cp: fix SELinux context handling for cp-a-selinux GNU test

Author: ChrisDryden

src/uu/cp/locales/en-US.ftl

@@ -85,6 +85,7 @@ cp-error-selinux-not-enabled = SELinux was not enabled during the compile time!
 cp-error-selinux-set-context = failed to set the security context of { $path }: { $error }
 cp-error-selinux-get-context = failed to get security context of { $path }
 cp-error-selinux-error = SELinux error: { $error }
+cp-error-selinux-context-conflict = cannot combine --context (-Z) with --preserve=context
 cp-error-cannot-create-fifo = cannot create fifo { $path }: File exists
 cp-error-invalid-attribute = invalid attribute { $value }
 cp-error-failed-to-create-whole-tree = failed to create whole tree

src/uu/cp/locales/fr-FR.ftl

@@ -85,6 +85,7 @@ cp-error-selinux-not-enabled = SELinux n'était pas activé lors de la compilati
 cp-error-selinux-set-context = échec de la définition du contexte de sécurité de { $path } : { $error }
 cp-error-selinux-get-context = échec de l'obtention du contexte de sécurité de { $path }
 cp-error-selinux-error = Erreur SELinux : { $error }
+cp-error-selinux-context-conflict = impossible de combiner --context (-Z) avec --preserve=context
 cp-error-cannot-create-fifo = impossible de créer le fifo { $path } : Le fichier existe
 cp-error-invalid-attribute = attribut invalide { $value }
 cp-error-failed-to-create-whole-tree = échec de la création de l'arborescence complète

src/uu/cp/src/copydir.rs

@@ -26,6 +26,8 @@ use uucore::translate;
 use uucore::uio_error;
 use walkdir::{DirEntry, WalkDir};
 
+#[cfg(all(feature = "selinux", target_os = "linux"))]
+use crate::set_selinux_context;
 use crate::{
     CopyMode, CopyResult, CpError, Options, aligned_ancestors, context_for, copy_attributes,
     copy_file,
@@ -492,6 +494,7 @@ pub(crate) fn copy_directory(
                             &entry.local_to_target,
                             &options.attributes,
                             false,
+                            options.set_selinux_context,
                         )?;
                         continue;
                     }
@@ -534,6 +537,7 @@ pub(crate) fn copy_directory(
                                 &entry.local_to_target,
                                 &options.attributes,
                                 false,
+                                options.set_selinux_context,
                             )?;
                         }
                     }
@@ -550,7 +554,18 @@ pub(crate) fn copy_directory(
     // Fix permissions for all directories we created
     // This ensures that even sibling directories get their permissions fixed
     for dir in dirs_needing_permissions {
-        copy_attributes(&dir.source, &dir.dest, &options.attributes, dir.was_created)?;
+        copy_attributes(
+            &dir.source,
+            &dir.dest,
+            &options.attributes,
+            dir.was_created,
+            options.set_selinux_context,
+        )?;
+
+        #[cfg(all(feature = "selinux", target_os = "linux"))]
+        if options.set_selinux_context {
+            set_selinux_context(&dir.dest, options.context.as_ref())?;
+        }
     }
 
     // Also fix permissions for parent directories,
@@ -559,7 +574,12 @@ pub(crate) fn copy_directory(
         let dest = target.join(root.file_name().unwrap());
         for (x, y) in aligned_ancestors(root, dest.as_path()) {
             if let Ok(src) = canonicalize(x, MissingHandling::Normal, ResolveMode::Physical) {
-                copy_attributes(&src, y, &options.attributes, false)?;
+                copy_attributes(&src, y, &options.attributes, false, options.set_selinux_context)?;
+
+                #[cfg(all(feature = "selinux", target_os = "linux"))]
+                if options.set_selinux_context {
+                    set_selinux_context(y, options.context.as_ref())?;
+                }
             }
         }
     }

src/uu/cp/src/cp.rs

@@ -1159,6 +1159,21 @@ impl Options {
             None
         };
 
+        // -Z/--context conflicts with explicit --preserve=context but overrides implicit (from -a)
+        if set_selinux_context || context.is_some() {
+            match attributes.context {
+                Preserve::Yes { required: true } => {
+                    return Err(CpError::Error(translate!(
+                        "cp-error-selinux-context-conflict"
+                    )));
+                }
+                Preserve::Yes { required: false } => {
+                    attributes.context = Preserve::No { explicit: false };
+                }
+                Preserve::No { .. } => {}
+            }
+        }
+
         let options = Self {
             attributes_only: matches.get_flag(options::ATTRIBUTES_ONLY),
             copy_contents: matches.get_flag(options::COPY_CONTENTS),
@@ -1550,7 +1565,7 @@ fn copy_source(
         if options.parents {
             for (x, y) in aligned_ancestors(source, dest.as_path()) {
                 if let Ok(src) = canonicalize(x, MissingHandling::Normal, ResolveMode::Physical) {
-                    copy_attributes(&src, y, &options.attributes, false)?;
+                    copy_attributes(&src, y, &options.attributes, false, options.set_selinux_context)?;
                 }
             }
         }
@@ -1671,12 +1686,27 @@ fn handle_preserve<F: Fn() -> CopyResult<()>>(p: Preserve, f: F) -> CopyResult<(
     Ok(())
 }
 
+#[cfg(all(feature = "selinux", target_os = "linux"))]
+pub(crate) fn set_selinux_context(path: &Path, context: Option<&String>) -> CopyResult<()> {
+    if !uucore::selinux::is_selinux_enabled() {
+        return Ok(());
+    }
+
+    match uucore::selinux::set_selinux_security_context(path, context) {
+        Ok(()) => Ok(()),
+        Err(uucore::selinux::SeLinuxError::OperationNotSupported) => Ok(()),
+        Err(e) => Err(CpError::Error(
+            translate!("cp-error-selinux-error", "error" => e),
+        )),
+    }
+}
+
 /// Copies extended attributes (xattrs) from `source` to `dest`, ensuring that `dest` is temporarily
 /// user-writable if needed and restoring its original permissions afterward. This avoids "Operation
 /// not permitted" errors on read-only files. Returns an error if permission or metadata operations fail,
 /// or if xattr copying fails.
 #[cfg(all(unix, not(target_os = "android")))]
-fn copy_extended_attrs(source: &Path, dest: &Path) -> CopyResult<()> {
+fn copy_extended_attrs(source: &Path, dest: &Path, skip_selinux: bool) -> CopyResult<()> {
     let metadata = fs::symlink_metadata(dest)?;
 
     // Check if the destination file is currently read-only for the user.
@@ -1692,7 +1722,13 @@ fn copy_extended_attrs(source: &Path, dest: &Path) -> CopyResult<()> {
 
     // Perform the xattr copy and capture any potential error,
     // so we can restore permissions before returning.
-    let copy_xattrs_result = copy_xattrs(source, dest);
+    let copy_xattrs_result = if skip_selinux {
+        // When -Z is used, skip copying security.selinux xattr so that
+        // the default context can be set instead of preserving from source
+        copy_xattrs_skip_selinux(source, dest)
+    } else {
+        copy_xattrs(source, dest)
+    };
 
     // Restore read-only if we changed it.
     if was_readonly {
@@ -1712,12 +1748,31 @@ fn copy_extended_attrs(source: &Path, dest: &Path) -> CopyResult<()> {
     Ok(())
 }
 
+/// Copy extended attributes but skip security.selinux
+#[cfg(all(unix, not(target_os = "android")))]
+fn copy_xattrs_skip_selinux(source: &Path, dest: &Path) -> std::io::Result<()> {
+    for attr_name in xattr::list(source)? {
+        // Skip security.selinux when -Z is used to set default context
+        if attr_name.to_string_lossy() == "security.selinux" {
+            continue;
+        }
+        if let Some(value) = xattr::get(source, &attr_name)? {
+            xattr::set(dest, &attr_name, &value)?;
+        }
+    }
+    Ok(())
+}
+
 /// Copy the specified attributes from one path to another.
+/// If `skip_selinux_xattr` is true, the security.selinux xattr will not be copied
+/// (used when -Z is specified to set the default context instead).
+#[allow(unused_variables)]
 pub(crate) fn copy_attributes(
     source: &Path,
     dest: &Path,
     attributes: &Attributes,
     dest_is_freshly_created_dir: bool,
+    skip_selinux_xattr: bool,
 ) -> CopyResult<()> {
     let context = &*format!("{} -> {}", source.quote(), dest.quote());
     let source_metadata =
@@ -1822,9 +1877,10 @@ pub(crate) fn copy_attributes(
     handle_preserve(attributes.xattr, || -> CopyResult<()> {
         #[cfg(all(unix, not(target_os = "android")))]
         {
-            copy_extended_attrs(source, dest)?;
+            copy_extended_attrs(source, dest, skip_selinux_xattr)?;
         }
         #[cfg(not(all(unix, not(target_os = "android"))))]
+        #[allow(unused_variables)]
         {
             // The documentation for GNU cp states:
             //
@@ -2576,33 +2632,44 @@ fn copy_file(
         fs::set_permissions(dest, dest_permissions).ok();
     }
 
-    if options.dereference(source_in_command_line) {
+    let copy_attributes_result = if options.dereference(source_in_command_line) {
         // Try to canonicalize, but if it fails (e.g., due to inaccessible parent directories),
         // fall back to the original source path
         let src_for_attrs = canonicalize(source, MissingHandling::Normal, ResolveMode::Physical)
             .ok()
             .filter(|p| p.exists())
             .unwrap_or_else(|| source.to_path_buf());
-        copy_attributes(&src_for_attrs, dest, &options.attributes, false)?;
+        copy_attributes(
+            &src_for_attrs,
+            dest,
+            &options.attributes,
+            false,
+            options.set_selinux_context,
+        )
     } else if source_is_stream && !source.exists() {
         // Some stream files may not exist after we have copied it,
         // like anonymous pipes. Thus, we can't really copy its
         // attributes. However, this is already handled in the stream
         // copy function (see `copy_stream` under platform/linux.rs).
+        Ok(())
     } else {
-        copy_attributes(source, dest, &options.attributes, false)?;
-    }
+        copy_attributes(
+            source,
+            dest,
+            &options.attributes,
+            false,
+            options.set_selinux_context,
+        )
+    };
 
-    #[cfg(all(feature = "selinux", any(target_os = "linux", target_os = "android")))]
-    if options.set_selinux_context && uucore::selinux::is_selinux_enabled() {
-        // Set the given selinux permissions on the copied file.
-        if let Err(e) =
-            uucore::selinux::set_selinux_security_context(dest, options.context.as_ref())
-        {
-            return Err(CpError::Error(
-                translate!("cp-error-selinux-error", "error" => e),
-            ));
-        }
+    // GNU cp truncates the destination when a required attribute cannot be preserved
+    copy_attributes_result.inspect_err(|_| {
+        fs::File::create(dest).map(|f| f.set_len(0)).ok();
+    })?;
+
+    #[cfg(all(feature = "selinux", target_os = "linux"))]
+    if options.set_selinux_context {
+        set_selinux_context(dest, options.context.as_ref())?;
     }
 
     // Skip tracking copied files when using --link mode since hard link
@@ -2772,7 +2839,13 @@ fn copy_link(
         delete_path(dest, options)?;
     }
     symlink_file(&link, dest, symlinked_files)?;
-    copy_attributes(source, dest, &options.attributes, false)
+    copy_attributes(
+        source,
+        dest,
+        &options.attributes,
+        false,
+        options.set_selinux_context,
+    )
 }
 
 /// Generate an error message if `target` is not the correct `target_type`

src/uucore/locales/en-US.ftl

@@ -45,6 +45,7 @@ selinux-error-file-open-failure = failed to open the file: { $error }
 selinux-error-context-retrieval-failure = failed to retrieve the security context: { $error }
 selinux-error-context-set-failure = failed to set default file creation context to '{ $context }': { $error }
 selinux-error-context-conversion-failure = failed to set default file creation context to '{ $context }': { $error }
+selinux-error-operation-not-supported = operation not supported
 
 # SMACK error messages
 smack-error-not-enabled = SMACK is not enabled on this system

src/uucore/locales/fr-FR.ftl

@@ -45,6 +45,7 @@ selinux-error-file-open-failure = échec de l'ouverture du fichier : { $error }
 selinux-error-context-retrieval-failure = échec de la récupération du contexte de sécurité : { $error }
 selinux-error-context-set-failure = échec de la définition du contexte de création de fichier par défaut à '{ $context }' : { $error }
 selinux-error-context-conversion-failure = échec de la définition du contexte de création de fichier par défaut à '{ $context }' : { $error }
+selinux-error-operation-not-supported = opération non prise en charge
 
 # Messages d'erreur de traversée sécurisée
 safe-traversal-error-path-contains-null = le chemin contient un octet null

src/uucore/src/lib/features/selinux.rs

@@ -30,6 +30,9 @@ pub enum SeLinuxError {
 
     #[error("{}", translate!("selinux-error-context-conversion-failure", "context" => .0.clone(), "error" => .1.clone()))]
     ContextConversionFailure(String, String),
+
+    #[error("{}", translate!("selinux-error-operation-not-supported"))]
+    OperationNotSupported,
 }
 
 impl UError for SeLinuxError {
@@ -40,6 +43,7 @@ impl UError for SeLinuxError {
             Self::ContextRetrievalFailure(_) => 3,
             Self::ContextSetFailure(_, _) => 4,
             Self::ContextConversionFailure(_, _) => 5,
+            Self::OperationNotSupported => 6,
         }
     }
 }
@@ -154,13 +158,23 @@ pub fn set_selinux_security_context(
             false,
         )
         .set_for_path(path, false, false)
-        .map_err(|e| {
-            SeLinuxError::ContextSetFailure(ctx_str.to_owned(), selinux_error_description(&e))
+        .map_err(|e| match &e {
+            selinux::errors::Error::IO1Path { source, .. }
+                if source.raw_os_error() == Some(libc::ENOTSUP) =>
+            {
+                SeLinuxError::OperationNotSupported
+            }
+            _ => SeLinuxError::ContextSetFailure(ctx_str.to_owned(), selinux_error_description(&e)),
         })
     } else {
         // If no context provided, set the default SELinux context for the path
-        SecurityContext::set_default_for_path(path).map_err(|e| {
-            SeLinuxError::ContextSetFailure(String::new(), selinux_error_description(&e))
+        SecurityContext::set_default_for_path(path).map_err(|e| match &e {
+            selinux::errors::Error::IO1Path { source, .. }
+                if source.raw_os_error() == Some(libc::ENOTSUP) =>
+            {
+                SeLinuxError::OperationNotSupported
+            }
+            _ => SeLinuxError::ContextSetFailure(String::new(), selinux_error_description(&e)),
         })
     }
 }
@@ -532,6 +546,9 @@ mod tests {
                     "File open failure occurred despite file being created: {e}"
                 );
             }
+            Err(e @ SeLinuxError::OperationNotSupported) => {
+                println!("{e}");
+            }
         }
     }
 

tests/by-util/test_cp.rs

@@ -7671,3 +7671,59 @@ fn test_cp_gnu_preserve_mode() {
 
     assert_eq!(d1_mode, d3_mode);
 }
+
+#[test]
+#[cfg(feature = "feat_selinux")]
+fn test_cp_a_z_overrides_context() {
+    use std::path::Path;
+    use uucore::selinux::{get_selinux_security_context, set_selinux_security_context};
+
+    let (at, mut ucmd) = at_and_ucmd!();
+    at.touch("src");
+
+    let ctx = "unconfined_u:object_r:user_tmp_t:s0".to_string();
+    if set_selinux_security_context(Path::new(&at.plus_as_string("src")), Some(&ctx)).is_err() {
+        return;
+    }
+
+    let src_ctx =
+        get_selinux_security_context(Path::new(&at.plus_as_string("src")), false).unwrap();
+    ucmd.args(&["-aZ", "src", "dst"]).succeeds();
+    let dst_ctx =
+        get_selinux_security_context(Path::new(&at.plus_as_string("dst")), false).unwrap();
+
+    assert_ne!(src_ctx, dst_ctx, "-aZ should override context from -a");
+}
+
+#[test]
+#[cfg(feature = "feat_selinux")]
+fn test_cp_a_preserves_context() {
+    use std::path::Path;
+    use uucore::selinux::{get_selinux_security_context, set_selinux_security_context};
+
+    let (at, mut ucmd) = at_and_ucmd!();
+    at.touch("src");
+
+    let ctx = "unconfined_u:object_r:user_tmp_t:s0".to_string();
+    if set_selinux_security_context(Path::new(&at.plus_as_string("src")), Some(&ctx)).is_err() {
+        return;
+    }
+
+    let src_ctx =
+        get_selinux_security_context(Path::new(&at.plus_as_string("src")), false).unwrap();
+    ucmd.args(&["-a", "src", "dst"]).succeeds();
+    let dst_ctx =
+        get_selinux_security_context(Path::new(&at.plus_as_string("dst")), false).unwrap();
+
+    assert_eq!(src_ctx, dst_ctx, "-a should preserve SELinux context");
+}
+
+#[test]
+#[cfg(feature = "feat_selinux")]
+fn test_cp_preserve_context_with_z_fails() {
+    let (at, mut ucmd) = at_and_ucmd!();
+    at.touch("src");
+    ucmd.args(&["--preserve=context", "-Z", "src", "dst"])
+        .fails()
+        .stderr_contains("cannot combine");
+}