security_context_t con = NULL;
if (getfscreatecon (&con) < 0)
{
- if (!x->reduce_diagnostics || x->require_preserve_context)
+ if (x->require_preserve_context ||
+ (!x->reduce_diagnostics && !errno_unsupported (errno)))
error (0, errno, _("failed to get file system create context"));
if (x->require_preserve_context)
{
{
if (fsetfilecon (dest_desc, con) < 0)
{
- if (!x->reduce_diagnostics || x->require_preserve_context)
+ if (x->require_preserve_context ||
+ (!x->reduce_diagnostics && !errno_unsupported (errno)))
error (0, errno,
_("failed to set the security context of %s to %s"),
quote_n (0, dst_name), quote_n (1, con));
{
if (setfscreatecon (con) < 0)
{
- if (!x->reduce_diagnostics || x->require_preserve_context)
+ if (x->require_preserve_context ||
+ (!x->reduce_diagnostics && !errno_unsupported (errno)))
error (0, errno,
_("failed to set default file creation context to %s"),
quote (con));
}
else
{
- if (!errno_unsupported (errno) || x->require_preserve_context)
+ if (x->require_preserve_context ||
+ (!x->reduce_diagnostics && !errno_unsupported (errno)))
{
- if (!x->reduce_diagnostics || x->require_preserve_context)
- error (0, errno,
- _("failed to get security context of %s"),
- quote (src_name));
- if (x->require_preserve_context)
- return false;
+ error (0, errno,
+ _("failed to get security context of %s"),
+ quote (src_name));
}
+ if (x->require_preserve_context)
+ return false;
}
}
cd mnt || framework_failure
echo > f || framework_failure
-echo > g || framework_failure
-
+echo > g || framework_failure
# /bin/cp from coreutils-6.7-3.fc7 would fail this test by letting cp
# succeed (giving no diagnostics), yet leaving the destination file empty.
cp -a f g 2>err || fail=1
test -s g || fail=1 # The destination file must not be empty.
test -s err && fail=1 # There must be no stderr output.
-rm -f g err
+# =====================================================
+# Here, we expect cp to succeed and not warn with "Operation not supported"
+rm -f g
echo > g
+cp --preserve=all f g 2>err || fail=1
+test -s g || fail=1
+grep "Operation not supported" err && fail=1
# =====================================================
+# The same as above except destination does not exist
+rm -f g
+cp --preserve=all f g 2>err || fail=1
+test -s g || fail=1
+grep "Operation not supported" err && fail=1
+
+# An alternative to the following approach would be to run in a confined
+# domain (maybe creating/loading it) that lacks the required permissions
+# to the file type.
+# Note: this test could also be run by a regular (non-root) user in an
+# NFS mounted directory. When doing that, I get this diagnostic:
+# cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
+# Operation not supported
+cat <<\EOF > exp || framework_failure=1
+cp: failed to set the security context of
+EOF
+
+rm -f g
+echo > g
+# =====================================================
# Here, we expect cp to fail, because it cannot set the SELinux
# security context through NFS or a mount with fixed context.
cp --preserve=context f g 2> out && fail=1
-
# Here, we *do* expect the destination to be empty.
test -s g && fail=1
+sed "s/ .g' to .*//" out > k
+mv k out
+compare out exp || fail=1
rm -f g
echo > g
# Check if -a option doesn't silence --preserve=context option diagnostics
cp -a --preserve=context f g 2> out2 && fail=1
-
# Here, we *do* expect the destination to be empty.
test -s g && fail=1
-
-# An alternative to the current approach would be to run in a confined
-# domain (maybe creating/loading it) that lacks the required permissions
-# to the file type.
-# Note: this test could also be run by a regular (non-root) user in an
-# NFS mounted directory. When doing that, I get this diagnostic:
-# cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
-# Operation not supported
-sed "s/ .g' to .*//" out > k
-mv k out
sed "s/ .g' to .*//" out2 > k
mv k out2
-
-cat <<\EOF > exp || fail=1
-cp: failed to set the security context of
-EOF
-
-compare out exp || fail=1
compare out2 exp || fail=1
Exit $fail