On Wed, 01.03.17 15:40, Ian Pilcher (arequipeno@xxxxxxxxx) wrote:

> I am using systemd's RuntimeDirectory to create a directory for a
> service.
>
> RuntimeDirectory=squoxy
>
> This causes systemd to create /run/squoxy before starting my service,
> but I haven't been able to get the SELinux context set correctly on the
> directory.
>
> I've set file context rules for both /run/squoxy and /var/run/squoxy:
>
> ^/var/run/squoxy(/.*)? all files system_u:object_r:squoxy_var_run_t:s0
> ^/run/squoxy(/.*)? all files system_u:object_r:squoxy_var_run_t:s0
>
> And, indeed, restorecon will set the context of the directory to
> squoxy_var_run_t.
>
> I've also added a type transition rule, attempting to get the correct
> context applied automatically when systemd creates the directory:
>
> type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
>
> But the directory is still being created as var_run_t:
>
> drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0 /run/squoxy
>
> What am I doing wrong?

Hmm, so the relevant code in systemd actually labels the dir after creating it after an selinux database lookup, so from our side all should be good:

https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857

(specifically, we call mkdir_p_label() instead of plain mkdir_p() there)

My own understanding of SELinux is finite however. I'd recommend pinging the SELinux folks for help on this,

Lennart

--
Lennart Poettering, Red Hat
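As an added illustration (not code from the thread or from systemd), a small Python resolver that applies the two file-context rules quoted above the way libselinux does, with each regex anchored at both ends, and then checks the observed `ls -Zd` line against the label the rules call for. It assumes the traditional last-match-wins precedence for overlapping rules and ignores the file-type column; the sample listing line is the one from the message.

```python
import re

# File-context rules as listed in the message (semanage -l display format:
# regex, file-type description, context). Constructed input for this example.
FILE_CONTEXTS = """
^/var/run/squoxy(/.*)? all files system_u:object_r:squoxy_var_run_t:s0
^/run/squoxy(/.*)? all files system_u:object_r:squoxy_var_run_t:s0
"""

# The ls -Zd output quoted in the message, showing the directory still
# labelled var_run_t rather than squoxy_var_run_t.
LS_Z_LINE = "drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0 /run/squoxy"


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type, context)] in file order.

    libselinux anchors each file_contexts regex at both ends before
    matching, so "^/run/squoxy(/.*)?" cannot match "/run/squoxyfoo".
    """
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        regex, ctx = parts[0], parts[-1]
        ftype = " ".join(parts[1:-1])
        anchored = "^" + regex.lstrip("^").rstrip("$") + "$"
        rules.append((re.compile(anchored), ftype, ctx))
    return rules


def resolve_label(rules, path):
    """Simplified precedence: the last matching rule wins (assumption)."""
    label = None
    for pattern, _ftype, ctx in rules:
        if pattern.match(path):
            label = ctx
    return label


def check_listing(rules, ls_z_line):
    """Compare the context shown by `ls -Zd` with the one the rules expect."""
    fields = ls_z_line.split()
    observed, path = fields[-2], fields[-1]
    expected = resolve_label(rules, path)
    return {"path": path, "observed": observed,
            "expected": expected, "ok": observed == expected}


RULES = parse_file_contexts(FILE_CONTEXTS)
```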