Linux – How to edit a file and preserve its access control list / SELinux security context


I'm on CentOS 6.2, and have a file with the alternate access method character displayed as a dot.

ls -l myfile
-rwxr-x---. 1 me mygroup   172 Aug 13 10:03 myfile
          ^ 
          This dot.

From the help displayed for ls with info coreutils 'ls invocation'

Following the file mode bits is a single character that specifies
whether an alternate access method such as an access control list
applies to the file.  When the character following the file mode
bits is a space, there is no alternate access method.  When it is
a printing character, then there is such a method.

GNU `ls' uses a `.' character to indicate a file with an SELinux
security context, but no other alternate access method.

A file with any other combination of alternate access methods is
marked with a `+' character.

So this file has some SELinux security context assigned to it. getfacl and getfattr show:

getfacl myfile
# file: myfile
# owner: me
# group: mygroup
user::rwx
group::r-x
other::---

getfattr -m - myfile
# file: myfile
security.selinux

getfattr -n security.selinux myfile
# file: myfile
security.selinux="unconfined_u:object_r:usr_t:s0"

I've backed up the original file with:

cp --preserve=all myfile myfile.ORIG

And then edited the original:

vi myfile
:wq

Which blows away whatever context it had:

ls -l myfile
-rwxr-x---  1 me mygroup   172 Aug 13 10:06 myfile
          ^ 
          The dot is gone.

getfattr -n security.selinux myfile
myfile: security.selinux: No such attribute

getfacl myfile
# file: myfile
# owner: me
# group: mygroup
user::rwx
group::r-x
other::---

What's the recommended process for editing this file and preserving its extended attributes and alternate access method setting?

Best Answer

Editors can follow one of two strategies when you save a file.

  • Create a new file, then move it to replace the old one. The main advantage is that there is always a valid file in place: the old version is atomically replaced by the new one. A downside is that a new file is created, so the editor must manually replicate the ownership and permissions of the old file to the best of its ability. This method also breaks hard links.
  • Write to the existing file. This preserves hard links and permissions. Also, this doesn't require any extra disk space, but it's highly advisable to make a backup first, which makes this point moot. This has the major downside that if a program attempts to read the file while it is being saved, it will see a truncated file; and if the save is interrupted (e.g. by a power failure), a partial file will remain.

Editors typically favor the first method, and fall back to the second method if they detect that they cannot replicate the permissions of the existing file or that the existing file has hard links.

It is likely that most editors do not realize the presence of the extra SELinux attributes and so apply the first method. With recent versions of GNU coreutils (≥ 8.6), you can use cp --preserve=context --attributes-only to replicate the SELinux context of a file on another file without changing the target file's contents.

Alternatively, instruct your editor to edit the file in place. With Vim, set the backupcopy option to yes, if that isn't the default on your system. With Emacs, set the backup-by-copying variable to t.
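The two save strategies described in the answer, reproduced as an added example that is not part of the original question or answer. save_by_rename writes a temp file and renames it over the target (strategy one); save_in_place rewrites the existing inode (strategy two). The script assumes a POSIX shell with ls, ln, chmod, mktemp, mv and awk, and uses no SELinux tooling, so it shows only what is observable everywhere: which strategy keeps hard links and the file mode. The file names and the demo function are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Demonstrates the two editor
# save strategies and what each preserves. Assumes POSIX sh, ls, ln, chmod,
# mktemp, mv and awk; no SELinux commands are used, so the hard-link and
# mode effects are shown, not the security.selinux attribute itself.

# Number of hard links to a path, taken from the second column of `ls -ld`.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# The nine permission characters of a path (skips the file-type character
# and ignores the trailing "." or "+" that SELinux or an ACL would add).
mode_string() {
    ls -ld "$1" | awk '{print substr($1, 2, 9)}'
}

# Strategy 1: write a new temp file, then rename it over the target.
# The target inode is replaced, so hard links, the mode and any security
# context on the old inode are lost unless the editor copies them back.
# mktemp creates the temp file with mode 0600, which is what survives the mv.
save_by_rename() {
    target=$1; content=$2
    tmp=$(mktemp "$(dirname "$target")/.tmp.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp"
    mv -f "$tmp" "$target"
}

# Strategy 2: truncate and rewrite the existing inode in place.
# Hard links, mode and extended attributes survive because the inode is reused.
# Readers racing with the write can observe a truncated file, as the answer notes.
save_in_place() {
    target=$1; content=$2
    printf '%s\n' "$content" > "$target"
}

# Run both strategies against a fresh mode-750 file that has one hard link
# and print, per strategy: link count, mode, and what the other link now reads.
demo() {
    dir=$(mktemp -d) || return 1
    for strategy in save_by_rename save_in_place; do
        f="$dir/myfile.$strategy"
        printf 'original\n' > "$f"
        chmod 750 "$f"
        ln "$f" "$f.link"
        "$strategy" "$f" "edited"
        printf '%s links=%s mode=%s other_link_reads=%s\n' \
            "$strategy" "$(link_count "$f")" "$(mode_string "$f")" "$(cat "$f.link")"
    done
    rm -rf "$dir"
}

demo
```

Running demo shows save_by_rename leaving one link with mode rw------- while the other link still reads "original", and save_in_place leaving two links with mode rwxr-x--- that both read "edited". On an SELinux host, the equivalent cleanup after a rename-style save is the command the answer gives, cp --preserve=context --attributes-only myfile.ORIG myfile, after which getfattr -n security.selinux myfile should print the context again.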