mv -Z applies the default SELinux context. Does it differ from all other invocations of mv, and work on all the files in a moved directory individually?

sourcejedi
- 50,249
1 Answer
Yes.
$ mkdir a
$ touch a/b
$ ls -Z -d a a/b
unconfined_u:object_r:user_home_t:s0 a
unconfined_u:object_r:user_home_t:s0 a/b
$ strace -f mv -Z a ~/.local/share/Trash/files
...
open("/home/alan/.local/share/Trash/files/a/b", O_RDONLY|O_NOFOLLOW) = 3
...
fgetxattr(3, "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
fsetxattr(3, "security.selinux", "unconfined_u:object_r:data_home_t:s0", 37, 0) = 0
...
$ cd ~/.local/share/Trash/files
$ ls -Zd a a/b
unconfined_u:object_r:data_home_t:s0 a
unconfined_u:object_r:data_home_t:s0 a/b
This also introduced the possibility that moving a directory within a single filesystem will fail part-way through, i.e. due to lack of disk space when changing the labels. The impact of this is mitigated as the relabel happens as a second step. The initial move operation is still a single atomic rename. This means the labels would be inconsistent, but the files will be consistent in every other way. It should be simple to fix the labels once space becomes available.

sourcejedi
- 50,249
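The answer's last point is that a failed second step leaves a moved tree with mixed labels that must be found and repaired afterwards. The script below is an added example (not from the question or answer, and not part of coreutils) that audits exactly that: it reads the security.selinux xattr of every entry under a directory and reports those whose context differs from the top-level directory's. It assumes a Linux host with xattr support; the sample dictionary mirrors the `a` / `a/b` case from the strace output, with `a` relabelled and `a/b` not yet done.

```python
"""Audit SELinux labels under a directory after a (possibly interrupted) mv -Z.

Added example; not part of the original Q&A. Assumes Linux with xattr support.
"""
import os
import sys
from typing import Dict, List, Optional

SELINUX_XATTR = "security.selinux"


def read_label(path: str) -> Optional[str]:
    """Return the SELinux context stored on `path` (symlinks not followed),
    or None if the attribute is missing or unreadable."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        return None
    # The kernel returns the context NUL-terminated, as seen in the fgetxattr trace.
    return raw.rstrip(b"\x00").decode(errors="replace")


def collect_labels(root: str) -> Dict[str, Optional[str]]:
    """Map every path under `root` (root included) to its SELinux context."""
    labels: Dict[str, Optional[str]] = {root: read_label(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            labels[full] = read_label(full)
    return labels


def find_mismatches(labels: Dict[str, Optional[str]], expected: str) -> List[str]:
    """Return the sorted paths whose context is not `expected`.
    A missing label (None) counts as a mismatch, since it also needs repair."""
    return sorted(path for path, ctx in labels.items() if ctx != expected)


def audit_tree(root: str, expected: Optional[str] = None) -> List[str]:
    """Walk `root` and list entries whose context differs from `expected`.
    When `expected` is omitted, the root directory's own label is used, which is
    the label mv -Z would have applied to everything had it completed."""
    labels = collect_labels(root)
    if expected is None:
        expected = labels[root] or ""
    return find_mismatches(labels, expected)


# Constructed sample reflecting the trace above: the directory was relabelled,
# the file inside it was not (e.g. fsetxattr failed part-way through).
SAMPLE_LABELS: Dict[str, Optional[str]] = {
    "a": "unconfined_u:object_r:data_home_t:s0",
    "a/b": "unconfined_u:object_r:user_home_t:s0",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for bad in audit_tree(sys.argv[1]):
            print("label mismatch:", bad)
    else:
        print(find_mismatches(SAMPLE_LABELS, SAMPLE_LABELS["a"]))
```

Run it with a directory argument to audit a real tree; with no argument it evaluates the constructed sample and reports `a/b`. Entries it lists are the ones to pass to `restorecon` (or `chcon` with the intended context) once the condition that interrupted the relabel has cleared.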