Default SELinux context for seafile-server-*/seahub folder


#1

Hi! I installed seafile server 6.3.4 on CentOS 7. SELinux provides troubles.
So, I added tcp/8000 and tcp/8082 to http_port_t. Ok.

But I also changed 'httpd_sys_content_t' on my seahub folder.

semanage fcontext -a -t httpd_sys_content_t '/homeseafile/seafile-server-6.3.4/seahub(/.*)?'
restorecon -Rv /homeseafile/seafile-server-6.3.4/seahub

But as I can see in the console listing, the seahub directory has not 'httpd_sys_content_t' but 'admin_home_t'.

That's why I did it:

type=AVC msg=audit(1540328955.575:211): avc: denied { open } for pid=3231 comm="nginx" path="/homeseafile/seafile-server-6.3.4/seahub/media/assets/css/bootstrap.min.b00faad199b5.css" dev="dm-0" ino=258378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

So, I ran ls on /homeseafile/seafile-server-6.3.4/seahub/ and realized that it is better to change the context for the whole directory.

Now seafile works well, but…

Question: should I revert the 'admin_home_t' context for the seahub directory or not? Were all files in this dir 'admin_home_t' or not?

Thank you for your attention!
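The following is an added example, not part of the post above and not Seafile's own tooling: a small POSIX sh helper that triages AVC denial lines like the one quoted in the post offline, pulling out the source domain, the denied permissions, the target file type and the path, and flagging the home-directory types (admin_home_t, user_home_t) that both this post and the reply below run into. The first sample line is the denial quoted above; the second is a constructed sample (path, pid and inode are made up) showing the same pattern against a user_home_t file. The command names in the hint string (semanage, restorecon, setsebool) are the ones already used in the thread; nothing in the block touches the live policy.

```shell
#!/bin/sh
# Added example (not from the post): offline triage of SELinux AVC denials.
# Reads the denied path, source domain and target file type off each line so
# the choice between a relabel (semanage fcontext + restorecon) and a boolean
# (setsebool httpd_read_user_content) is made from the facts, not by guessing.
# Pure POSIX sh plus sed and cut; runs without SELinux present.

# The denial quoted in the post above.
AVC_SAMPLE_1='type=AVC msg=audit(1540328955.575:211): avc: denied { open } for pid=3231 comm="nginx" path="/homeseafile/seafile-server-6.3.4/seahub/media/assets/css/bootstrap.min.b00faad199b5.css" dev="dm-0" ino=258378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Constructed sample: same pattern against a user_home_t file (the type the
# second reply reports on its installs). Path, pid and ino are made up.
AVC_SAMPLE_2='type=AVC msg=audit(1540400000.000:300): avc: denied { read open } for pid=4242 comm="nginx" path="/home/seafile/seafile-server-6.3.4/seahub/media/img/logo.png" dev="dm-0" ino=424242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field KEY LINE: print the value of KEY=... (quoted or bare) from LINE.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_home_type LINE: succeed when the target file carries a home-directory
# type, which is the situation both posts describe. Any other type deserves
# a look at the policy rather than a reflexive relabel.
is_home_type() {
    case $(context_type "$(avc_field tcontext "$1")") in
        admin_home_t|user_home_t) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_summary LINE: one line "source_domain perms target_type path".
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(context_type "$(avc_field scontext "$1")")" \
        "$(avc_perms "$1")" \
        "$(context_type "$(avc_field tcontext "$1")")" \
        "$(avc_field path "$1")"
}

# Walk the samples. On a real host the lines would come from
# `ausearch -m avc -ts recent` instead of the two variables above.
for line in "$AVC_SAMPLE_1" "$AVC_SAMPLE_2"; do
    avc_summary "$line"
    if is_home_type "$line"; then
        echo "  -> home-dir type: relabel the tree (semanage fcontext + restorecon) or setsebool -P httpd_read_user_content 1"
    fi
done
```

The summary line makes the two facts the post was missing visible at once: the target type is admin_home_t (so the directory was never relabelled to httpd_sys_content_t, whatever semanage reported), and the source domain is httpd_t, which is why either relabelling the tree or enabling the httpd home-directory booleans resolves it.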


#2

In our installation (6.2.9pro and 6.3.11pro) the seahub directory has context type user_home_t, not admin_home_t. Instead of changing the file context of the whole seafile directory, I would prefer to set

setsebool -P httpd_enable_homedirs 1
setsebool -P httpd_read_user_content 1

There are no other users than the seafile user on our systems. So there shouldn’t be a security impact.