RGBCube/uutils-coreutils
1
Fork 0
mirror of https://github.com/RGBCube/uutils-coreutils synced 2025-07-27 11:07:44 +00:00
Code Issues Activity

Merge pull request #7878 from sylvestre/selinux-cp

Browse source 
cp: improve the selinux support
This commit is contained in:
Daniel Hofstetter 2025-05-06 09:27:59 +02:00 committed by GitHub
commit c981767af4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 491 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/uu/cp/Cargo.toml
View file

@ -47,5 +47,5 @@ name = "cp"
path = "src/main.rs" path = "src/main.rs"
[features] [features]
feat_selinux = ["selinux"] feat_selinux = ["selinux", "uucore/selinux"]
feat_acl = ["exacl"] feat_acl = ["exacl"]

92
src/uu/cp/src/cp.rs
View file

@ -16,7 +16,7 @@ use std::path::{Path, PathBuf, StripPrefixError};
#[cfg(all(unix, not(target_os = "android")))] #[cfg(all(unix, not(target_os = "android")))]
use uucore::fsxattr::copy_xattrs; use uucore::fsxattr::copy_xattrs;
use clap::{Arg, ArgAction, ArgMatches, Command, builder::ValueParser}; use clap::{Arg, ArgAction, ArgMatches, Command, builder::ValueParser, value_parser};
use filetime::FileTime; use filetime::FileTime;
use indicatif::{ProgressBar, ProgressStyle}; use indicatif::{ProgressBar, ProgressStyle};
use quick_error::ResultExt; use quick_error::ResultExt;
@ -311,6 +311,10 @@ pub struct Options {
pub verbose: bool, pub verbose: bool,
/// `-g`, `--progress` /// `-g`, `--progress`
pub progress_bar: bool, pub progress_bar: bool,
/// -Z
pub set_selinux_context: bool,
// --context
pub context: Option<String>,
} }
impl Default for Options { impl Default for Options {
@ -337,6 +341,8 @@ impl Default for Options {
debug: false, debug: false,
verbose: false, verbose: false,
progress_bar: false, progress_bar: false,
set_selinux_context: false,
context: None,
} }
} }
} }
@ -448,6 +454,7 @@ mod options {
pub const RECURSIVE: &str = "recursive"; pub const RECURSIVE: &str = "recursive";
pub const REFLINK: &str = "reflink"; pub const REFLINK: &str = "reflink";
pub const REMOVE_DESTINATION: &str = "remove-destination"; pub const REMOVE_DESTINATION: &str = "remove-destination";
pub const SELINUX: &str = "Z";
pub const SPARSE: &str = "sparse"; pub const SPARSE: &str = "sparse";
pub const STRIP_TRAILING_SLASHES: &str = "strip-trailing-slashes"; pub const STRIP_TRAILING_SLASHES: &str = "strip-trailing-slashes";
pub const SYMBOLIC_LINK: &str = "symbolic-link"; pub const SYMBOLIC_LINK: &str = "symbolic-link";
@ -476,6 +483,7 @@ const PRESERVE_DEFAULT_VALUES: &str = if cfg!(unix) {
} else { } else {
"mode,timestamp" "mode,timestamp"
}; };
pub fn uu_app() -> Command { pub fn uu_app() -> Command {
const MODE_ARGS: &[&str] = &[ const MODE_ARGS: &[&str] = &[
options::LINK, options::LINK,
@ -709,24 +717,25 @@ pub fn uu_app() -> Command {
.value_parser(ShortcutValueParser::new(["never", "auto", "always"])) .value_parser(ShortcutValueParser::new(["never", "auto", "always"]))
.help("control creation of sparse files. See below"), .help("control creation of sparse files. See below"),
) )
// TODO: implement the following args
.arg( .arg(
Arg::new(options::COPY_CONTENTS) Arg::new(options::SELINUX)
.long(options::COPY_CONTENTS) .short('Z')
.overrides_with(options::ATTRIBUTES_ONLY) .help("set SELinux security context of destination file to default type")
.help("NotImplemented: copy contents of special files when recursive")
.action(ArgAction::SetTrue), .action(ArgAction::SetTrue),
) )
.arg( .arg(
Arg::new(options::CONTEXT) Arg::new(options::CONTEXT)
.long(options::CONTEXT) .long(options::CONTEXT)
.value_name("CTX") .value_name("CTX")
.value_parser(value_parser!(String))
.help( .help(
"NotImplemented: set SELinux security context of destination file to \ "like -Z, or if CTX is specified then set the SELinux or SMACK security \
default type", context to CTX",
), )
.num_args(0..=1)
.require_equals(true)
.default_missing_value(""),
) )
// END TODO
.arg( .arg(
// The 'g' short flag is modeled after advcpmv // The 'g' short flag is modeled after advcpmv
// See this repo: https://github.com/jarun/advcpmv // See this repo: https://github.com/jarun/advcpmv
@ -739,6 +748,15 @@ pub fn uu_app() -> Command {
Note: this feature is not supported by GNU coreutils.", Note: this feature is not supported by GNU coreutils.",
), ),
) )
// TODO: implement the following args
.arg(
Arg::new(options::COPY_CONTENTS)
.long(options::COPY_CONTENTS)
.overrides_with(options::ATTRIBUTES_ONLY)
.help("NotImplemented: copy contents of special files when recursive")
.action(ArgAction::SetTrue),
)
// END TODO
.arg( .arg(
Arg::new(options::PATHS) Arg::new(options::PATHS)
.action(ArgAction::Append) .action(ArgAction::Append)
@ -971,7 +989,6 @@ impl Options {
let not_implemented_opts = vec![ let not_implemented_opts = vec![
#[cfg(not(any(windows, unix)))] #[cfg(not(any(windows, unix)))]
options::ONE_FILE_SYSTEM, options::ONE_FILE_SYSTEM,
options::CONTEXT,
#[cfg(windows)] #[cfg(windows)]
options::FORCE, options::FORCE,
]; ];
@ -1018,7 +1035,6 @@ impl Options {
return Err(Error::NotADirectory(dir.clone())); return Err(Error::NotADirectory(dir.clone()));
} }
}; };
// cp follows POSIX conventions for overriding options such as "-a", // cp follows POSIX conventions for overriding options such as "-a",
// "-d", "--preserve", and "--no-preserve". We can use clap's // "-d", "--preserve", and "--no-preserve". We can use clap's
// override-all behavior to achieve this, but there's a challenge: when // override-all behavior to achieve this, but there's a challenge: when
@ -1101,7 +1117,7 @@ impl Options {
} }
} }
#[cfg(not(feature = "feat_selinux"))] #[cfg(not(feature = "selinux"))]
if let Preserve::Yes { required } = attributes.context { if let Preserve::Yes { required } = attributes.context {
let selinux_disabled_error = let selinux_disabled_error =
Error::Error("SELinux was not enabled during the compile time!".to_string()); Error::Error("SELinux was not enabled during the compile time!".to_string());
@ -1112,6 +1128,15 @@ impl Options {
} }
} }
// Extract the SELinux related flags and options
let set_selinux_context = matches.get_flag(options::SELINUX);
let context = if matches.contains_id(options::CONTEXT) {
matches.get_one::<String>(options::CONTEXT).cloned()
} else {
None
};
let options = Self { let options = Self {
attributes_only: matches.get_flag(options::ATTRIBUTES_ONLY), attributes_only: matches.get_flag(options::ATTRIBUTES_ONLY),
copy_contents: matches.get_flag(options::COPY_CONTENTS), copy_contents: matches.get_flag(options::COPY_CONTENTS),
@ -1172,6 +1197,8 @@ impl Options {
recursive, recursive,
target_dir, target_dir,
progress_bar: matches.get_flag(options::PROGRESS_BAR), progress_bar: matches.get_flag(options::PROGRESS_BAR),
set_selinux_context: set_selinux_context || context.is_some(),
context,
}; };
Ok(options) Ok(options)
@ -1676,20 +1703,24 @@ pub(crate) fn copy_attributes(
Ok(()) Ok(())
})?; })?;
#[cfg(feature = "feat_selinux")] #[cfg(feature = "selinux")]
handle_preserve(&attributes.context, || -> CopyResult<()> { handle_preserve(&attributes.context, || -> CopyResult<()> {
let context = selinux::SecurityContext::of_path(source, false, false).map_err(|e| { // Get the source context and apply it to the destination
format!( if let Ok(context) = selinux::SecurityContext::of_path(source, false, false) {
"failed to get security context of {}: {e}", if let Some(context) = context {
source.display(), if let Err(e) = context.set_for_path(dest, false, false) {
) return Err(Error::Error(format!(
})?; "failed to set security context for {}: {e}",
if let Some(context) = context { dest.display()
context.set_for_path(dest, false, false).map_err(|e| { )));
format!("failed to set security context for {}: {e}", dest.display(),) }
})?; }
} else {
return Err(Error::Error(format!(
"failed to get security context of {}",
source.display()
)));
} }
Ok(()) Ok(())
})?; })?;
@ -2417,11 +2448,20 @@ fn copy_file(
// like anonymous pipes. Thus, we can't really copy its // like anonymous pipes. Thus, we can't really copy its
// attributes. However, this is already handled in the stream // attributes. However, this is already handled in the stream
// copy function (see `copy_stream` under platform/linux.rs). // copy function (see `copy_stream` under platform/linux.rs).
copy_attributes(source, dest, &options.attributes)?;
} else { } else {
copy_attributes(source, dest, &options.attributes)?; copy_attributes(source, dest, &options.attributes)?;
} }
#[cfg(feature = "selinux")]
if options.set_selinux_context && uucore::selinux::is_selinux_enabled() {
// Set the given selinux permissions on the copied file.
if let Err(e) =
uucore::selinux::set_selinux_security_context(dest, options.context.as_ref())
{
return Err(Error::Error(format!("SELinux error: {}", e)));
}
}
copied_files.insert( copied_files.insert(
FileInformation::from_path(source, options.dereference(source_in_command_line))?, FileInformation::from_path(source, options.dereference(source_in_command_line))?,
dest.to_path_buf(), dest.to_path_buf(),

435
tests/by-util/test_cp.rs
View file

@ -3,7 +3,7 @@
// For the full copyright and license information, please view the LICENSE // For the full copyright and license information, please view the LICENSE
// file that was distributed with this source code. // file that was distributed with this source code.
// spell-checker:ignore (flags) reflink (fs) tmpfs (linux) rlimit Rlim NOFILE clob btrfs neve ROOTDIR USERDIR procfs outfile uufs xattrs // spell-checker:ignore (flags) reflink (fs) tmpfs (linux) rlimit Rlim NOFILE clob btrfs neve ROOTDIR USERDIR procfs outfile uufs xattrs
// spell-checker:ignore bdfl hlsl IRWXO IRWXG // spell-checker:ignore bdfl hlsl IRWXO IRWXG nconfined matchpathcon libselinux-devel
use uutests::at_and_ucmd; use uutests::at_and_ucmd;
use uutests::new_ucmd; use uutests::new_ucmd;
use uutests::path_concat; use uutests::path_concat;
@ -908,32 +908,32 @@ fn test_cp_arg_no_clobber_twice() {
let scene = TestScenario::new(util_name!()); let scene = TestScenario::new(util_name!());
let at = &scene.fixtures; let at = &scene.fixtures;
at.touch("source.txt"); at.touch(TEST_HELLO_WORLD_SOURCE);
scene scene
.ucmd() .ucmd()
.arg("--no-clobber") .arg("--no-clobber")
.arg("source.txt") .arg(TEST_HELLO_WORLD_SOURCE)
.arg("dest.txt") .arg(TEST_HELLO_WORLD_DEST)
.arg("--debug") .arg("--debug")
.succeeds() .succeeds()
.no_stderr(); .no_stderr();
assert_eq!(at.read("source.txt"), ""); assert_eq!(at.read(TEST_HELLO_WORLD_SOURCE), "");
at.append("source.txt", "some-content"); at.append(TEST_HELLO_WORLD_SOURCE, "some-content");
scene scene
.ucmd() .ucmd()
.arg("--no-clobber") .arg("--no-clobber")
.arg("source.txt") .arg(TEST_HELLO_WORLD_SOURCE)
.arg("dest.txt") .arg(TEST_HELLO_WORLD_DEST)
.arg("--debug") .arg("--debug")
.succeeds() .succeeds()
.stdout_contains("skipped 'dest.txt'"); .stdout_contains(format!("skipped '{}'", TEST_HELLO_WORLD_DEST));
assert_eq!(at.read("source.txt"), "some-content"); assert_eq!(at.read(TEST_HELLO_WORLD_SOURCE), "some-content");
// Should be empty as the "no-clobber" should keep // Should be empty as the "no-clobber" should keep
// the previous version // the previous version
assert_eq!(at.read("dest.txt"), ""); assert_eq!(at.read(TEST_HELLO_WORLD_DEST), "");
} }
#[test] #[test]
@ -6248,3 +6248,416 @@ fn test_cp_update_none_interactive_prompt_no() {
assert_eq!(at.read(old_file), "old content"); assert_eq!(at.read(old_file), "old content");
assert_eq!(at.read(new_file), "new content"); assert_eq!(at.read(new_file), "new content");
} }
#[cfg(feature = "feat_selinux")]
fn get_getfattr_output(f: &str) -> String {
use std::process::Command;
let getfattr_output = Command::new("getfattr")
.arg(f)
.arg("-n")
.arg("security.selinux")
.output()
.expect("Failed to run `getfattr` on the destination file");
println!("{:?}", getfattr_output);
assert!(
getfattr_output.status.success(),
"getfattr did not run successfully: {}",
String::from_utf8_lossy(&getfattr_output.stderr)
);
String::from_utf8_lossy(&getfattr_output.stdout)
.split('"')
.nth(1)
.unwrap_or("")
.to_string()
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux() {
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
let args = ["-Z", "--context=unconfined_u:object_r:user_tmp_t:s0"];
at.touch(TEST_HELLO_WORLD_SOURCE);
for arg in args {
ts.ucmd()
.arg(arg)
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.succeeds();
assert!(at.file_exists(TEST_HELLO_WORLD_DEST));
let selinux_perm = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
assert!(
selinux_perm.contains("unconfined_u"),
"Expected 'foo' not found in getfattr output:\n{selinux_perm}"
);
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux_invalid() {
let scene = TestScenario::new(util_name!());
let at = &scene.fixtures;
at.touch(TEST_HELLO_WORLD_SOURCE);
let args = [
"--context=a",
"--context=unconfined_u:object_r:user_tmp_t:s0:a",
"--context=nconfined_u:object_r:user_tmp_t:s0",
];
for arg in args {
new_ucmd!()
.arg(arg)
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.fails()
.stderr_contains("Failed to");
if at.file_exists(TEST_HELLO_WORLD_DEST) {
at.remove(TEST_HELLO_WORLD_DEST);
}
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_preserve_selinux() {
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
let args = ["-Z", "--context=unconfined_u:object_r:user_tmp_t:s0"];
at.touch(TEST_HELLO_WORLD_SOURCE);
for arg in args {
ts.ucmd()
.arg(arg)
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.arg("--preserve=all")
.succeeds();
assert!(at.file_exists(TEST_HELLO_WORLD_DEST));
let selinux_perm_dest = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
assert!(
selinux_perm_dest.contains("unconfined_u"),
"Expected 'foo' not found in getfattr output:\n{selinux_perm_dest}"
);
assert_eq!(
get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_SOURCE)),
selinux_perm_dest
);
#[cfg(all(unix, not(target_os = "freebsd")))]
{
// Assert that the mode, ownership, and timestamps are preserved
// NOTICE: the ownership is not modified on the src file, because that requires root permissions
let metadata_src = at.metadata(TEST_HELLO_WORLD_SOURCE);
let metadata_dst = at.metadata(TEST_HELLO_WORLD_DEST);
assert_metadata_eq!(metadata_src, metadata_dst);
}
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_preserve_selinux_admin_context() {
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
at.touch(TEST_HELLO_WORLD_SOURCE);
// Get the default SELinux context for the destination file path
// On Debian/Ubuntu, this program is provided by the selinux-utils package
// On Fedora/RHEL, this program is provided by the libselinux-devel package
let output = std::process::Command::new("matchpathcon")
.arg(at.plus_as_string(TEST_HELLO_WORLD_DEST))
.output()
.expect("failed to execute matchpathcon command");
assert!(
output.status.success(),
"matchpathcon command failed: {}",
String::from_utf8_lossy(&output.stderr)
);
let output_str = String::from_utf8_lossy(&output.stdout);
let default_context = output_str
.split_whitespace()
.nth(1)
.unwrap_or_default()
.to_string();
assert!(
!default_context.is_empty(),
"Unable to determine default SELinux context for the test file"
);
let cmd_result = ts
.ucmd()
.arg("-Z")
.arg(format!("--context={}", default_context))
.arg(TEST_HELLO_WORLD_SOURCE)
.arg(TEST_HELLO_WORLD_DEST)
.run();
println!("cp command result: {:?}", cmd_result);
if !cmd_result.succeeded() {
println!("Skipping test: Cannot set SELinux context, system may not support this context");
return;
}
assert!(at.file_exists(TEST_HELLO_WORLD_DEST));
let selinux_perm_dest = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
println!("Destination SELinux context: {}", selinux_perm_dest);
assert_eq!(default_context, selinux_perm_dest);
at.remove(&at.plus_as_string(TEST_HELLO_WORLD_DEST));
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux_context_priority() {
// This test verifies that the priority order is respected:
// -Z > --context > --preserve=context
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
at.write(TEST_HELLO_WORLD_SOURCE, "source content");
// First, set a known context on source file (only if system supports it)
let setup_result = ts
.ucmd()
.arg("--context=unconfined_u:object_r:user_tmp_t:s0")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("initial_context.txt")
.run();
// If the system doesn't support setting contexts, skip the test
if !setup_result.succeeded() {
println!("Skipping test: System doesn't support setting SELinux contexts");
return;
}
// Create different copies with different context options
// 1. Using --preserve=context
ts.ucmd()
.arg("--preserve=context")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("preserve.txt")
.succeeds();
// 2. Using --context with a different context (we already know this works from setup)
ts.ucmd()
.arg("--context=unconfined_u:object_r:user_tmp_t:s0")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("context.txt")
.succeeds();
// 3. Using -Z (should use default type context)
ts.ucmd()
.arg("-Z")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("z_flag.txt")
.succeeds();
// 4. Using both -Z and --context (Z should win)
ts.ucmd()
.arg("-Z")
.arg("--context=unconfined_u:object_r:user_tmp_t:s0")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("z_and_context.txt")
.succeeds();
// 5. Using both -Z and --preserve=context (Z should win)
ts.ucmd()
.arg("-Z")
.arg("--preserve=context")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("z_and_preserve.txt")
.succeeds();
// Get all the contexts
let source_ctx = get_getfattr_output(&at.plus_as_string(TEST_HELLO_WORLD_SOURCE));
let preserve_ctx = get_getfattr_output(&at.plus_as_string("preserve.txt"));
let context_ctx = get_getfattr_output(&at.plus_as_string("context.txt"));
let z_ctx = get_getfattr_output(&at.plus_as_string("z_flag.txt"));
let z_and_context_ctx = get_getfattr_output(&at.plus_as_string("z_and_context.txt"));
let z_and_preserve_ctx = get_getfattr_output(&at.plus_as_string("z_and_preserve.txt"));
if source_ctx.is_empty() {
println!("Skipping test assertions: Failed to get SELinux contexts");
return;
}
assert_eq!(
source_ctx, preserve_ctx,
"--preserve=context should match the source context"
);
assert_eq!(
source_ctx, context_ctx,
"--preserve=context should match the source context"
);
assert_eq!(
z_ctx, z_and_context_ctx,
"-Z context should be the same regardless of --context"
);
assert_eq!(
z_ctx, z_and_preserve_ctx,
"-Z context should be the same regardless of --preserve=context"
);
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux_empty_context() {
// This test verifies that --context without a value works like -Z
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
at.write(TEST_HELLO_WORLD_SOURCE, "test content");
// Try creating copies - if this fails, the system doesn't support SELinux properly
let z_result = ts
.ucmd()
.arg("-Z")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("z_flag.txt")
.run();
if !z_result.succeeded() {
println!("Skipping test: SELinux contexts not supported");
return;
}
// Now try with --context (no value)
let context_result = ts
.ucmd()
.arg("--context")
.arg(TEST_HELLO_WORLD_SOURCE)
.arg("empty_context.txt")
.run();
if !context_result.succeeded() {
println!("Skipping test: Empty context parameter not supported");
return;
}
let z_ctx = get_getfattr_output(&at.plus_as_string("z_flag.txt"));
let empty_ctx = get_getfattr_output(&at.plus_as_string("empty_context.txt"));
if !z_ctx.is_empty() && !empty_ctx.is_empty() {
assert_eq!(
z_ctx, empty_ctx,
"--context without a value should behave like -Z"
);
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_selinux_recursive() {
// Test SELinux context preservation in recursive directory copies
let ts = TestScenario::new(util_name!());
let at = &ts.fixtures;
at.mkdir("source_dir");
at.write("source_dir/file1.txt", "file1 content");
at.mkdir("source_dir/subdir");
at.write("source_dir/subdir/file2.txt", "file2 content");
let setup_result = ts
.ucmd()
.arg("--context=unconfined_u:object_r:user_tmp_t:s0")
.arg("source_dir/file1.txt")
.arg("source_dir/context_set.txt")
.run();
if !setup_result.succeeded() {
println!("Skipping test: System doesn't support setting SELinux contexts");
return;
}
ts.ucmd()
.arg("-rZ")
.arg("source_dir")
.arg("dest_dir_z")
.succeeds();
ts.ucmd()
.arg("-r")
.arg("--preserve=context")
.arg("source_dir")
.arg("dest_dir_preserve")
.succeeds();
let z_dir_ctx = get_getfattr_output(&at.plus_as_string("dest_dir_z"));
let preserve_dir_ctx = get_getfattr_output(&at.plus_as_string("dest_dir_preserve"));
if !z_dir_ctx.is_empty() && !preserve_dir_ctx.is_empty() {
assert!(
z_dir_ctx.contains("_u:"),
"SELinux contexts not properly set with -Z flag"
);
assert!(
preserve_dir_ctx.contains("_u:"),
"SELinux contexts not properly preserved with --preserve=context"
);
}
}
#[test]
#[cfg(feature = "feat_selinux")]
fn test_cp_preserve_context_root() {
use uutests::util::run_ucmd_as_root;
let scene = TestScenario::new(util_name!());
let at = &scene.fixtures;
let source_file = "c";
let dest_file = "e";
at.touch(source_file);
let context = "root:object_r:tmp_t:s0";
let chcon_result = std::process::Command::new("chcon")
.arg(context)
.arg(at.plus_as_string(source_file))
.status();
if !chcon_result.is_ok_and(|status| status.success()) {
println!("Skipping test: Failed to set context: {}", context);
return;
}
// Copy the file with preserved context
// Only works as root
if let Ok(result) = run_ucmd_as_root(&scene, &["--preserve=context", source_file, dest_file]) {
let src_ctx = get_getfattr_output(&at.plus_as_string(source_file));
let dest_ctx = get_getfattr_output(&at.plus_as_string(dest_file));
println!("Source context: {}", src_ctx);
println!("Destination context: {}", dest_ctx);
if !result.succeeded() {
println!("Skipping test: Failed to copy with preserved context");
return;
}
let dest_context = get_getfattr_output(&at.plus_as_string(dest_file));
assert!(
dest_context.contains("root:object_r:tmp_t"),
"Expected context '{}' not found in destination context: '{}'",
context,
dest_context
);
} else {
print!("Test skipped; requires root user");
}
}