2 # Ensure that cp -a and cp --preserve=context work properly.
3 # In particular, test on a writable NFS partition.
4 # Check also locally that --preserve=context, -a and --preserve=all work.
7 # Copyright (C) 2007-2009 Free Software Foundation, Inc.
9 # This program is free software: you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation, either version 3 of the License, or
12 # (at your option) any later version.
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 if test "$VERBOSE" = yes; then
# Cleanup routine: unmount the file system this test mounts on "$cwd/mnt".
# $cwd is set outside this block.  Presumably called by the test framework
# when the script exits -- confirm against the framework.
# Returns: the exit status of umount.
cleanup_() {
  # The test changes into mnt, and a mount point that is still some
  # process's working directory cannot be unmounted, so step out first.
  cd /
  umount "$cwd/mnt"
}
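# This context is special: it works even when mcstransd isn't running.
ctx=root:object_r:tmp_t:s0

# Basic functionality, checked in the ordinary working directory before the
# fixed-context mount is set up: label a file with $ctx, copy it three ways,
# and require every copy to carry the same label.
touch c || framework_failure
chcon "$ctx" c || framework_failure
cp -a c d 2>err || framework_failure
cp --preserve=context c e || framework_failure
cp --preserve=all c f || framework_failure

# $ctx is quoted and matched as a fixed string (-F), so the label is compared
# literally instead of being word-split or read as a regular expression.
ls -Z d | grep -F -- "$ctx" || fail=1
test -s err && fail=1  # there must be no stderr output for -a
ls -Z e | grep -F -- "$ctx" || fail=1
ls -Z f | grep -F -- "$ctx" || fail=1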
49 # Create a file system, then mount it with the context=... option.
50 dd if=/dev/zero of=blob bs=8192 count=200 > /dev/null 2>&1 \
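# Mount point for the loopback file system built from the "blob" image.
mkdir mnt || framework_failure

# Without a usable ext2 image the rest of the test cannot run, so this is
# reported as a skip rather than as a failure.
mkfs -t ext2 -F blob \
  || skip_test_ "failed to create an ext2 file system"

# context=... mounts the file system with one fixed SELinux context; the
# later steps expect cp to be unable to set a file's context on it.
# The option string is quoted so that $ctx is passed as a single word.
mount -o "loop,context=$ctx" blob mnt || framework_failure
cd mnt || framework_failure

# Source (f) and destination (g) for the copies that follow.
echo > f || framework_failure
echo > g || framework_failure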
# Regression check: /bin/cp from coreutils-6.7-3.fc7 got this wrong by
# exiting successfully and printing nothing, yet leaving the destination
# file empty.
if ! cp -a f g 2>err; then
  fail=1
fi
[ -s g ] || fail=1    # The destination file must not be empty.
[ -s err ] && fail=1  # There must be no stderr output.
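# =====================================================
# Here, we expect cp to fail, because it cannot set the SELinux
# security context through NFS or a mount with fixed context.
# A successful exit is therefore the failure case.
cp --preserve=context f g 2> out && fail=1

# Here, we *do* expect the destination to be empty.  Enforce that
# expectation rather than only stating it: a non-empty g fails the test.
test -s g && fail=1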
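# Check that -a does not silence the diagnostics of an explicit
# --preserve=context: the copy must still fail, and its stderr is kept
# in out2 for comparison with the expected message.
cp -a --preserve=context f g 2> out2 && fail=1

# Here, we *do* expect the destination to be empty.  Enforce that
# expectation rather than only stating it: a non-empty g fails the test.
test -s g && fail=1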
88 # An alternative to the current approach would be to run in a confined
89 # domain (maybe creating/loading it) that lacks the required permissions
91 # Note: this test could also be run by a regular (non-root) user in an
92 # NFS mounted directory. When doing that, I get this diagnostic:
93 # cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
94 # Operation not supported
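# Cut each diagnostic off before the quoted file name, so that the context
# cp reports (it differs between NFS and a fixed-context mount) does not
# affect the comparison.  The "." matches the opening quote character.
# The normalized text has to replace out and out2, because those are the
# files compared with exp below; left in k, the first result would simply
# be overwritten by the second and never checked.
sed "s/ .g' to .*//" out > k && mv k out
sed "s/ .g' to .*//" out2 > k && mv k out2

# Expected diagnostic after normalization.  The quoted delimiter (\EOF)
# keeps the here-document text literal.
cat <<\EOF > exp || fail=1
cp: failed to set the security context of
EOF

# Both the plain and the -a invocation must have printed that diagnostic.
compare out exp || fail=1
compare out2 exp || fail=1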