[Bug 203433] Re: "cp" command doesn't preserve selinux context
Thank you, hoban/tgelter. Closing, then, as Fix Released.

** Changed in: coreutils (Ubuntu)
       Status: Triaged => Fix Released

--
"cp" command doesn't preserve selinux context
https://bugs.launchpad.net/bugs/203433
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 203433] Re: "cp" command doesn't preserve selinux context
Hey. I had forgotten all about this bug. :) Yep, it's fixed now, thanks!
[Bug 203433] Re: "cp" command doesn't preserve selinux context
Hello tgelter, Could you please check if this is resolved on Karmic?
[Bug 203433] Re: "cp" command doesn't preserve selinux context
Thank you for opening this bug and helping make Ubuntu better. A patch has just been proposed upstream and, if accepted, it should be added to coreutils-7.0 (and make it to Intrepid+1).

The just-proposed patch was presented with this text:

--
Subject: [PATCH]: cp '-a' should try to preserve SELinux context, SELinux context cp documentation adjustments

Hello,
as documented in NEWS and as written in test cp-a-selinux, cp -a should try to preserve selinux context, if possible. The activation boolean preserve_security_context was missing in this branch. Also cp -a is not really equivalent to -dpR, but to -dR --preserve-all, as it tries (or at least it should try) SELinux context. Following changes were done to make documentation more precise and preserve=context and preserve=all behaviour after failure SELinux context preserving is documented by that patch as well.

Greetings,
Ondřej Vašík
--

** Changed in: coreutils (Ubuntu)
   Importance: Undecided => Low
       Status: New => Triaged
[Bug 203433] Re: "cp" command doesn't preserve selinux context
I hadn't actually tested the -p or the --preserve=context. Here's why (this done on RHEL 5.1):

[EMAIL PROTECTED] tmp]# ls -Z /etc/shadow
-r root root system_u:object_r:shadow_t /etc/shadow
[EMAIL PROTECTED] tmp]# cp -p /etc/shadow .
[EMAIL PROTECTED] tmp]# ls -Z shadow
-r root root user_u:object_r:tmp_t shadow
[EMAIL PROTECTED] tmp]# cp -a /etc/shadow .
cp: overwrite `./shadow'? y
[EMAIL PROTECTED] tmp]# ls -Z shadow
-r root root system_u:object_r:shadow_t shadow
[Bug 203433] Re: "cp" command doesn't preserve selinux context
[EMAIL PROTECTED]:/tmp# ls -Z /etc/shadow
system_u:object_r:shadow_t /etc/shadow
[EMAIL PROTECTED]:/tmp# cp --preserve=all /etc/shadow .
[EMAIL PROTECTED]:/tmp# ls -Z shadow
system_u:object_r:shadow_t shadow

According to the man page for cp, -a is the same as -dpR, which turns out to mean:

--no-dereference --preserve=links
--preserve=mode,ownership,timestamps
--recursive

Which doesn't include --preserve=context.

It is my feeling that it should be included in the -p option. The reasoning being that the context is analogous to mode and ownership, which -p normally preserves.
[Bug 203433] Re: "cp" command doesn't preserve selinux context
** Description changed:

Binary package hint: coreutils

Attempting to demonstrate the power of selinux I tried the following demo (works in RHEL):

[EMAIL PROTECTED]:/var/www# ls -lZ /etc/shadow
-rw-r-+ 1 root shadow system_u:object_r:shadow_t 1193 2008-03-17 17:55 /etc/shadow
[EMAIL PROTECTED]:/var/www# cp -a /etc/shadow .
[EMAIL PROTECTED]:/var/www# ls -lZ shadow
-rw-r-+ 1 root shadow unconfined_u:object_r:var_t 1193 2008-03-17 17:55 shadow

As you can observe, while the cp -a (cp -p obviously is no different) preserves ownership and permissions, the selinux context is not preserved. This has been flagged as a potential security risk because, as you can see, selinux becomes quite useless if contexts can't be preserved while copying things around.

Note: the "mv" command preserves the selinux context as expected.

+ More info:
+ [EMAIL PROTECTED]:/var/www# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu hardy (development branch)"

[EMAIL PROTECTED]:/var/www# apt-cache policy coreutils
coreutils:
  Installed: 6.10-3ubuntu1
  Candidate: 6.10-3ubuntu1
  Version table:
 *** 6.10-3ubuntu1 0
        500 http://us.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status
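A check for the behaviour reported in this thread, as an added example that is not part of the bug report or of coreutils: it compares per-file SELinux contexts between a source tree and its copy and flags any label that changed. The listing format, the `context_drift` name and the sample listings are assumptions of the example; the labels in the samples are the ones shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug thread): detect SELinux context drift
# between a source tree and its copy, given one listing per tree.
# Listing format (an assumption of this example): "<context><TAB><path>" per
# line, e.g. produced on an SELinux host with GNU find:
#   (cd "$tree" && find . -printf '%Z\t%p\n')
# Paths containing tabs or newlines are not handled.

# context_drift SRC_LIST DST_LIST
# Prints one line per path whose context differs or that is absent from the
# copy. Returns 1 if anything was reported, 0 otherwise.
context_drift() {
    awk -F '\t' '
        FILENAME == ARGV[1] { src[$2] = $1; next }   # source labels by path
        { seen[$2] = 1 }
        ($2 in src) && src[$2] != $1 {               # same path, different label
            printf "DRIFT %s: %s -> %s\n", $2, src[$2], $1
            bad = 1
        }
        END {
            for (p in src)
                if (!(p in seen)) { printf "MISSING %s\n", p; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample listings: shadow is labelled shadow_t at the source
# but var_t in the copy, as in the report; hosts is unchanged.
src_list=$(mktemp)
dst_list=$(mktemp)
printf 'system_u:object_r:shadow_t\t./shadow\nsystem_u:object_r:etc_t\t./hosts\n' > "$src_list"
printf 'unconfined_u:object_r:var_t\t./shadow\nsystem_u:object_r:etc_t\t./hosts\n' > "$dst_list"

context_drift "$src_list" "$dst_list" || echo "copy did not preserve SELinux contexts"
```
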