seem to be what cp is trying
>> to do. If we removed the retain the context part from the archive switch
>> of cp you would get labeling based on the parent but then you would be
>> required to explicitly specify preserve the context when you wanted to
>> archive that as well.
>>
>> It doesn't seem like anyone is actually depending on the associate
>> permission so it might be worth someone looking into removing it if no
>> one is really using it. It has its applications but I don't believe Red
>> Hat is using it at this time.
>>
>> Dave
>
> That is fine with me but I would like to get the opinion of upstream
> coreutils.
>
> Jim what do you think?

Hi Dan,

Since I merged SELinux support into upstream coreutils,
(for coreutils-6.9.91, released 2007-12-15; latest is coreutils-7.0,
http://article.gmane.org/gmane.comp.gnu.core-utils.announce/47 )
its cp -a has *not* attempted to preserve SELinux context.
There was some debate about changing that, since cp -a has always been
equivalent to "cp -dpR", and some were reluctant to change that.

To get SELinux-context-preserving behavior, you currently have two options:

  use --preserve=context to require that cp preserve each file's context.
    Failure to do so makes cp end up exiting nonzero.

  use --preserve=all to make cp _attempt_ to preserve context.
    Failure gets a diagnostic, but does not evoke nonzero exit status.

Just yesterday, Ondřej Vašík proposed a patch to change cp -a from being
equivalent to "cp -dpR" to being equivalent to "cp -dR --preserve=all",
which would be in line with this year-old description from NEWS:

  * "cp -a" works with SELinux: Now, cp -a attempts to preserve context,
    but failure to do so does not change cp's exit status.
    However "cp --preserve=context" is similar, but failure *does*
    cause cp to exit with nonzero status.

I'll have to run some tests before deciding on this, to see if such a
change would result in many new diagnostics about failure to preserve
context.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list