On Sat, 2021-10-02 at 15:12 +0200, Markus Falb wrote:
On 02.10.2021, at 13:49, hw hw@gc-24.de wrote:
I'm trying to a lable a directory for ejabberd to store files that were uploaded with the http_upload module. Apparently I should set this to 'system_u:object_r:ejabberd_var_lib_t:s0' since all the files in /var/lib/ejabberd are. So:
ls -laZ /srv/data/ unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?' restorecon -R /srv/data/ejabberd/ ls -laZ /srv/data/ unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
First you could try to create files manually in /srv/data/ejabberd and verify if the files are correctly labeled, but above looks good to me.
Good idea! It works:
touch /srv/data/ejabberd/test ls -laZ /srv/data/ejabberd/ root root unconfined_u:object_r:ejabberd_var_lib_t:s0 0 Oct 3 09:57 test
What doesn't work is setting the directory to system_u.
Something like
# touch /srv/data/ejabberd/…
If that works, it could be the httpd_upload module that causes wrong labels
The problem is that selinux prevents ejabberd/the module from creating files in the directory in the first place because it doesn't have write access. I either need to create a selinux module that allows access which is less restrictive, or I need to label the directory so that the default selinux permissions need no change.
Just a shot in the dark:
Maybe the http_upload module does move the file from a temporary location to /srv/data/ejabberd/ and the label from tmpdir is preserved?
Hm how could I tell if that's the case? I'd have to check the source maybe. If that's the case, that would be very bad because some temporary directory may not have not enough space for the files that may be uploaded. Having enough space is the reason that I created the directory for uploads in the first place.
I try to demonstrate what I mean (with httpd, not ejabberd):
# pwd /var/www/html # ls -Zd drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 # touch /tmp/a.html # touch /tmp/b.html # ls -Z /tmp/{a,b}.html -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html # cp /tmp/a.html correct-1.html # mv -Z /tmp/a.html correct-2.html # mv /tmp/b.html incorrect.html # ls -Z -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
With copy the destination label is as wanted. With mv you need to specify the -Z switch, otherwise the label is preserved.
Hm, good to know. It's odd that mv doesn't do that by default since it keeps everytihng else.
However, ejabberd says in it's log file:
[error] [...] Cannot store file [...] from [...] permission denied
At least it looks as if ejabberd tries to save the file right where it should but can't.
So why and how can't and can I set the directory to system_u? Since there are directories labled as that, there has to be way to do that.