On Wed, Apr 29, 2020 at 3:25 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
>
> On 4/29/20 1:02 PM, Ian Pilcher wrote:
> > That would undoubtedly be painful!  For now, I've modified my systemd
> > service file to make a copy of the Python executable with the required
> > context, i.e.:
> >
> > [Service]
> > Type=simple
> > PrivateTmp=true
> > ExecStartPre=/usr/bin/cp /usr/bin/python2 /tmp/python.denatc
> > ExecStartPre=/usr/bin/chcon -t denatc_exec_t /tmp/python.denatc
> > ExecStart=/tmp/python.denatc /usr/local/bin/denatc -d
> > ExecStartPost=/usr/bin/rm /tmp/python.denatc
>
> Slight update for posterity.  It looks like it's possible to use a
> symbolic link, so ...
>
> [Service]
> Type=simple
> PrivateTmp=true
> ExecStartPre=/usr/bin/ln -s /usr/bin/python2 /tmp/python.denatc
> ExecStartPre=/usr/bin/chcon --reference=/usr/local/bin/denatc --no-dereference /tmp/python.denatc
> ExecStart=/tmp/python.denatc /usr/local/bin/denatc -d

I don't see how that could work.  A symbolic link should be resolved, and its
context is only ever used to determine whether you can follow/read it, not
for the execute check.
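As an added illustration (not part of the thread above, and not Ian's unit file): a small POSIX sh helper that implements the copy-based variant as an ExecStartPre step and refuses the two link-based shortcuts. A symlink is resolved before the exec check, so the label on the link itself is never what the kernel consults; a hard link shares the inode with /usr/bin/python2, so chcon on the link relabels the system interpreter. A copy has its own inode and can carry its own label. The script name, the /run/denatc RuntimeDirectory and the unit lines in the trailing comment are assumptions for the example; the rest uses only coreutils (cp, chmod, chcon, stat) and falls back to copying without a label when stat reports no SELinux context.

```shell
#!/bin/sh
# Added example (not from the thread above): stage a copy of an interpreter
# labelled like a reference file, so a script can be started in its own
# SELinux domain from a systemd unit.  Paths in comments are assumptions.
#
# Why a copy and not a link:
#   - symlink: resolved before the exec check; the link's own label is not
#     used for execute, the target's is.
#   - hard link: shares the inode with the system interpreter, so chcon on
#     the link relabels /usr/bin/python2 itself.
set -eu

# Print the SELinux type (third field of user:role:type:level) of a file,
# or "?" when stat reports no context (no SELinux, or file missing).
selinux_type_of() {
    ctx=$(stat -c %C -- "$1" 2>/dev/null || echo '?')
    case $ctx in
        '?') echo '?' ;;
        *)   echo "$ctx" | cut -d: -f3 ;;
    esac
}

# 0 if path is a regular file and not a symlink, 1 otherwise.
is_regular_non_symlink() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# stage_interpreter SRC DST REF
#   Copies SRC to DST, labels DST like REF, verifies the label.
#   Exit status: 0 staged (or copied unlabelled when SELinux is absent),
#                1 SRC is not a plain file or DST is a symlink,
#                2 label could not be applied or did not verify.
stage_interpreter() {
    src=$1; dst=$2; ref=$3

    if ! is_regular_non_symlink "$src"; then
        echo "refusing: $src is not a regular file" >&2
        return 1
    fi
    if [ -L "$dst" ]; then
        echo "refusing: $dst is a symlink; its label is not used for exec" >&2
        return 1
    fi

    # cp, not ln: a fresh inode that can carry its own label.
    cp -- "$src" "$dst"
    chmod 0755 -- "$dst"

    want=$(selinux_type_of "$ref")
    if [ "$want" = '?' ]; then
        echo "warning: no SELinux context on $ref; $dst left unlabelled" >&2
        return 0
    fi

    chcon --reference="$ref" -- "$dst" || return 2
    got=$(selinux_type_of "$dst")
    if [ "$got" != "$want" ]; then
        echo "label mismatch on $dst: got $got, want $want" >&2
        return 2
    fi
    return 0
}

# Intended use from a unit (assumed paths):
#   RuntimeDirectory=denatc
#   ExecStartPre=/usr/local/libexec/stage-interpreter.sh /usr/bin/python2 /run/denatc/python /usr/local/bin/denatc
#   ExecStart=/run/denatc/python /usr/local/bin/denatc -d
if [ "$#" -eq 3 ]; then
    stage_interpreter "$1" "$2" "$3"
fi
```

Using RuntimeDirectory= instead of /tmp means systemd creates and removes the directory for the service, so the ExecStartPost=rm step in the original unit is not needed; with PrivateTmp= the original layout works too, as the exec has already happened by the time the copy is removed.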