How To Set A Directory To System_u?


Hi,

I’m trying to label a directory for ejabberd to store files that were uploaded with the http_upload module. Apparently I should set this to ‘system_u:object_r:ejabberd_var_lib_t:s0’ since all the files in /var/lib/ejabberd are. So:

```
ls -laZ /srv/data/
unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?'
restorecon -R /srv/data/ejabberd/
ls -laZ /srv/data/
unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
```

Why doesn’t this work? Why can’t they finally write some decent tool to use selinux that allows us to keep it enabled???

How can I set up the directory for ejabberd to store files in?

4 thoughts on - How To Set A Directory To System_u?

  • First you could try to create files manually in /srv/data/ejabberd and verify if the files are correctly labeled, but above looks good to me. Something like

    # touch /srv/data/ejabberd/…

    If that works, it could be the httpd_upload module that causes wrong labels.

    Just a shot in the dark:

    Maybe the http_upload module does move the file from a temporary location to /srv/data/ejabberd/ and the label from tmpdir is preserved?

    I try to demonstrate what I mean (with httpd, not ejabberd):

    ```
    # pwd
    /var/www/html
    # ls -Zd
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
    # touch /tmp/a.html
    # touch /tmp/b.html
    # ls -Z /tmp/{a,b}.html
    -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html
    -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html
    # cp /tmp/a.html correct-1.html
    # mv -Z /tmp/a.html correct-2.html
    # mv /tmp/b.html incorrect.html
    # ls -Z
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
    -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
    ```

    With copy the destination label is as wanted. With mv you need to specify the -Z switch, otherwise the label is preserved.

    kind regards, markus

  • Good idea! It works:

    ```
    touch /srv/data/ejabberd/test
    ls -laZ /srv/data/ejabberd/
    root root unconfined_u:object_r:ejabberd_var_lib_t:s0 0 Oct 3 09:57 test
    ```

    What doesn’t work is setting the directory to system_u.

    The problem is that selinux prevents ejabberd/the module from creating files in the directory in the first place because it doesn’t have write access. I either need to create a selinux module that allows access which is less restrictive, or I need to label the directory so that the default selinux permissions need no change.

    Hm, how could I tell if that’s the case? I’d have to check the source maybe. If that’s the case, that would be very bad because some temporary directory may not have enough space for the files that may be uploaded. Having enough space is the reason that I created the directory for uploads in the first place.

    Hm, good to know. It’s odd that mv doesn’t do that by default since it keeps everything else.

    However, ejabberd says in its log file:

    [error] […] Cannot store file […] from […] permission denied

    At least it looks as if ejabberd tries to save the file right where it should but can’t.

    So why and how can’t and can I set the directory to system_u? Since there are directories labeled as that, there has to be a way to do that.

  • What about

      semanage fcontext   ??

    see “man semanage-fcontext”

    peter

    On 02.10.21 at 13:49, hw wrote:

  • you are sure that selinux is causing this?
    you do have an AVC?

    try -F

    ```
    # restorecon -RF /srv/data/ejabberd/
    ```

    or the manual way

    ```
    # chcon -R -u system_u /srv/data/ejabberd/
    ```

    best regards, markus
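The thread turns on the distinction between the two label mismatches seen above: a wrong *type* (user_tmp_t left behind by mv) is fixed by plain restorecon, while a wrong SELinux *user* (unconfined_u instead of system_u) survives restorecon unless -F is given. The following Python audit over `ls -Z` output is an added example, not code from the thread; its sample listing is constructed, and the expected context is assumed to be the one the original poster named.

```python
import re
from collections import Counter

# Constructed sample of `ls -Z` output for the upload directory, modelled on
# the listings in the thread (not captured from a real host).
SAMPLE_LS_Z = """\
drwxr-xr-x. root     root     unconfined_u:object_r:ejabberd_var_lib_t:s0 .
-rw-r--r--. ejabberd ejabberd unconfined_u:object_r:ejabberd_var_lib_t:s0 test
-rw-r--r--. ejabberd ejabberd unconfined_u:object_r:user_tmp_t:s0 moved-from-tmp.bin
-rw-r--r--. root     root     system_u:object_r:ejabberd_var_lib_t:s0 restored.bin
"""

# Assumed target context, taken from the original post.
EXPECTED = "system_u:object_r:ejabberd_var_lib_t:s0"

# mode owner group context name  (ls -Z layout; names may contain spaces)
LS_Z_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def split_context(ctx):
    """Split user:role:type:level; the level itself may contain ':' (MLS ranges)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_ls_z(text):
    """Yield (name, context) pairs from `ls -Z` output, skipping unparsable lines."""
    for line in text.splitlines():
        m = LS_Z_LINE.match(line.strip())
        if m:
            yield m.group(5), m.group(4)


def classify(ctx, expected=EXPECTED):
    """Say which part of the label is off and therefore which tool repairs it."""
    have, want = split_context(ctx), split_context(expected)
    if have["type"] != want["type"]:
        return "type"  # plain `restorecon -R` resets the type
    if have["user"] != want["user"]:
        return "user"  # only `restorecon -RF` or `chcon -R -u system_u` touch the user
    return "ok"


def audit(text, expected=EXPECTED):
    """Return per-entry verdicts plus a count of each verdict."""
    verdicts = {name: classify(ctx, expected) for name, ctx in parse_ls_z(text)}
    return verdicts, Counter(verdicts.values())


if __name__ == "__main__":
    per_file, summary = audit(SAMPLE_LS_Z)
    for name, verdict in per_file.items():
        print(f"{verdict:5} {name}")
    print(dict(summary))
```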