Bug 440056

Summary: cp preserve security context documentation inconsistencies
Product: [Fedora] Fedora
Component: coreutils
Version: 8
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Petr Šplíchal <psplicha>
Assignee: Ondrej Vasik <ovasik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ohudlick, twaugh
Fixed In Version: coreutils-6.9-18.fc8
Doc Type: Bug Fix
Last Closed: 2008-08-19 11:51:18 UTC

Description Petr Šplíchal 2008-04-01 15:17:28 UTC
Description of problem:

There are several inconsistencies between the documentation and the behavior of
the cp command regarding security context preservation.

Version-Release number of selected component (if applicable):
coreutils-6.9-17.fc8

cp-ing /etc/shadow with the respective options gives these results:

system_u:object_r:unconfined_tmp_t:s0 /tmp/shadow-dpPR
system_u:object_r:unconfined_tmp_t:s0 /tmp/shadow-p
system_u:object_r:unconfined_tmp_t:s0 /tmp/shadow--preserve 
system_u:object_r:shadow_t:s0    /tmp/shadow--preserve=all
system_u:object_r:shadow_t:s0    /tmp/shadow--preserve=context
system_u:object_r:shadow_t:s0    /tmp/shadow-a

The man page and --help say option -a is the same as -dpPR,
but it preserves security context too (should there be -cdpPR?)

man page --preserve option description says:

   preserve  the  specified  attributes  (default:  mode,ownership,timestamps)
   AND security contexts, if possible additional attributes: links, all

which sounds like security contexts are preserved too (but they are not).
Moreover, the "if possible attributes" condition is somewhat confusing... and the
context attribute is not mentioned at all --- I suggest using something like this:

   preserve  the  specified  attributes and security contexts, if possible
   (default: mode,ownership,timestamps)
   additional attributes: context, links, all
   
option -c is missing in the man page completely...
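
As an added example (not part of the original report and not coreutils code), the shell script below audits a listing like the one in the description and reports which copies kept the source's SELinux type. The function names are hypothetical, and the input is assumed to be "context path" lines as shown in the report.

```shell
#!/bin/sh
# Added example: report which copies kept the source's SELinux type.
# Input lines are "<context> <path>", the shape of the listing in the report.

# Listing copied from the report (source file: /etc/shadow, type shadow_t).
report_listing() {
cat <<'EOF'
system_u:object_r:unconfined_tmp_t:s0 /tmp/shadow-dpPR
system_u:object_r:unconfined_tmp_t:s0 /tmp/shadow-p
system_u:object_r:unconfined_tmp_t:s0 /tmp/shadow--preserve
system_u:object_r:shadow_t:s0    /tmp/shadow--preserve=all
system_u:object_r:shadow_t:s0    /tmp/shadow--preserve=context
system_u:object_r:shadow_t:s0    /tmp/shadow-a
EOF
}

# context_type CONTEXT: print the type field of user:role:type[:level].
# The level may contain colons itself (s0:c0.c1023), so always take field 3.
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print ((NF >= 3) ? $3 : "none") }'
}

# audit_copies WANT_TYPE: read the listing on stdin and print one
# tab-separated line per file: status (kept|dropped), path, actual type.
audit_copies() {
    awk -v want="$1" '
        NF >= 2 {
            n = split($1, f, ":")
            type = (n >= 3) ? f[3] : "none"          # "?" or similar: no label
            status = (type == want) ? "kept" : "dropped"
            path = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)    # drop the context column
            sub(/[ \t]+$/, "", path)                 # and trailing whitespace
            printf "%s\t%s\t%s\n", status, path, type
        }'
}

# dropped_paths WANT_TYPE: only the paths whose type differs from WANT_TYPE.
dropped_paths() {
    audit_copies "$1" | awk -F'\t' '$1 == "dropped" { print $2 }'
}

report_listing | audit_copies shadow_t
```

On an SELinux host, the output of `stat -c '%C %n' /tmp/shadow-*` has the same two-column shape and can be piped into `audit_copies` in place of the embedded listing.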

Comment 1 Ondrej Vasik 2008-04-01 19:13:05 UTC
Thanks for the report, Petr.
This could easily be a duplicate of #197064, as there are more things to complete in
the SELinux documentation of coreutils. But it is more specific, so I will keep it
open until it gets fixed (hopefully in the next rawhide coreutils build).

Comment 2 Ondrej Vasik 2008-04-07 20:37:44 UTC
Most things are fixed in rawhide coreutils-6.10-18.fc9; unfortunately, such
changes cause trouble with translations. Therefore the part with --preserve
was not used yet. I will propose some changes to upstream later, so it could be
fixed by the documentation project afterwards.

Comment 3 Ondrej Vasik 2008-04-10 06:04:10 UTC
And additionally, there is a bit of a difference between --preserve=context, -c,
--preserve=all - those try to store the security context - and when that is not
possible, it will cause a failure (you could check this easily on an NFS
mount, which can't store contexts). Option -a will not cause the failure if
storing the context is not possible. Anyway, this is undocumented (and intentional)
behaviour, so I think the addition of -c to the -a set in the documentation is OK. In the
version for upstream it would be better to mention it.

Comment 4 Fedora Update System 2008-08-12 18:23:30 UTC
coreutils-6.9-18.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Ondrej Vasik 2008-08-19 11:51:18 UTC
Closing CURRENTRELEASE ... it looks like the automatic closing bot is too lazy to do that. Fixed in coreutils-6.9-18.fc8.