Re: virtualenv

What's the init.d script look like for this service?  If you can prefix
the /usr/bin/sh command with runcon -t myapp_t --, then it should also
run in myapp_t.  But you'll then need to allow myapp_t shell_exec_t:file
entrypoint in your policy.  Is the only domain transition into myapp_t
from initrc_t?

Hi Stephen,

We're using CentOS 7 and systemd. I guess we can still throw a runcon in there. We used the system-config-selinux tool to generate the base policy module, but the rules it creates are a bit opaque to me.

I think this is the interface that allows initd_t (systemd) to transition our app into its domain. I'm a little unsure how I should be making a new entrypoint.

       interface(`myapp_domtrans',`
           gen_require(`
               type myapp_t, myapp_exec_t;
           ')

           corecmd_search_bin($1)
           domtrans_pattern($1, myapp_exec_t, myapp_t)
       ')


# /usr/lib/systemd/system/myapp.service

[Unit]
Description=MyAPP
After=network.target

[Service]
User=myapp
Group=myapp
ExecStart=/usr/bin/sh -c 'source /var/lib/myapp/env/bin/activate && gunicorn --bind 0.0.0.0:8080 --debug --reload wsgi:app'
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
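The two ways of getting systemd (init_t) into myapp_t when ExecStart is /usr/bin/sh, written out as a reference-policy style module. This is an added example, not the poster's module and not what system-config-selinux generated; the names myapp_t, myapp_exec_t, myapp_var_lib_t and the wrapper path /usr/lib/myapp/start.sh are assumptions, and the domtrans into myapp_t is provided here by init_daemon_domain, which is what the myapp_domtrans interface above does for $1 = init_t.

```selinux
# myapp.te -- added example; assumed names throughout (myapp_t, myapp_exec_t,
# myapp_var_lib_t, /usr/lib/myapp/start.sh), not the poster's generated module.
policy_module(myapp, 1.0.0)

########################################
# Declarations

type myapp_t;
type myapp_exec_t;
# Registers the domain for system_r and adds the init_t -> myapp_t transition
# on myapp_exec_t (the same domtrans_pattern the page's myapp_domtrans
# interface gives its caller).
init_daemon_domain(myapp_t, myapp_exec_t)

# The virtualenv under /var/lib/myapp/env lives here (label it via a .fc line:
#   /var/lib/myapp(/.*)?  gen_context(system_u:object_r:myapp_var_lib_t,s0)
type myapp_var_lib_t;
files_type(myapp_var_lib_t)

########################################
# Option A: keep ExecStart=/usr/bin/sh -c '...' and add to [Service]
#   SELinuxContext=system_u:system_r:myapp_t:s0
# (or prefix the command with "runcon -t myapp_t --", as suggested above).
# systemd/runcon then sets the exec context and execs /usr/bin/sh, so the
# shell binary (shell_exec_t) must be an entrypoint of myapp_t. This is the
# "allow myapp_t shell_exec_t:file entrypoint" rule from the earlier mail,
# via the reference-policy interface:
corecmd_shell_entry_type(myapp_t)

########################################
# Option B: point ExecStart at a wrapper script labeled myapp_exec_t, e.g.
#   ExecStart=/usr/lib/myapp/start.sh
# with the .fc line
#   /usr/lib/myapp/start\.sh  --  gen_context(system_u:object_r:myapp_exec_t,s0)
# The wrapper is then the entrypoint and no shell entrypoint is needed.
# Either way the domain still runs sh and the venv's python in place,
# without a further transition:
corecmd_exec_shell(myapp_t)
corecmd_exec_bin(myapp_t)

########################################
# Runtime policy for gunicorn itself

allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:process { signal sigkill sigchld setsched };
allow myapp_t self:tcp_socket create_stream_socket_perms;

# python, gunicorn and the app code sit inside the virtualenv, so the domain
# reads, writes (pyc caches) and executes myapp_var_lib_t content.
manage_dirs_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
manage_files_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
can_exec(myapp_t, myapp_var_lib_t)

# --bind 0.0.0.0:8080: port 8080 is http_cache_port_t in the reference policy
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_bind_http_cache_port(myapp_t)

files_read_etc_files(myapp_t)
miscfiles_read_localization(myapp_t)
logging_send_syslog_msg(myapp_t)
```

Build and load it with the devel Makefile (make -f /usr/share/selinux/devel/Makefile myapp.pp; semodule -i myapp.pp), relabel with restorecon -Rv /usr/lib/myapp /var/lib/myapp, then check that the transition actually exists and that the service landed in it: sesearch -T -s init_t -t myapp_exec_t, sesearch -A -s myapp_t -t shell_exec_t -c file -p entrypoint, and ps -eZ | grep gunicorn. If the process still shows init_t or unconfined, the entrypoint or the label on the executed file is wrong; running the domain permissive first (semanage permissive -a myapp_t) and reading ausearch -m avc -ts recent is the quickest way to see which rule is missing. Option B is the tidier choice for a long-lived service because the only file that can enter myapp_t is the wrapper you control, rather than every shell on the box.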