I'm on CentOS 6.2, and have a file with the alternate access method character displayed as a dot.
ls -l myfile
-rwxr-x---. 1 me mygroup 172 Aug 13 10:03 myfile
          ^
This dot.
From the help displayed for ls with info coreutils 'ls invocation'
Following the file mode bits is a single character that specifies
whether an alternate access method such as an access control list
applies to the file. When the character following the file mode
bits is a space, there is no alternate access method. When it is
a printing character, then there is such a method.
GNU `ls' uses a `.' character to indicate a file with an SELinux
security context, but no other alternate access method.
A file with any other combination of alternate access methods is
marked with a `+' character.
So this file has some SELinux security context assigned to it. Using getfacl and getfattr those commands show:
getfacl myfile
# file: myfile
# owner: me
# group: mygroup
user::rwx
group::r-x
other::---
getfattr -m - myfile
# file: myfile
security.selinux
getfattr -n security.selinux myfile
# file: myfile
security.selinux="unconfined_u:object_r:usr_t:s0"
I've backed up the original file with:
cp --preserve=all myfile myfile.ORIG
And then edited the original:
vi myfile
:wq
Which blows away whatever context it had:
ls -l myfile
-rwxr-x--- 1 me mygroup 172 Aug 13 10:06 myfile
          ^
The dot is gone.
getfattr -n security.selinux myfile
myfile: security.selinux: No such attribute
getfacl myfile
# file: myfile
# owner: me
# group: mygroup
user::rwx
group::r-x
other::---
What's the recommended process for editing this file and preserving its extended attributes and alternate access method setting?
Best Answer
Editors can follow one of two strategies when you save a file.
Editors typically favor the first method, and fall back to the second method if they detect that they cannot replicate the permissions of the existing file or that the existing file has hard links.
It is likely that most editors do not realize the presence of the extra SELinux attributes and so apply the first method. With recent versions of GNU coreutils (≥ 8.6), you can use
cp --preserve=context --attributes-only
to replicate the SELinux context of a file on another file without changing the target file's contents.
Alternatively, instruct your editor to edit the file in place. With Vim, set the backupcopy option to yes, if that isn't the default on your system. With Emacs, set the backup-by-copying variable to t.
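The difference between editing in place and saving by rename, as an added example that is not part of the original question or answer: it shows why a rename-style save leaves the file without its extended attributes, and what copying them across involves. The function names are hypothetical, and the code assumes Linux, where Python's os.listxattr, os.getxattr and os.setxattr are available.

```python
import errno
import os
import stat
import tempfile


def read_xattrs(path):
    """Return {name: value} for path; {} if the filesystem has no xattrs."""
    try:
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:
            return {}
        raise


def save_in_place(path, data):
    """Rewrite the existing inode; its xattrs (security.selinux) stay put."""
    with open(path, "wb") as f:
        f.write(data)


def save_by_rename(path, data, keep_xattrs=False):
    """Write a new file and rename it over path, which yields a new inode.

    keep_xattrs=False is the rename-style save the answer describes;
    keep_xattrs=True copies each xattr across before the rename.
    Ownership is not copied here (assumed to match the caller).
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, mode)
        if keep_xattrs:
            already = read_xattrs(tmp)
            for name, value in read_xattrs(path).items():
                if already.get(name) != value:  # skip needless relabels
                    os.setxattr(tmp, name, value)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def snapshot(path):
    """(inode, mode bits, xattrs) so two saves can be compared."""
    st = os.stat(path)
    return st.st_ino, stat.S_IMODE(st.st_mode), read_xattrs(path)
```

Comparing snapshot() before and after a save shows which strategy was used: an unchanged inode means the file was edited in place, a new inode means it was replaced.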