10.4.9. Maintaining SELinux Labels

⁠10.4.9. Maintaining SELinux Labels

These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preserve contexts when copying and archiving.

⁠10.4.9.1. Copying Files and Directories

When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context (unless options were used to preserve the original context). For example, files created in user home directories are labeled with the user_home_t type:

~]$ touch file1

~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

If such a file is copied to another directory, such as /etc/, the new file is created in accordance to default-labeling rules for /etc/. Copying a file (without additional options) may not preserve the original context:

~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

~]# cp file1 /etc/

~]$ ls -Z /etc/file1 
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

When file1 is copied to /etc/, if /etc/file1 does not exist, /etc/file1 is created as a new file. As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance to default-labeling rules.

When a file is copied over an existing file, the existing file's context is preserved, unless the user specified cp options to preserve the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies.

⁠

Procedure 10.16. Copying Without Preserving SELinux Contexts

This procedure shows that when copying a file with the cp command, if no options are given, the type is inherited from the targeted, parent directory.

Create a file in a user's home directory. The file is labeled with the user_home_t type:

~]$ touch file1

~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command:

~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

When file1 is copied to /var/www/html/, it inherits the httpd_sys_content_t type:

~]# cp file1 /var/www/html/

~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

⁠

Procedure 10.17. Preserving SELinux Contexts When Copying

This procedure shows how to use the --preserve=context option to preserve contexts when copying.

Create a file in a user's home directory. The file is labeled with the user_home_t type:

~]$ touch file1

~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command:

~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Using the --preserve=context option preserves SELinux contexts during copy operations. As shown below, the user_home_t type of file1 was preserved when the file was copied to /var/www/html/:
```
~]# cp --preserve=context file1 /var/www/html/
```
```
~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
```

⁠

Procedure 10.18. Copying and Changing the Context

This procedure show how to use the --context option to change the destination copy's context. The following example is performed in the user's home directory:

Create a file in a user's home directory. The file is labeled with the user_home_t type:

~]$ touch file1

~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

Use the --context option to define the SELinux context:

~]$ cp --context=system_u:object_r:samba_share_t:s0 file1 file2

Without --context, file2 would be labeled with the unconfined_u:object_r:user_home_t context:

~]$ ls -Z file1 file2
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2

⁠

Procedure 10.19. Copying a File Over an Existing File

This procedure shows that when a file is copied over an existing file, the existing file's context is preserved (unless an option is used to preserve contexts).

As root, create a new file, file1 in the /etc/ directory. As shown below, the file is labeled with the etc_t type:

~]# touch /etc/file1

~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

Create another file, file2, in the /tmp/ directory. As shown below, the file is labeled with the user_tmp_t type:

~]$ touch /tmp/file2

~$ ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2

Overwrite file1 with file2:
```
~]# cp /tmp/file2 /etc/file1
```
After copying, the following command shows file1 labeled with the etc_t type, not the user_tmp_t type from /tmp/file2 that replaced /etc/file1:
```
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
```

Important

Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.