Bug 473384 - Instructions to 'cp -a' generate an SELinux error
Status: CLOSED NEXTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: install-guide
Version: devel
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Paul W. Frields
URL: http://docs.fedoraproject.org/install...
Duplicates: 478536

Reported: 2008-11-28 02:56 EST by Karsten Wade
Modified: 2009-03-27 09:30 EDT

Doc Type: Bug Fix
Last Closed: 2009-03-27 09:30:04 EDT

Description Karsten Wade 2008-11-28 02:56:51 EST
Chapter 6.2 Installation from a Hard Drive includes this instruction to copy the images/ directory to a local folder from the image:

	mount -t iso9660 /path/to/Fedora10.iso /mnt/point -o loop
	cp -a /mnt/point/images /path/images/
	umount /mnt/point

SELinux throws this error, recommending 'cp -P' instead of 'cp -a'.
When using 'cp -P', the directory recursion doesn't work; only 'cp
-Pr' seems to work.


Summary:

SELinux is preventing cp from creating a file with a context of iso9660_t on a
filesystem.

Detailed Description:

SELinux is preventing cp from creating a file with a context of iso9660_t on a
filesystem. Usually this happens when you ask the cp command to maintain the
context of a file when copying between file systems, "cp -a" for example. Not
all file contexts should be maintained between the file systems. For example, a
read-only file type like iso9660_t should not be placed on a r/w system. "cp -P"
might be a better solution, as this will adopt the default file context for the
destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                system_u:object_r:iso9660_t
Target Context                system_u:object_r:fs_t
Target Objects                images [ filesystem ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          calliope.phig.org
Source RPM Packages           coreutils-6.9-19.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-123.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     calliope.phig.org
Platform                      Linux calliope.phig.org 2.6.23.9-85.fc8 #1 SMP Fri
                              Dec 7 15:49:59 EST 2007 i686 i686
Alert Count                   1
First Seen                    Thu 27 Nov 2008 11:30:01 PM PST
Last Seen                     Thu 27 Nov 2008 11:30:01 PM PST
Local ID                      08d5a096-af9f-46d5-818d-6b1a271637a3
Line Numbers                  

Raw Audit Messages            

host=calliope.phig.org type=AVC msg=audit(1227857401.981:2933): avc:  denied  { associate } for  pid=1520 comm="cp" name="images" scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=calliope.phig.org type=SYSCALL msg=audit(1227857401.981:2933): arch=40000003 syscall=39 success=no exit=-13 a0=bfcd5a5d a1=1c0 a2=8058394 a3=38c0 items=0 ppid=15176 pid=1520 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 David Nalley 2009-03-27 09:21:08 EDT
*** Bug 478536 has been marked as a duplicate of this bug. ***
Comment 2 David Nalley 2009-03-27 09:30:04 EDT
Updated - changed to cp -pr from cp -a 
cp -P doesn't seem to be what was intended - from the cp man page: 
       -P, --no-dereference
              never follow symbolic links in SOURCE


while -p:
       -p     same as --preserve=mode,ownership,timestamps

commit 7eb01bf617a4d9a901b0c857544a5e2d46d44490
Author: David Nalley <david@gnsa.us>
Date:   Fri Mar 27 09:24:11 2009 -0400

    fixing cp command arguments (from -a to -pr) to prevent selinux error for hard disk installation. reported in bug 478536 and 473384
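
Added example (not part of the original report or of any Fedora tooling): a small Python parser that joins the AVC and SYSCALL records from the raw audit messages above by their shared audit event ID and flags `associate` denials against a `filesystem` target, which is what a copy that tries to carry the source label onto the destination produces. The function names are assumptions of this example; the two sample records are copied from the report.

```python
import re

# The two raw audit records quoted in the report above.
SAMPLE = '''host=calliope.phig.org type=AVC msg=audit(1227857401.981:2933): avc:  denied  { associate } for  pid=1520 comm="cp" name="images" scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=calliope.phig.org type=SYSCALL msg=audit(1227857401.981:2933): arch=40000003 syscall=39 success=no exit=-13 a0=bfcd5a5d a1=1c0 a2=8058394 a3=38c0 items=0 ppid=15176 pid=1520 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_events(text):
    """Group records by (timestamp, serial) so an AVC is joined with its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def label_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def find_label_preserving_copies(events):
    """Flag denials where a file label could not be associated with the target filesystem."""
    hits = []
    for key, recs in events.items():
        avc = recs.get("AVC")
        if not avc or avc.get("tclass") != "filesystem" or "associate" not in avc["perms"]:
            continue
        sc = recs.get("SYSCALL", {})  # may be absent if only the AVC was logged
        hits.append({"event": key, "exe": sc.get("exe", avc.get("comm")),
                     "label": label_type(avc["scontext"]),
                     "fs": label_type(avc["tcontext"]), "exit": sc.get("exit")})
    return hits

if __name__ == "__main__":
    for hit in find_label_preserving_copies(parse_events(SAMPLE)):
        print(hit)
```
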
