selinux and systemd


You see, the reason people turn off SELinux is that basic stuff just doesn't work, and then it becomes a nightmare to get it working.

So in this case I should be able to use systemd to create a FIFO on STDIN in a unit file. It's the "approved" systemd way of dealing with stuff that does not properly daemonize itself, as opposed to running it in a screen/tmux. See "man systemd.socket".

So assume I have created a unit file /etc/systemd/system/test.service with lines like Sockets=test.socket and StandardInput=socket, along with a corresponding /etc/systemd/system/test.socket with a line like ListenFIFO=%t/test.stdin. When you try to start the service you get the following in /var/log/audit/audit.log:

type=AVC msg=audit(1654770013.102:894): avc:  denied  { read write } for  pid=1 comm="systemd" name="test.stdin" dev="tmpfs" ino=7369 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=fifo_file permissive=0

There is no boolean to enable systemd to write FIFOs. It never ceases to amaze me that those responsible for SELinux wonder why people just turn it off all the time. The reason is you can't get your act together and make the basic stuff work out of the box.
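As an added example (not part of the original post), here is a shell script that writes the socket/service pair described above and reduces the quoted AVC line to the allow rule and minimal policy module that audit2allow would produce for it. The service command (/usr/bin/cat), the module name test_fifo and the scratch directory are my own assumptions; the unit names, keys and the denial line come from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Unit names, keys and the AVC
# line are taken from the post; ExecStart, module name and paths are assumptions.

# Sample denial, copied from the post's audit.log excerpt (constructed as one line).
SAMPLE_AVC='type=AVC msg=audit(1654770013.102:894): avc:  denied  { read write } for  pid=1 comm="systemd" name="test.stdin" dev="tmpfs" ino=7369 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=fifo_file permissive=0'

# Write the socket/service pair the post describes. Pass a scratch directory to
# inspect them without touching the real unit directory (the default).
write_units() {
  dir="${1:-/etc/systemd/system}"
  mkdir -p "$dir"
  cat > "$dir/test.socket" <<'EOF'
[Socket]
ListenFIFO=%t/test.stdin
EOF
  cat > "$dir/test.service" <<'EOF'
[Service]
ExecStart=/usr/bin/cat
Sockets=test.socket
StandardInput=socket
EOF
}

# Reduce one AVC line to the allow rule it asks for (what `audit2allow` prints):
# source type, target type, object class and the denied permissions.
avc_to_allow() {
  line="$1"
  perms=$(printf '%s\n' "$line" | awk -F'[{}]' '{ gsub(/^ +| +$/, "", $2); print $2 }')
  src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Wrap the rule in a minimal type-enforcement module. Build and load it with:
#   checkmodule -M -m -o test_fifo.mod test_fifo.te
#   semodule_package -o test_fifo.pp -m test_fifo.mod && semodule -i test_fifo.pp
# The rule is broad: it lets init_t read/write every FIFO labelled var_run_t,
# not only this one, because the denial line is all it is derived from.
avc_to_te() {
  rule=$(avc_to_allow "$1")
  set -- $(printf '%s\n' "$rule" | sed 's/[:;{}]/ /g')   # allow SRC TGT CLS PERMS...
  src=$2; tgt=$3; cls=$4; shift 4
  printf 'module test_fifo 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\n%s\n' \
    "$src" "$tgt" "$cls" "$*" "$rule"
}

avc_to_te "$SAMPLE_AVC"
```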