> On 02.10.2021, at 13:49, hw <hw at gc-24.de> wrote:
>
>
> I'm trying to label a directory for ejabberd to store files
> that were uploaded with the http_upload module. Apparently
> I should set this to 'system_u:object_r:ejabberd_var_lib_t:s0'
> since all the files in /var/lib/ejabberd are. So:
>
>
> ls -laZ /srv/data/
> unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd
> semanage fcontext -a -t ejabberd_var_lib_t -s system_u '/srv/data/ejabberd(/.*)?'
> restorecon -R /srv/data/ejabberd/
> ls -laZ /srv/data/
> unconfined_u:object_r:ejabberd_var_lib_t:s0 320 Jul 29 23:55 ejabberd

First you could try to create files manually in /srv/data/ejabberd and
verify if the files are correctly labeled, but the above looks good to me.

Something like:

# touch /srv/data/ejabberd/?

If that works, it could be the http_upload module that causes wrong labels.

Just a shot in the dark:
Maybe the http_upload module does move the file from a temporary location
to /srv/data/ejabberd/ and the label from tmpdir is preserved?

I'll try to demonstrate what I mean (with httpd, not ejabberd):

```
# pwd
/var/www/html
# ls -Zd
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
# touch /tmp/a.html
# touch /tmp/b.html
# ls -Z /tmp/{a,b}.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/b.html
# cp /tmp/a.html correct-1.html
# mv -Z /tmp/a.html correct-2.html
# mv /tmp/b.html incorrect.html
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
```
With copy the destination label is as wanted.
With mv you need to specify the -Z switch, otherwise the label is preserved.
kind regards, markus
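
The label preservation shown in the message above can be checked for across a whole directory listing. The following is an added example, not part of the original message: the function name `find_mislabeled` and the helper `sample_listing` are assumptions, and the sample lines are constructed from the listing in the message.

```shell
#!/bin/sh
# Added example: report files whose SELinux type differs from the expected one.
# Input is `ls -Z` style text on stdin. The context field is located by
# pattern, so both the older layout (mode user group context name) and the
# newer one (context name) are handled.

find_mislabeled() {
    # $1 = expected SELinux type, e.g. httpd_sys_content_t
    awk -v want="$1" '
    {
        ctx = ""; idx = 0
        for (i = 1; i <= NF; i++) {
            # user:role:type:level (the level may hold more colons, e.g. s0:c1,c2)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z0-9_]+:s[0-9]/) { ctx = $i; idx = i; break }
        }
        if (ctx == "") next              # "total N" lines, unlabeled entries
        split(ctx, part, ":")            # part[3] is the type
        if (part[3] != want) {
            # everything after the context is the file name (may contain spaces)
            name = $(idx + 1)
            for (j = idx + 2; j <= NF; j++) name = name " " $j
            print part[3] "\t" name
        }
    }'
}

# Constructed sample: the three files from the httpd demonstration above.
sample_listing() {
    cat <<'EOF'
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 correct-2.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 incorrect.html
EOF
}

# Prints the offending type and file name, tab separated.
sample_listing | find_mislabeled httpd_sys_content_t

# On a live system the same check would be, for the directory in this thread:
#   ls -Z /srv/data/ejabberd | find_mislabeled ejabberd_var_lib_t
# and a reported file can be reset to the policy default with:
#   restorecon -v <path>
```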