I am using CentOS 7.3 with stunnel. If I launch stunnel like this:
stunnel /etc/stunnel/stunnel.conf
Everything works fine!
I would like to manage stunnel with systemd. Here is my stunnel.service :
[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
DefaultDependencies=no
After=network.target
After=syslog.target
[Install]
WantedBy=multi-user.target
Alias=stunnel.target
[Service]
Type=forking
EnvironmentFile=-/etc/stunnel/stunnel.conf
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
ExecStop=/usr/bin/killall -9 stunnel
RemainAfterExit=yes
And my stunnel.conf :
cert = /etc/stunnel/ssl/stunnel.crt
chroot = /var/chroot/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
[https]
accept = 443
connect = 80
The problem is:
If the chroot is /var/chroot/stunnel (directory and permissions are OK!), SELinux blocks the creation of the PID file when I do:
systemctl start stunnel
In my /var/log/secure I have:
Feb 20 15:12:11 kickstart stunnel: LOG3[2505:140354907637824]: Cannot create pid file /stunnel.pid
Feb 20 15:12:11 kickstart stunnel: LOG3[2505:140354907637824]: create: Permission denied (13)
If I change the chroot directory to /var/run/stunnel/ it works! SELinux doesn't block the creation of the stunnel PID file. But if I reboot, the /var/run/stunnel directory is gone!
What is the best way to manage stunnel with systemd without disabling SELinux?
Maybe change some SELinux configuration?
Thank you,
Best Answer
You should add
RuntimeDirectory=stunnel
to the "Service" section of your service file. This will create the directory for you.
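A corrected pair of files as an added example (not from the asker or the answerer): systemd creates /run/stunnel at every start via RuntimeDirectory, stunnel chroots into it, and the PID path appears twice, once relative to the chroot for stunnel and once as a host path for systemd. The PIDFile line and the removal of EnvironmentFile, killall, RemainAfterExit, DefaultDependencies and Alias are my changes, and /etc/stunnel/stunnel.conf is the path from the question.

```ini
# /etc/systemd/system/stunnel.service
[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
After=network.target

[Service]
Type=forking
# Creates /run/stunnel (root-owned, 0755) before ExecStart and removes it on stop,
# so it exists after every reboot without a tmpfiles.d entry.
# On CentOS 7, /var/run is a symlink to /run, so either path works in stunnel.conf.
RuntimeDirectory=stunnel
# stunnel writes "pid = /stunnel.pid" relative to its chroot, so on the host it is:
PIDFile=/run/stunnel/stunnel.pid
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
# No ExecStop=killall needed: systemd sends SIGTERM to the unit's control group,
# and a hard SIGKILL only if the process ignores it.
# Dropped from the question's unit: EnvironmentFile= (stunnel.conf is not a
# shell-style environment file), RemainAfterExit= (would keep the unit "active"
# after stunnel dies) and Alias=stunnel.target (an Alias must end in .service).

[Install]
WantedBy=multi-user.target
```

```ini
; /etc/stunnel/stunnel.conf
cert = /etc/stunnel/ssl/stunnel.crt
; chroot into the directory systemd created; root creates the pid file here
; before the setuid/setgid drop, matching PIDFile= in the unit above.
chroot = /run/stunnel
setuid = stunnel
setgid = stunnel
; path is relative to the chroot: host path /run/stunnel/stunnel.pid
pid = /stunnel.pid

[https]
accept = 443
connect = 80
```

After editing, run systemctl daemon-reload and systemctl restart stunnel; if SELinux still denies the pid file, ls -Z /run/stunnel shows the label the directory actually received.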