[systemd-devel] Where to put unix sockets while SELinux enforces on init_t?

Mantas Mikulėnas grawity at gmail.com
Sun Jan 30 11:01:03 UTC 2022


On Sun, Jan 30, 2022 at 12:47 AM Daniel Farina <daniel at fdr.io> wrote:

> I am using SELinux enforced AlmaLinux, and am wondering where the
> customary place to put a ListenStream directive that is opening a unix
> socket should be.
>
> Old-school customarily, /tmp suffices, but SELinux blocks that: "init_t"
> is not allowed to create the socket there.
>
> Looking through definitions, /var/run/systemd is a place that systemd can
> create unix socket files, and indeed my prototype using this works, but I'm
> not sure if this is where they "belong."
>
> Does anyone have an opinion on this?
>

I'm not familiar with SELinux defaults, but the standard location for
sockets has long been [/var]/run (with /run being the preferred spelling on
Linux nowadays), and currently systemd has already been creating lots of
sockets under /run in general – on my system I see /run/rpcbind.sock,
/run/dmeventd-client, /run/avahi-daemon/socket, all of them created by pid1
through .socket units (see `systemctl list-sockets`) and not by the actual
daemons themselves. This makes me assume that on distros with SELinux, the
default policy would just allow systemd to do that.

-- 
Mantas Mikulėnas
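To make the reply concrete, here is an added example that is not code from the thread or from the systemd project: a .socket/.service pair that keeps the unix socket under /run, together with a small lint that flags ListenStream paths placed anywhere else (such as /tmp). The unit name myapp and the path /run/myapp/api.sock are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a .socket/.service pair whose unix
# socket lives under /run, plus a lint for ListenStream paths placed elsewhere.
# "myapp" and /run/myapp/api.sock are hypothetical placeholder names.

# write_units DIR: write myapp.socket and myapp.service (constructed sample) into DIR.
write_units() {
    cat > "$1/myapp.socket" <<'EOF'
[Unit]
Description=myapp API socket (hypothetical example)

[Socket]
# pid1 already creates sockets for .socket units under /run (see
# `systemctl list-sockets`); /tmp is where init_t is denied under SELinux.
ListenStream=/run/myapp/api.sock
SocketMode=0660
SocketUser=myapp
SocketGroup=myapp
RemoveOnStop=yes

[Install]
WantedBy=sockets.target
EOF
    cat > "$1/myapp.service" <<'EOF'
[Unit]
Description=myapp daemon (hypothetical example)

[Service]
# RuntimeDirectory= makes systemd create /run/myapp before the socket is bound.
RuntimeDirectory=myapp
User=myapp
ExecStart=/usr/bin/myapp --socket /run/myapp/api.sock
EOF
}

# lint_socket_unit FILE: report every Listen*= value that is a filesystem path
# outside /run or /var/run; returns 1 if any is found, 0 otherwise.
# Port numbers, IP:port pairs and abstract (@) sockets are not paths and are ignored.
lint_socket_unit() {
    offenders=$(sed -nE 's#^Listen(Stream|Datagram|SequentialPacket)=(/.*)$#\2#p' "$1" \
        | grep -vE '^/(var/)?run/' || :)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | sed 's#^#socket path outside /run: #' >&2
    return 1
}
```

Run `lint_socket_unit` over the .socket files in /etc/systemd/system to spot units that would hit the same init_t denial before enabling them.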