Wednesday, February 18, 2009

cp -a command bug or selinux bug??

I'm building an NFS installation server and could not get the files from the mounted iso image to copy into the /install directory I created until I spoke to the fine folks in the #rhel channel on freenode. The conclusion was a bug from 2 or 3 years ago that was fixed in Fedora but not RHEL. Why is something so basic and necessary still broken on RHEL? Is it possible this is not a bug and just an outdated man page or incorrect documentation from Red Hat?

Let me tell you exactly what I did to cause this problem to happen.

1) [root@habanero /]# mkdir /install
drwxr-xr-x 2 root root 4096 Feb 18 11:06 install

2) mount -ro loop /home/xxxx/isos/rhel-server-5.3-i386-dvd.iso /mnt

3) cp -ar /mnt/. /install
UPDATE: cp -a /mnt/. /install (same errors as below)

4) weeeee, look at the errors - truncated of course :)
cp: cannot create regular file `/install/./EULA': Permission denied
cp: cannot create regular file `/install/./GPL': Permission denied
cp: cannot create regular file `/install/./README-as.html': Permission denied
cp: cannot create regular file `/install/./README-bn.html': Permission denied
cp: cannot create regular file `/install/./README-de.html': Permission denied
cp: cannot create regular file `/install/./README-en': Permission denied
cp: cannot create regular file `/install/./README-en.html': Permission denied
cp: cannot create regular file `/install/./README-es.html': Permission denied

5) now look at the permissions on my /install directory
dr-xr-xr-x 2 root root 4096 Jan 6 17:39 install

6) Now here's the kicker... if I do any of the following, the files copy into the /install directory without issue.

cp -r /mnt/. /install
cp -dpR /mnt/. /install (equivalent of -a)
cp -ar /mnt/. /install (with selinux set to permissive with setenforce 0)
cp -a /mnt/. /install (with selinux set to permissive with setenforce 0)

So I ask you... is this an selinux bug or cp command bug?? Comments more than welcome!

BTW - Red Hat documentation states using the command cp -a (just for the record)


7 comments:

M@ said...

it's not a cp bug. It may not be an selinux bug, but is most likely an AC issue.

moonpup said...

I disagree, as the command cp -a will fail with permission denied. Turn off selinux and cp -a works, so it's either cp or selinux.

Anonymous said...

No. It might be a very valid policy denial. If you suspect otherwise, file a bug report. Blog posts are not the way to report issues.

moonpup said...

OK, point well taken. BTW, if you have ever read the training documentation directly from Red Hat, it states to use the command cp -a to copy the files. Bottom line, it doesn't work and something is broken :)

Anonymous said...

From setroubleshoot :
- "SELinux is preventing cp from creating a file with a context of iso9660_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination. "

- "Use a command like "cp -P" to preserve all permissions except SELinux context."
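
One way to confirm from the audit log that a failed copy is the label denial setroubleshoot describes above, as an added example that is not part of the original post or its comments. It assumes the denial is logged as an `associate` check against the `filesystem` class; the audit records are constructed for illustration and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed audit records (not taken from the post's machine).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1234973160.101:51): avc:  denied  { associate } for  pid=4242 comm="cp" name="EULA" scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1234973160.102:52): avc:  denied  { associate } for  pid=4242 comm="cp" name="GPL" scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1234973200.300:60): avc:  denied  { write } for  pid=900 comm="httpd" name="upload" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1234973160.101:51): arch=40000003 syscall=5 success=no exit=-13 comm="cp" exe="/bin/cp"
EOF
}

# Print "comm name label_type fs_type" for every denied filesystem:associate
# check, i.e. a file label the destination filesystem is not allowed to hold.
# File names containing spaces are not handled (fields are split on blanks).
associate_denials() {
  awk '
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
    $1 == "type=AVC" && index($0, " denied ") && index($0, "{ associate }") &&
    index($0, "tclass=filesystem") {
      comm = name = label = fs = "?"
      for (i = 2; i <= NF; i++) {
        eq = index($i, "=")
        if (!eq) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        gsub(/"/, "", val)
        if (key == "comm") comm = val
        else if (key == "name") name = val
        else if (key == "scontext") label = ctx_type(val)   # label being carried over
        else if (key == "tcontext") fs = ctx_type(val)      # destination filesystem
      }
      print comm, name, label, fs
    }'
}

# Collapse the per-file lines into "count comm label->fs".
summarize() {
  awk '{ n[$1 " " $3 "->" $4]++ } END { for (k in n) print n[k], k }' | sort
}

sample_audit_log | associate_denials | summarize
```

On a live system the same functions can read `/var/log/audit/audit.log` instead of the sample. A summary line naming `cp` and `iso9660_t` points at the preserved context rather than at file permissions.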

Anonymous said...

Nothing is broken. You are passing the wrong argument (a instead of P). You just need to file a bug report and get some documentation updated if something says otherwise.

moonpup said...

Thanks for the helpful comments, as that clears things up a bit. One question though: do you mean lower case -p, as the capital -P means no dereference (never follow symbolic links)?

Thanks again!