5

I have a systemd script in CentOS 7 which doesn't run properly unless I disable SELinux. Is it possible to somehow have SELinux enabled on the system but disable it only for this systemd script?

The systemd script:

[Unit]
Description=Tractor Blade Service
Wants=network.target network-online.target autofs.service
After=network.target network-online.target autofs.service
RequiresMountsFor=/101.102.103.104/pipeline/

[Service]
Type=simple
User=IRUser
ExecStart=/opt/pixar/Tractor-2.1/bin/tractor-blade --debug --log /101.102.103.104/pipeline/logs/tractor/tractor-blade-%H.log --engine=111.222.333.444 --supersede --pidfile=/var/run/tractor-blade.pid

[Install]
WantedBy=multi-user.target
fredrik
  • 731
  • 15
  • 20

3 Answers

3

You could run that process as unconfined so it would have the same rights as if SELinux was disabled.

# This will set up the executable to be unconfined. Temporary (a relabel reverts it)
chcon -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade
# This command will make that permanent (restorecon applies the stored rule on relabel)
semanage fcontext -a -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade

You can read more about unconfined processes in Red Hat documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html

Pablo Martinez
  • 2,406
  • 17
  • 13
-1

Try to use the semanage fcontext command

semanage fcontext -a -t <YourLabel> -f f <YourPath> should work.

-a = add a record for the fcontext object type

-t = SELinux type for the object

-f = file type

NooJ
  • 194
  • 1
  • 2
  • 13
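Putting the two answers above together, as an added example that is not code from either answer: a small set of POSIX sh helpers that records a file-context rule for the binary, applies it, and then verifies both the label on disk and the domain the running service actually ended up in. It assumes the SELinux userland tools on CentOS 7 (semanage from policycoreutils-python, restorecon, stat with %C, ps with the label column) and uses the binary path from the question; the type argument is unconfined_exec_t for the first answer's approach or whatever exec type you choose for the second answer's generic form.

```shell
#!/bin/sh
# Added example, not from either answer. Assumes semanage, restorecon,
# stat -c %C and ps -o label are available (CentOS 7 with
# policycoreutils-python). relabel_file must be run as root.

# The third colon-separated field of a context string is the type, e.g.
# "system_u:object_r:unconfined_exec_t:s0" -> "unconfined_exec_t".
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Current type of a file on disk (stat %C prints its security context).
file_type() {
  selinux_type "$(stat -c %C "$1")"
}

# Domain a running process is confined in, looked up by PID.
process_domain() {
  selinux_type "$(ps -o label= -p "$1")"
}

# Persistently label PATH with TYPE: store the file-context rule so the
# label survives a relabel (semanage -a fails if a rule already exists,
# so fall back to -m), apply it now with restorecon, and return non-zero
# if the label on disk is not what was requested.
relabel_file() {
  path=$1; type=$2
  semanage fcontext -a -t "$type" "$path" 2>/dev/null \
    || semanage fcontext -m -t "$type" "$path" || return 1
  restorecon -v "$path" || return 1
  [ "$(file_type "$path")" = "$type" ]
}

# After restarting the unit, print the domain of its main process so you
# can confirm the transition happened (unconfined_t for a binary labelled
# unconfined_exec_t). systemd 219 on CentOS 7 has no "--value", so the
# KEY=VALUE output is split by hand.
check_service_domain() {
  pid=$(systemctl show -p MainPID "$1" | cut -d= -f2) || return 1
  [ "$pid" -gt 0 ] || return 1
  process_domain "$pid"
}
```

Typical use, with the unit name tractor-blade.service assumed since the question does not give it: `relabel_file /opt/pixar/Tractor-2.1/bin/tractor-blade unconfined_exec_t && systemctl restart tractor-blade.service && check_service_domain tractor-blade.service`. If the last command prints something other than unconfined_t (for example init_t), the label was applied but the domain transition did not happen, which is the case to investigate before touching the enforcing mode.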
-2

Security-Enhanced_Linux-Systemd_Access_Control (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Systemd_Access_Control.html)

You can also set SELinux to permissive mode:
setenforce 0
getenforce or sestatus

chetangb
  • 145
  • 6