7

I am trying to change the SELinux context for the upload directory to enable anonymous upload.

This is the directory path: /var/ftp/upload

This is the default context

[root@server ftp]# ls -Z upload
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 upload

I tried this command to change the type of the directory

[root@server ftp]# semanage fcontext -a -t public_content_rw_t upload
[root@server ftp]# restorecon -v upload

It's not changing. What is the mistake here?

[root@server ftp]# ls -Z pub
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 upload
max

4 Answers

6

The difference between semanage and chcon is that chcon is "temporary": if the system gets relabeled, the contexts present on a file / directory will be lost; using semanage makes SELinux contexts persistent.

In order for semanage to work, you must provide the full path to the file or directory. That is why semanage fcontext -a -t public_content_rw_t upload/ does not work but semanage fcontext -a -t public_content_rw_t "/var/ftp/upload(/.*)?" does; restorecon does not require the full path.

nighter
3

This is the default context

[root@server ftp]# ll -Zd upload/
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 upload/

I tried this command to change the context

[root@server ftp]# semanage fcontext -a -t public_content_rw_t upload/
[root@server ftp]# ll -Zd upload/
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 upload/
[root@server ftp]# restorecon -R -v upload
[root@server ftp]# ll -Zd upload/
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 upload/

It's not working, but this command will write the context in the /etc/selinux/targeted/contexts/files/file_contexts.local file.

See here:

# This file is auto-generated by libsemanage
# Do not edit directly.

upload/    system_u:object_r:public_content_rw_t:s0

Now I tried this command (Working Command)

[root@server ftp]# semanage fcontext -a -t public_content_rw_t "/var/ftp/upload(/.*)?"
[root@server ftp]# restorecon -R -v upload
restorecon reset /var/ftp/upload context unconfined_u:object_r:public_content_t:s0->unconfined_u:object_r:public_content_rw_t:s0
Now context is changed.
[root@server ftp]# ll -Zd upload/
drwxr-xr-x. root root unconfined_u:object_r:public_content_rw_t:s0 upload/

But I really don't know why it's working; see the difference in the commands.

I got the answer in the man page: man ftpd_selinux

semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
max
1

According to this page:

The file_contexts.local file stores contexts to newly created files and directories not found in file_contexts.

That's why you find the log message in file_contexts.local.

When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.

This is the hint to use the full path for correct relabeling.

Hawk Zhang
  • Which means you need to specify the absolute path instead of the relative path for the semanage command. – silencej Sep 27 '20 at 06:50
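
Added example (not part of any answer or comment above): a shell sketch of why the relative spec upload/ recorded in file_contexts.local never takes effect while "/var/ftp/upload(/.*)?" does. It assumes a simplified model in which each path spec is a regular expression matched against the whole absolute path and the last matching entry wins; SAMPLE_ENTRIES, relative_specs and lookup_context are hypothetical names, and the sample entries are constructed from the two specs shown on this page.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical.
# Simplified model: a path spec is a regex matched against the whole
# absolute path (anchored ^...$), and the last matching entry wins.
# Assumes two-column entries (spec, context) as shown on this page.

# Constructed sample in file_contexts.local format, using the page's two specs.
SAMPLE_ENTRIES='# This file is auto-generated by libsemanage
# Do not edit directly.

upload/    system_u:object_r:public_content_rw_t:s0
/var/ftp/upload(/.*)?    system_u:object_r:public_content_rw_t:s0'

# Print each path spec that does not start with "/"; such a spec can
# never match, because lookups are done on absolute paths.
relative_specs() {
    printf '%s\n' "$1" | while read -r spec rest; do
        case "$spec" in
            ''|'#'*|/*) ;;                 # blank, comment, or absolute: fine
            *) printf '%s\n' "$spec" ;;    # relative: dead entry
        esac
    done
}

# Print the context that the entries in $1 assign to absolute path $2
# (empty output means no local entry matches).
lookup_context() {
    printf '%s\n' "$1" | while read -r spec ctx; do
        case "$spec" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$2" | grep -Eq "^${spec}\$"; then
            printf '%s\n' "$ctx"
        fi
    done | tail -n 1
}

echo "dead (relative) specs: $(relative_specs "$SAMPLE_ENTRIES")"
for p in /var/ftp/upload /var/ftp/upload/incoming.txt /var/ftp/pub; do
    echo "$p -> $(lookup_context "$SAMPLE_ENTRIES" "$p")"
done
```

Running relative_specs over the contents of a real file_contexts.local is a quick way to spot entries that were added with a relative path and will never be applied by restorecon.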
-1

Try

chcon -t public_content_rw_t /var/ftp/upload

It will work.

Unnikrishnan
  • First of all, it is not `chcon -R`, it should be `chcon -t` (for this particular example), and one more thing: I think it is not the permanent method. Now type `restorecon -v upload` and check; it will change the context to default. – max Nov 04 '13 at 07:30