Copying, Moving, and Archiving Files with SELinux Contexts
RHEL Linux attaches SELinux security contexts with all default files and directories. Creating a new file or directory inherits the SELinux security contexts from its parent directory. However, instead of creating a new file, if we move, copy, archive, or extract an archive, it uses specific rules to label SELinux contexts to the copied, transferred, or extracted file. This tutorial explains these rules.
Copying files with SELinux contexts
A file gets its SELinux contexts from its parent's directory. If we copy a file in the same directory, it gets the same SELinux contexts as the source, and the destination files have the same parent directory. However, if we copy the file to a different directory, the copied file gets its SELinux contexts from the destination directory.
Exercise
- Create a file and check its SELinux contexts.
- Copy the file in the same directory and a different directory.
- Check SELinux contexts of copied files in both directories.
#touch testfile #ls -lZ testfile #cp testfile testfile1 #ls -lZ testfile* #cp testfile /var/www/html/ #ls -lZ /var/www/html/testfile

Preserving SELinux contexts
The --preserve=context argument preserves SELinux context while copying, moving, and archiving the file.
Exercise
- Create a file and note down its SELinux contexts.
- Copy this file to a new directory.
- Use the --preserve=context argument with the cp command.
- Check the SELinux contexts of the copied file.
#touch testfile2 #ls -lZ testfile2 #cp testfile2 --preserve=context /var/www/html/ #ls -lZ /var/www/html/testfile2

If the copy operation overwrites the destination file, the new file gets the SELinux context of the existing file.

To preserve the context of the source file, use the --preserve=context argument with the cp command.

Moving files with SELinux contexts
Moving a file does not affect its SELinux contexts. No matter which directory we move it to, its SELinux contexts remain the same.
Exercise
- Create two files and check their security contexts
- Move the first file to the same directory with a different name
- Move the second file to a different directory
- Check the SELinux contexts of both files
#touch testfile7 #touch testfile8 #ls -lZ testfile* #mv testfile7 testfile9 #ls -lZ testfile9 #mv testfile8 /var/www/html/ #ls -lZ /var/www/html/testfile8

Since the move operation does not affect the SELinux contexts, you do not need to use the --preserve=context argument with it to keep the original SELinux contexts.
Archiving files with SELinux contexts
By default, the archive operation does not preserve the SELinux contexts. When we extract an archived file, the extracted files get SELinux contexts from their parent directory. The --selinux option preserves the SELinux contexts.
Exercise
- Create two test files and check their SELinux contexts.
- Create a directory on another partition.
- Create an archive file and add the first file to it.
- Create another archive file and add the second file to it.
- When adding the second file to the archive, use the --selinux option.
- Change the current directory to the test directory.
- Extract both archive files.
- Use the --selinux option when extracting the second archive file.
#touch testfile10 #ls -lZ testfile10 #mkdir /testdir/ #touch /testdir/file1 #tar -cvf /testdir/testarchive.tar testfile10 #cd /testdir #ls -lZ #tar -xvf testarchive.tar #ls -lZ #cd

#touch testfile11 #ls -lZ testfile11 #tar --selinux -cvf /testdir/testarchive1.tar testfile11 #cd /testdir #ls -lZ #tar --selinux -xvf testarchive1.tar #ls -lZ #cd

Key points:-
- A file or directory gets its SELinux contexts from its parent directory.
- Copying, moving, and archiving affect SELinux contexts differently.
- When we copy a file, the copied file gets its context from the directory where we place it.
- The --preserve=context argument preserves contexts during the copy operation. If we use it, the copied file gets its context from the source rather than the destination directory.
- When we move a file, its context remains the same.
- When we archive files, the archive utility removes contexts. It adds them back based on the destination directory when we extract the archived file.
- The --selinux option preserves contexts during the archive and extract operations.
This tutorial is part of the tutorial " SELinux Explained with Examples.". Other parts of this tutorial are as follows:
Chapter 1 Basic concepts and fundamentals of SELinux
Chapter 2 SELinux and AppArmor Differences and Terminology
Chapter 3 SELinux Modes Explained with Examples
Chapter 4 SELinux Contexts for Users, Processes, and Files
Chapter 5 Copying, Moving, and Archiving Files with SELinux Contexts
Chapter 6 SELinux Explained with Examples in Easy Language
Chapter 7 SELinux Booleans Explained with Examples
Chapter 8 Troubleshooting SELinux explained with Booleans
Conclusion
SELinux is a security feature. It adds security contexts to all files and directories. Copy, move, and archive are standard file operations. These operations affect SELinux contexts differently. This tutorial explained how SELinux contexts work with these operations.
Author Laxmi Goswami Updated on 2026-02-09