On 02.10.2021, at 13:49, hw hw@gc-24.de wrote:
I'm trying to label a directory for ejabberd to store files that were uploaded with the http_upload module. Apparently I should set this to 'system_u:object_r:ejabberd_var_lib_t:s0' since all the files in /var/lib/ejabberd are. So:
```
ls -laZ /srv/data/
unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?'
restorecon -R /srv/data/ejabberd/
ls -laZ /srv/data/
unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
```
First you could try to create files manually in /srv/data/ejabberd and verify if the files are correctly labeled, but the above looks good to me. Something like
# touch /srv/data/ejabberd/…
If that works, it could be the http_upload module that causes wrong labels.
Just a shot in the dark:
Maybe the http_upload module does move the file from a temporary location to /srv/data/ejabberd/ and the label from tmpdir is preserved?
I try to demonstrate what I mean (with httpd, not ejabberd):
```
# pwd
/var/www/html
# ls -Zd
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
# touch /tmp/a.html
# touch /tmp/b.html
# ls -Z /tmp/{a,b}.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html
# cp /tmp/a.html correct-1.html
# mv -Z /tmp/a.html correct-2.html
# mv /tmp/b.html incorrect.html
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
```
With copy the destination label is as wanted. With mv you need to specify the -Z switch, otherwise the label is preserved.
kind regards, markus
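
The label comparison from the demonstration above, turned into a reusable check. This is an added example and not part of the original mail; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files whose SELinux type differs from the expected one.
# Reads `ls -Z` output on stdin and prints "<type><TAB><name>" per mismatch.
# Handles the older layout shown in the mail (mode user group context name)
# and the newer coreutils layout (context name).
# Limitation: runs of whitespace inside a file name are collapsed to one space.
find_mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i < NF; i++) {
            # A context is user:role:type:level, so it has at least 4 parts;
            # mode, owner, group and time fields never do.
            if (split($i, ctx, ":") >= 4) {
                name = $(i + 1)
                for (j = i + 2; j <= NF; j++) name = name " " $j
                if (ctx[3] != want) print ctx[3] "\t" name
                next
            }
        }
    }'
}

# Constructed sample: the three result lines from the demonstration above,
# plus one constructed line in the newer "context name" layout.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
unconfined_u:object_r:user_tmp_t:s0 upload 2.bin'

# Run the check over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
}

check_sample
```

On a live system the same function can be fed with `ls -Z /srv/data/ejabberd | find_mislabeled ejabberd_var_lib_t`. `restorecon -n -v -R /srv/data/ejabberd` gives a policy-aware report of the same mismatches without changing any labels.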