On 4/29/20 1:02 PM, Ian Pilcher wrote:
> That would undoubtedly be painful! For now, I've modified my systemd
> service file to make a copy of the Python executable with the required
> context, i.e.:
>
> [Service]
> Type=simple
> PrivateTmp=true
> ExecStartPre=/usr/bin/cp /usr/bin/python2 /tmp/python.denatc
> ExecStartPre=/usr/bin/chcon -t denatc_exec_t /tmp/python.denatc
> ExecStart=/tmp/python.denatc /usr/local/bin/denatc -d
> ExecStartPost=/usr/bin/rm /tmp/python.denatc
Slight update for posterity. It looks like it's possible to use a
symbolic link, so ...
[Service]
Type=simple
PrivateTmp=true
ExecStartPre=/usr/bin/ln -s /usr/bin/python2 /tmp/python.denatc
ExecStartPre=/usr/bin/chcon --reference=/usr/local/bin/denatc --no-dereference /tmp/python.denatc
ExecStart=/tmp/python.denatc /usr/local/bin/denatc -d
(Deleting the copy of the interpreter seems to be racy, so it's
probably best to rely on systemd to delete the whole private temporary
directory.)
--
Ian Pilcher arequipeno@xxxxxxxxx
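The symlink-plus-chcon trick from the unit above, as an added shell example (not code from the original mail), with the check a practitioner would want before the interpreter is exec'd: that the link itself, not its target, now carries the script's exec type. INTERP, SCRIPT and LINKDIR are assumed names standing in for /usr/bin/python2, /usr/local/bin/denatc and the service's private /tmp.

```shell
#!/bin/sh
# Added example, not from the original mail. Reproduces the unit's
# "ln -s + chcon --reference --no-dereference" steps as a function and
# verifies the resulting label before handing off to the interpreter.

# Print the SELinux type (third ':'-separated field) of a file's own
# context, without following symlinks. Prints "?" when the system exposes
# no contexts, which is what coreutils' stat reports without SELinux.
selinux_type() {
    ctx=$(stat -c %C "$1" 2>/dev/null || echo '?')
    case $ctx in
        '?') echo '?' ;;
        *)   echo "$ctx" | cut -d: -f3 ;;
    esac
}

# prepare_interp_link INTERP SCRIPT LINKDIR
# Creates LINKDIR/<script>.interp -> INTERP, labels the link like SCRIPT,
# and prints the link path. Fails if the label does not end up matching.
prepare_interp_link() {
    interp=$1; script=$2; link=$3/$(basename "$script").interp
    ln -sfn "$interp" "$link" || return 1
    want=$(selinux_type "$script")
    # Without a running SELinux there is nothing to relabel or to check.
    if [ "$want" = '?' ] || ! command -v selinuxenabled >/dev/null 2>&1 \
        || ! selinuxenabled; then
        echo "$link"; return 0
    fi
    # Label the symlink itself (the object the kernel sees on exec), not
    # the interpreter it points at.
    chcon --reference="$script" --no-dereference "$link" || return 1
    got=$(selinux_type "$link")
    if [ "$got" != "$want" ]; then
        echo "label mismatch on $link: $got != $want" >&2
        return 1
    fi
    echo "$link"
}
```

On an SELinux host the mismatch branch is the one to watch: it is the case where the domain transition would silently not happen.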