Product SiteDocumentation Site

4.10. Maintaining SELinux Labels

These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preserve contexts when copying and archiving.

4.10.1. Copying Files and Directories

When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context unless options were used to preserve the original context. For example, files created in user home directories are labeled with the user_home_t type:
~]$ touch file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
If such a file is copied to another directory, such as /etc/, the new file is created in accordance to default-labeling rules for /etc/. Copying a file without additional options may not preserve the original context:
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
~]# cp file1 /etc/
~]$ ls -Z /etc/file1 
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
When file1 is copied to /etc/, if /etc/file1 does not exist, /etc/file1 is created as a new file. As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance to default-labeling rules.
When a file is copied over an existing file, the existing file's context is preserved, unless the user specified cp options to preserve the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies.
Procedure 4.11. Copying Without Preserving SELinux Contexts
This procedure shows that when copying a file with the cp command, if no options are given, the type is inherited from the targeted, parent directory.
  1. Create a file in a user's home directory. The file is labeled with the user_home_t type:
    ~]$ touch file1
    ~]$ ls -Z file1
    -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
    
  2. The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command:
    ~]$ ls -dZ /var/www/html/
    drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
    
  3. When file1 is copied to /var/www/html/, it inherits the httpd_sys_content_t type:
    ~]# cp file1 /var/www/html/
    ~]$ ls -Z /var/www/html/file1
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
    
Procedure 4.12. Preserving SELinux Contexts When Copying
This procedure shows how to use the --preserve=context option to preserve contexts when copying.
  1. Create a file in a user's home directory. The file is labeled with the user_home_t type:
    ~]$ touch file1
    ~]$ ls -Z file1
    -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
    
  2. The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command:
    ~]$ ls -dZ /var/www/html/
    drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
    
  3. Using the --preserve=context option preserves SELinux contexts during copy operations. As shown below, the user_home_t type of file1 was preserved when the file was copied to /var/www/html/:
    ~]# cp --preserve=context file1 /var/www/html/
    ~]$ ls -Z /var/www/html/file1
    -rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
    
Procedure 4.13. Copying and Changing the Context
This procedure show how to use the --context option to change the destination copy's context. The following example is performed in the user's home directory:
  1. Create a file in a user's home directory. The file is labeled with the user_home_t type:
    ~]$ touch file1
    ~]$ ls -Z file1
    -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
    
  2. Use the --context option to define the SELinux context:
    ~]$ cp --context=system_u:object_r:samba_share_t:s0 file1 file2
  3. Without --context, file2 would be labeled with the unconfined_u:object_r:user_home_t context:
    ~]$ ls -Z file1 file2
    -rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
    -rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2
    
Procedure 4.14. Copying a File Over an Existing File
This procedure shows that when a file is copied over an existing file, the existing file's context is preserved unless an option is used to preserve contexts.
  1. As root, create a new file, file1 in the /etc/ directory. As shown below, the file is labeled with the etc_t type:
    ~]# touch /etc/file1
    ~]$ ls -Z /etc/file1
    -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
    
  2. Create another file, file2, in the /tmp/ directory. As shown below, the file is labeled with the user_tmp_t type:
    ~]$ touch /tmp/file2
    ~$ ls -Z /tmp/file2
    -rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
    
  3. Overwrite file1 with file2:
    ~]# cp /tmp/file2 /etc/file1
  4. After copying, the following command shows file1 labeled with the etc_t type, not the user_tmp_t type from /tmp/file2 that replaced /etc/file1:
    ~]$ ls -Z /etc/file1
    -rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
    

Important

Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.