Howto: Proper SELinux context for systemd units in /etc/systemd/system
Hi, I'm trying to make some custom systemd units in /etc/systemd/system work with SELinux, but SELinux is preventing access to the executables called from the service files (/usr/sbin/logrotate in my specific case):
1. the logrotate.service unit is prevented from read, open, execute, and execute_no_trans access to /usr/sbin/logrotate
2. subsequently, /usr/sbin/logrotate is prevented from everything it needs to do
With a custom policy module that allows access to /usr/sbin/logrotate:
module logrotate-systemd 1.0;
<snip>
#============= init_t ==============
# lets systemd (init_t) read and run the binary; execute_no_trans means
# logrotate then keeps running in init_t rather than entering its own domain
allow init_t logrotate_exec_t:file { execute execute_no_trans open read };
# logrotate_exec_t is a file type, so a process-class rule on it never matches
allow init_t logrotate_exec_t:process { noatsecure transition };
#============= logrotate_exec_t ==============
# entrypoint is granted to a domain (the process type), not to the file type itself
allow logrotate_exec_t self:file entrypoint;
logrotate can be run (fixes (1)), but is again prevented from doing anything (2). Probably this is due to it being executed in the wrong context, so I've tried setting it manually using
SELinuxContext=system_u:object_r:logrotate_exec_t:s0
But this creates a constraint violation, at which point I'm concluding that I'm doing something wrong, because running services from the directory they are supposed to be run from can't be this complicated ...
I've checked the SELinux context of my service files; it's unconfined_u:object_r:systemd_unit_file_t:s0, which is the default for files in that dir, so that seems to be OK.
I would have expected units running with the proper context from the proper dir to Just Work(TM). What am I doing wrong?
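Editor's note with an added example (this is not the poster's module and not any distribution's shipped policy). The unit file's label is fine; the missing piece is a domain transition. `logrotate_exec_t` is the label of the binary, not a domain a process can run in, and `execute_no_trans` explicitly keeps the child in `init_t`, which is why logrotate is then denied everything. `SELinuxContext=` fails the constraints for the same reason: a process context needs `system_r` plus a domain type, e.g. `system_u:system_r:logrotate_t:s0`, not `object_r` plus an `_exec_t` type. The script below writes a small module that lets `init_t` execute the binary and automatically transition into the stock `logrotate_t` domain, builds and loads it when run as root on an SELinux system, and checks `ps -eZ`-style lines for the resulting context. It assumes a refpolicy-derived base policy (Fedora/RHEL targeted or similar) that already defines `logrotate_t`/`logrotate_exec_t` and allows `logrotate_t` in role `system_r`; the `map` file permission exists in policies from about 2017 on and can be dropped on older ones. The two `ps -eZ` lines in `main` are constructed samples, not real captures. With the transition in place no `SELinuxContext=` line is needed in the unit at all.

```shell
#!/bin/sh
# Added example: a domain transition init_t -> logrotate_t for a systemd unit
# that runs /usr/sbin/logrotate. Assumes a refpolicy-style base policy that
# already defines logrotate_t and logrotate_exec_t (see lead-in above).
set -eu

MODNAME=logrotate-systemd

# Write the module source (plain checkmodule syntax, like the poster's) to $1.
write_te() {
    cat > "$1" <<'EOF'
module logrotate-systemd 1.1;

require {
    type init_t;
    type logrotate_t;
    type logrotate_exec_t;
    # "map" is needed on policies from ~2017 on; drop it on older base policies
    class file { getattr read open execute map entrypoint };
    class process transition;
}

# systemd (init_t) may read and execute /usr/sbin/logrotate ...
allow init_t logrotate_exec_t:file { getattr read open execute map };
# ... the binary is a valid entry point into the logrotate_t domain ...
allow logrotate_t logrotate_exec_t:file entrypoint;
# ... and init_t may transition to logrotate_t, automatically on exec.
allow init_t logrotate_t:process transition;
type_transition init_t logrotate_exec_t:process logrotate_t;
EOF
}

# Compile and load the module (needs root and the policy tools).
install_module() {
    te="$1"; mod="${te%.te}.mod"; pp="${te%.te}.pp"
    checkmodule -M -m -o "$mod" "$te"
    semodule_package -o "$pp" -m "$mod"
    semodule -i "$pp"
}

# Context a service started through this transition runs in. If you set
# SELinuxContext= in the unit at all, it must be a process context like this
# (system_r + a domain type), not object_r + an _exec_t file type.
expected_context() {
    printf '%s\n' "system_u:system_r:logrotate_t:s0"
}

# Given one line of `ps -eZ` output, succeed if the process runs in
# logrotate_t and fail otherwise (e.g. when it is still stuck in init_t).
runs_in_logrotate_t() {
    ctx=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$ctx" in
        *:logrotate_t:*) return 0 ;;
        *)               return 1 ;;
    esac
}

main() {
    te="${TMPDIR:-/tmp}/${MODNAME}.te"
    write_te "$te"
    if [ "$(id -u)" -eq 0 ] && [ -d /sys/fs/selinux ] \
        && command -v checkmodule >/dev/null 2>&1 \
        && command -v semodule_package >/dev/null 2>&1 \
        && command -v semodule >/dev/null 2>&1; then
        install_module "$te"
        echo "module installed; restart the unit and check 'ps -eZ | grep logrotate'" >&2
    else
        echo "not root, SELinux not enabled, or policy tools missing: source left in $te" >&2
    fi
    # Constructed sample lines in `ps -eZ` format (not real captures):
    good='system_u:system_r:logrotate_t:s0   4242 ?   00:00:00 logrotate'
    bad='system_u:system_r:init_t:s0         4242 ?   00:00:00 logrotate'
    for line in "$good" "$bad"; do
        if runs_in_logrotate_t "$line"; then
            echo "OK   transition happened: $line"
        else
            echo "FAIL still in wrong domain: $line"
        fi
    done
}

main
```

After loading the module, restart the unit and confirm with `ps -eZ | grep logrotate` (or `cat /proc/$(systemctl show -p MainPID --value logrotate.service)/attr/current` while it runs) that the process shows `logrotate_t`; if it still shows `init_t`, check `ausearch -m avc -ts recent` for a denied `transition` or `entrypoint`, which points at a base policy whose `logrotate_t` is not allowed in `system_r`.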