> On 02.10.2021, at 13:49, hw <hw at gc-24.de> wrote:
>
> I'm trying to label a directory for ejabberd to store files
> that were uploaded with the http_upload module. Apparently
> I should set this to 'system_u:object_r:ejabberd_var_lib_t:s0'
> since all the files in /var/lib/ejabberd are. So:
>
> ls -laZ /srv/data/
> unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
> semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?'
> restorecon -R /srv/data/ejabberd/
> ls -laZ /srv/data/
> unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd

First you could try to create files manually in /srv/data/ejabberd and verify if the files are correctly labeled, but the above looks good to me. Something like

# touch /srv/data/ejabberd/…

If that works, it could be the http_upload module that causes wrong labels.

Just a shot in the dark: Maybe the http_upload module moves the file from a temporary location to /srv/data/ejabberd/ and the label from the tmpdir is preserved?

I'll try to demonstrate what I mean (with httpd, not ejabberd):

```
# pwd
/var/www/html
# ls -Zd
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
# touch /tmp/a.html
# touch /tmp/b.html
# ls -Z /tmp/{a,b}.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html
# cp /tmp/a.html correct-1.html
# mv -Z /tmp/a.html correct-2.html
# mv /tmp/b.html incorrect.html
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
```

With copy, the destination label is as wanted. With mv you need to specify the -Z switch, otherwise the label is preserved.

kind regards,
markus
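
A way to spot files that kept a foreign label after being moved in, as in the demonstration above. This is an added example, not part of the original mail: `find_mislabeled` and `sample_listing` are hypothetical helper names, and the sample input is the final `ls -Z` listing from the mail, embedded so the script runs without SELinux.

```shell
#!/bin/sh
# Added example: flag entries in `ls -Z` output whose SELinux type is not the
# expected one (e.g. a file moved in with plain `mv` that kept user_tmp_t).

# find_mislabeled EXPECTED_TYPE -- reads an `ls -Z` listing on stdin and
# prints "name<TAB>actual_type" for each mismatch; returns 1 if any was found.
find_mislabeled() {
    awk -v want="$1" '
        {
            # Locate the context column (user:role:type:level); its position
            # differs between the long and short `ls -Z` formats.
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) { ctx = $i; break }
            if (ctx == "" || i == NF) next      # no context or no file name
            split(ctx, part, ":")               # part[3] is the type
            if (part[3] != want) {
                printf "%s\t%s\n", $NF, part[3] # assumes names without spaces
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the final listing from the mail above.
sample_listing() {
    cat <<'EOF'
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
EOF
}

# Prints: incorrect.html<TAB>user_tmp_t
sample_listing | find_mislabeled httpd_sys_content_t || true
```

On a live SELinux host, `restorecon -n -v -R /srv/data/ejabberd` reports files whose label differs from the policy default without changing them.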