Bug 473384
| Summary: | Instructions to 'cp -a' generate an SELinux error | ||
|---|---|---|---|
| Product: | [Retired] Fedora Documentation | Reporter: | Karsten Wade <kwade> |
| Component: | install-guide | Assignee: | Paul W. Frields <stickster> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Paul W. Frields <stickster> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | devel | CC: | david, galder.zamarreno, kwade |
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://docs.fedoraproject.org/install-guide/f10/en_US/sn-installing-from-harddrive.html | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2009-03-27 13:30:04 UTC | Type: | --- |

*** Bug 478536 has been marked as a duplicate of this bug. ***

Updated - changed to cp -pr from cp -a

cp -P doesn't seem to be what was intended - from the cp man page:

    -P, --no-dereference
        never follow symbolic links in SOURCE

while -p:

    -p  same as --preserve=mode,ownership,timestamps

commit 7eb01bf617a4d9a901b0c857544a5e2d46d44490
Author: David Nalley <david>
Date: Fri Mar 27 09:24:11 2009 -0400

    fixing cp command arguments (from -a to -pr) to prevent selinux error for hard disk installation. reported in bug 478536 and 473384

Chapter 6.2 Installation from a Hard Drive includes this instruction to copy the images/ directory to a local folder from the image:

    mount -t iso9660 /path/to/Fedora10.iso /mnt/point -o loop
    cp -a /mnt/point/images /path/images/
    umount /mnt/point

SELinux throws this error, recommending 'cp -P' instead of 'cp -a'. When using 'cp -P', the directory recursion doesn't work; only 'cp -Pr' seems to work.

Summary:

SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem.

Detailed Description:

SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

    Source Context       system_u:object_r:iso9660_t
    Target Context       system_u:object_r:fs_t
    Target Objects       images [ filesystem ]
    Source               cp
    Source Path          /bin/cp
    Port                 <Unknown>
    Host                 calliope.phig.org
    Source RPM Packages  coreutils-6.9-19.fc8
    Target RPM Packages
    Policy RPM           selinux-policy-3.0.8-123.fc8
    Selinux Enabled      True
    Policy Type          targeted
    MLS Enabled          True
    Enforcing Mode       Enforcing
    Plugin Name          filesystem_associate
    Host Name            calliope.phig.org
    Platform             Linux calliope.phig.org 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
    Alert Count          1
    First Seen           Thu 27 Nov 2008 11:30:01 PM PST
    Last Seen            Thu 27 Nov 2008 11:30:01 PM PST
    Local ID             08d5a096-af9f-46d5-818d-6b1a271637a3
    Line Numbers

Raw Audit Messages

    host=calliope.phig.org type=AVC msg=audit(1227857401.981:2933): avc: denied { associate } for pid=1520 comm="cp" name="images" scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

    host=calliope.phig.org type=SYSCALL msg=audit(1227857401.981:2933): arch=40000003 syscall=39 success=no exit=-13 a0=bfcd5a5d a1=1c0 a2=8058394 a3=38c0 items=0 ppid=15176 pid=1520 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
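
The denial reported above has a recognisable shape in the audit log: an `associate` denial on `tclass=filesystem`, where `scontext` is the label the new file would carry and `tcontext` is the label of the destination filesystem. The following is an added example, not part of the bug report or of any Fedora tool, that parses AVC records and flags that pattern. The function names are hypothetical, the first two sample records come from the report (the SYSCALL record is shortened) and the third is constructed.

```python
import re
import shlex

# Records 1-2 come from the report (SYSCALL record shortened); record 3 is a
# constructed, unrelated denial that must not be flagged.
SAMPLE = [
    'host=calliope.phig.org type=AVC msg=audit(1227857401.981:2933): avc: denied { associate } '
    'for pid=1520 comm="cp" name="images" scontext=system_u:object_r:iso9660_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'host=calliope.phig.org type=SYSCALL msg=audit(1227857401.981:2933): arch=40000003 '
    'syscall=39 success=no exit=-13 comm="cp" exe="/bin/cp"',
    'type=AVC msg=audit(1227857500.100:2940): avc: denied { read } for pid=1601 comm="cat" '
    'name="notes.txt" scontext=unconfined_u:system_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # shlex strips the quotes around values such as comm="cp"
    rec = dict(tok.split("=", 1) for tok in shlex.split(m.group(3)) if "=" in tok)
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec

def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def find_label_carryover(lines):
    """Flag denials where a file label was refused by the destination filesystem."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec.get("tclass") == "filesystem" and "associate" in rec["perms"]:
            findings.append({
                "comm": rec.get("comm"),
                "name": rec.get("name"),
                "file_type": selinux_type(rec["scontext"]),  # label being applied
                "fs_type": selinux_type(rec["tcontext"]),    # label of the filesystem
            })
    return findings

if __name__ == "__main__":
    for f in find_label_carryover(SAMPLE):
        print("{comm}: '{name}' refused as {file_type} on a {fs_type} filesystem".format(**f))
```
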