Re: how to set a directory to system_u?





> On 02.10.2021, at 13:49, hw <hw@xxxxxxxx> wrote:
> 
> 
> I'm trying to label a directory for ejabberd to store files
> that were uploaded with the http_upload module.  Apparently
> I should set this to 'system_u:object_r:ejabberd_var_lib_t:s0'
> since all the files in /var/lib/ejabberd are.  So:
> 
> 
> ls -laZ /srv/data/
> unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
> semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?'
> restorecon -R /srv/data/ejabberd/
> ls -laZ /srv/data/
> unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd

First you could try to create files manually in /srv/data/ejabberd and
verify that the files are correctly labeled, but the above looks good to me.
Something like

# touch /srv/data/ejabberd/…

If that works, it could be the httpd_upload module that causes wrong labels.

Just a shot in the dark:

Maybe the http_upload module does move the file from a temporary location
to /srv/data/ejabberd/ and the label from tmpdir is preserved?

I'll try to demonstrate what I mean (with httpd, not ejabberd):

```
# pwd
/var/www/html
# ls -Zd
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
# touch /tmp/a.html
# touch /tmp/b.html
# ls -Z /tmp/{a,b}.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html
# cp /tmp/a.html correct-1.html
# mv -Z /tmp/a.html correct-2.html
# mv /tmp/b.html incorrect.html
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
```

With copy the destination label is as wanted.
With mv you need to specify the -Z switch, otherwise the label is preserved.

kind regards, markus
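As an added check (not part of the thread), a small shell function that scans `ls -Z` style output for entries whose SELinux user or type differs from the expected context; this is the kind of sweep you would run over the upload directory after the `mv`/`cp` experiment above or after a `restorecon` to catch files that kept their tmp label. The function names and the sample listing are constructed for this example.

```shell
# find_mislabeled: read "ls -Z"-style lines (mode owner group context name)
# on stdin and print "name user:type" for every entry whose SELinux user
# or type differs from the expected values.
# Usage: find_mislabeled EXPECTED_USER EXPECTED_TYPE < listing
find_mislabeled() {
    expected_user="$1"
    expected_type="$2"
    awk -v u="$expected_user" -v t="$expected_type" '
        {
            # locate the field that looks like a context: user:role:type[:level]
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[a-z0-9_]+_u:[a-z0-9_]+_r:[a-z0-9_]+_t(:[a-z0-9:.-]+)?$/) {
                    split($i, c, ":")
                    # "ls -Zd" without a name argument ends with the context itself
                    name = (i == NF) ? "." : $NF
                    if (c[1] != u || c[3] != t)
                        print name " " c[1] ":" c[3]
                    break
                }
            }
        }'
}

# Constructed sample listing (not real output from any system in the thread):
# one correctly labeled file, one with the wrong SELinux user, and one that
# was moved from /tmp without -Z and therefore kept user_tmp_t.
sample_listing='-rw-r--r--. root root system_u:object_r:ejabberd_var_lib_t:s0 ok.bin
-rw-r--r--. root root unconfined_u:object_r:ejabberd_var_lib_t:s0 wrong-user.bin
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 moved-from-tmp.bin'

# count_mislabeled: number of sample entries that do not carry
# system_u / ejabberd_var_lib_t
count_mislabeled() {
    printf '%s\n' "$sample_listing" \
        | find_mislabeled system_u ejabberd_var_lib_t \
        | wc -l | tr -d ' '
}

# On a real host you would feed it live output instead, e.g.:
#   ls -Z /srv/data/ejabberd | find_mislabeled system_u ejabberd_var_lib_t
```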

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



