Bug 167613 - warning: security context not preserved
warning: security context not preserved
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: coreutils (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-06 06:08 EDT by Ralf Corsepius
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 5.2.1-49
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-07 07:19:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace mv /users/columbo/xyz /tmp/xyz 2> pr167613.strace (7.45 KB, text/plain)
2005-09-06 07:42 EDT, Ralf Corsepius
no flags Details

  None (edit)
Description Ralf Corsepius 2005-09-06 06:08:08 EDT
Description of problem:
mv issues a "warning: security context not preserved ... Operation not supported"
warning, when moving files from an nfs mounted directory to a local file system.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-48.1
kernel-2.6.12-1.1447_FC4
selinux-policy-targeted-1.25.4-10

How reproducible:
Always.

Steps to Reproduce:
Try to move a file from an nfs-mounted directory to a local directory.
 
Actual results:
mv /users/columbo/xyz .

mv: warning: security context not preserved `/users/columbo/xyz': Operation not
supported

Expected results:
Warning free function.

Additional info:
Both machines involved are running FC4 with all current updates and
selinux-policy-targeted enabled.
Comment 1 Tim Waugh 2005-09-06 06:33:49 EDT
Please show the output of 'strace mv /users/columbo/xyz .'.
Comment 2 Ralf Corsepius 2005-09-06 07:42:01 EDT
Created attachment 118494 [details]
strace mv /users/columbo/xyz /tmp/xyz 2> pr167613.strace

In this case, /users/columbo is nfs-mounted on a remote machine, /tmp/xyz is
local.

On the remote machine:
# ls -lZ xyz
-rw-r--r--  columbo  users    user_u:object_r:user_home_t      xyz

On the local machine:
# ls -lZ /users/columbo/xyz
-rw-r--r--  columbo  users				      
/users/columbo/xyz

After the move, on the local machine:
# ls -lZ /tmp/xyz
-rw-r--r--  columbo  users    user_u:object_r:tmp_t	       /tmp/xyz
Comment 3 Tim Waugh 2005-09-06 07:57:30 EDT
The warning is correct.  NFS doesn't support that.
Comment 4 Ralf Corsepius 2005-09-06 08:06:40 EDT
(In reply to comment #3)
> The warning is correct.  NFS doesn't support that.
Well, advertising SELinux as "server enhancement" and then not supporting NFS
mounts disqualifies SELinux from being "ready for production server use", IMO.
Comment 5 Tim Waugh 2005-09-06 08:43:29 EDT
The warning is just saying that the file context on the NFS server (if there is
one) cannot be copied onto the local file.

This is not an SELinux limitation but an NFS limitation, as I understand it.
Comment 6 Ralf Corsepius 2005-09-06 12:03:03 EDT
(In reply to comment #5)
> This is not an SELinux limitation but an NFS limitation, as I understand it.
It actually doesn't matter who's to blame.

The question is: Has this warning to be taken seriously and does this warning
indicate any real functional problems?

If not, this warning must be removed, because it interferes with user expectations.

If yes, this means SELinux is not ready for production use, because it's design
does not harmonize with NFS. As NFS is one of the most important feature of *nix
systems, I feel justified in naming SELinux "Broken design".
Comment 7 Tim Waugh 2005-09-06 12:04:52 EDT
Dan, what do you think?  Should we warn in this instance?
Comment 8 Daniel Walsh 2005-09-06 17:15:00 EDT
In rawhide we have this comment :^)  So I guess we can say it is an
SELinux/coreutils bug.

revision 1.14
date: 2005/05/31 20:52:29;  author: dwalsh;  state: Exp;  lines: +31 -33
* Tue May 31 2005 Dan Walsh <dwalsh@redhat.com> 5.2.1-49
- Eliminate bogus "can not preserve context" message when moving files.
----------------------------

Note You need to log in before you can comment on or make changes to this bug.