[CentOS] how to set a directory to system_u?

Sun Oct 3 08:11:18 UTC 2021
hw <hw at gc-24.de>

On Sat, 2021-10-02 at 15:12 +0200, Markus Falb wrote:
> 
> > On 02.10.2021, at 13:49, hw <hw at gc-24.de> wrote:
> > 
> > 
> > I'm trying to label a directory for ejabberd to store files
> > that were uploaded with the http_upload module.  Apparently
> > I should set this to 'system_u:object_r:ejabberd_var_lib_t:s0'
> > since all the files in /var/lib/ejabberd are.  So:
> > 
> > ```
> > ls -laZ /srv/data/
> > unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
> > semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?'
> > restorecon -R /srv/data/ejabberd/
> > ls -laZ /srv/data/
> > unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
> > ```
> 
> First you could try to create files manually in /srv/data/ejabberd and
> verify if the files are correctly labeled, but above looks good to me.

Good idea!  It works:

```
touch /srv/data/ejabberd/test
ls -laZ /srv/data/ejabberd/
root     root     unconfined_u:object_r:ejabberd_var_lib_t:s0     0 Oct  3 09:57 test
```

What doesn't work is setting the directory to system_u.

> Something like
> 
> # touch /srv/data/ejabberd/…
> 
> If that works, it could be the httpd_upload module that causes wrong labels

The problem is that selinux prevents ejabberd/the module from creating files in
the directory in the first place because it doesn't have write access.  I either
need to create a selinux module that allows access which is less restrictive, or
I need to label the directory so that the default selinux permissions need no
change.

> Just a shot in the dark:
> 
> Maybe the http_upload module does move the file from a temporary location
> to /srv/data/ejabberd/ and the label from tmpdir is preserved?

Hm, how could I tell if that's the case?  I'd have to check the source maybe.
If that's the case, that would be very bad because some temporary directory
may not have enough space for the files that may be uploaded.  Having
enough space is the reason that I created the directory for uploads in the
first place.


> I try to demonstrate what I mean (with httpd, not ejabberd):
> 
> ```
> # pwd
> /var/www/html
> # ls -Zd
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
> # touch /tmp/a.html
> # touch /tmp/b.html
> # ls -Z /tmp/{a,b}.html
> -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html
> -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html
> # cp /tmp/a.html correct-1.html
> # mv -Z /tmp/a.html correct-2.html
> # mv /tmp/b.html incorrect.html
> # ls -Z
> -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
> -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
> -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
> ```
> 
> With copy the destination label is as wanted.
> With mv you need to specify the -Z switch, otherwise the label is preserved.

Hm, good to know.  It's odd that mv doesn't do that by default since it keeps
everything else.

However, ejabberd says in its log file:

```
[error] [...] Cannot store file [...] from [...] permission denied
```

At least it looks as if ejabberd tries to save the file right where it should but
can't.

So why can't I, and how can I, set the directory to system_u?  Since there are
directories labeled as that, there has to be a way to do that.
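As an added example (not part of the thread, and not code from the ejabberd or CentOS projects): a small POSIX shell script that audits the user and type fields of `ls -Z` style output against an expected context, and shows the relabel step that resets the user field. The relabel function assumes an SELinux-enabled host with policycoreutils (`semanage`, `restorecon`); the audit itself runs anywhere, here over a constructed listing modelled on the thread. The point it illustrates: plain `restorecon` resets only the type field of a file's context, while `restorecon -F` also resets the user, role and range from the registered file context, which is the part that moves `unconfined_u` to `system_u`.

```shell
#!/bin/sh
# Added example, not from the original thread. Audit the SELinux user/type
# fields in `ls -Z` style output and show the relabel step that resets the
# user field. Relabeling needs an SELinux host with policycoreutils installed.
set -eu

# Expected context fields, taken from the thread's target label.
EXPECTED_USER="${EXPECTED_USER:-system_u}"
EXPECTED_TYPE="${EXPECTED_TYPE:-ejabberd_var_lib_t}"

# ctx_field CONTEXT N: print field N of "user:role:type:level" (1=user, 3=type).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# audit_listing: read `ls -Z` / `ls -laZ` lines on stdin and print one line per
# entry whose user or type differs from the expectation, then "mismatches=N".
# The context is the only field shaped like a:b:c:d; the name is the last
# field (names containing spaces are not handled).
audit_listing() {
    awk -v want_u="$EXPECTED_USER" -v want_t="$EXPECTED_TYPE" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) ctx = $i
            if (ctx == "") next          # e.g. the "total N" line
            split(ctx, f, ":")
            if (f[1] != want_u) { printf "USER %s has %s, want %s\n", $NF, f[1], want_u; n++ }
            if (f[3] != want_t) { printf "TYPE %s has %s, want %s\n", $NF, f[3], want_t; n++ }
        }
        END { printf "mismatches=%d\n", n + 0 }'
}

# relabel_tree DIR: register the full context for DIR and force a relabel.
# Plain `restorecon` resets only the type; `-F` also resets user, role and
# range from the file_contexts entry, which is what turns unconfined_u into
# system_u. Use `semanage fcontext -m` instead of `-a` if the spec already exists.
relabel_tree() {
    dir="$1"
    semanage fcontext -a -s "$EXPECTED_USER" -t "$EXPECTED_TYPE" "${dir}(/.*)?"
    restorecon -RvF "$dir"
}

# Constructed sample listing modelled on the thread (not real output). The last
# entry shows a file moved in with plain `mv`, which keeps its old type;
# `cp` or `mv -Z` would have given it the directory's default label.
SAMPLE='drwxr-xr-x. root root unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
-rw-r--r--. root root unconfined_u:object_r:ejabberd_var_lib_t:s0 0 Oct  3 09:57 test
-rw-r--r--. root root system_u:object_r:ejabberd_var_lib_t:s0 0 Oct  3 09:58 ok
-rw-r--r--. root root system_u:object_r:user_tmp_t:s0 12 Oct  3 09:59 moved-from-tmp'

printf '%s\n' "$SAMPLE" | audit_listing

# With RELABEL_DIR set on an SELinux host: relabel that tree, then audit it.
if [ -n "${RELABEL_DIR:-}" ]; then
    relabel_tree "$RELABEL_DIR"
    ls -laZ "$RELABEL_DIR" | audit_listing
fi
```

On the constructed sample the audit reports the two `unconfined_u` entries as user mismatches and the moved-in file as a type mismatch. Running with `RELABEL_DIR=/srv/data/ejabberd` on the host from the thread would apply the `-F` relabel and then list whatever still deviates; a file that the service itself cannot create will of course never show up there, so the audit complements, rather than replaces, reading the AVC denials.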