SELinux – How to Create SELinux Context for Systemd Script

Tags: fedora, redhat, rhel8, selinux, systemd

I'm trying to create a systemd service that executes a custom script I wrote. It is just a backup script that I am using with a systemd timer. When I try to execute something simple in the systemd file like "/usr/bin/free" or something like that, it works perfectly. However, when I try to execute my script "/root/scripts/mybackupscript.sh", it fails with:

Main process exited, code=exited, status=203/EXEC

If I set SELinux to permissive, it will start my script with no problem.

So I know that SELinux is restricting systemd from executing my script. But I don't know how to use SELinux. How do I create an SELinux context to allow systemd to execute my script?

Example:
This systemd file runs no problem:

[Unit]
Description=Logs system statistics to the systemd journal
Wants=myMonitor.timer

[Service]
Type=oneshot
ExecStart=/usr/bin/free

[Install]
WantedBy=multi-user.target

But this one fails (unless I set SELinux to permissive, in which case it executes fine):

[Unit]
Description=Logs system statistics to the systemd journal
Wants=myMonitor.timer

[Service]
Type=oneshot
ExecStart=/root/scripts/mybackupscript.sh

[Install]
WantedBy=multi-user.target

Any ideas would be appreciated. Thanks!

Best Answer

Move your script out of the user's home directory. SELinux rightly complains about trying to execute system services located in users' home directories.

Use a more standard location, such as /usr/local/bin:

install -m755 /root/scripts/mybackupscript.sh /usr/local/bin

And of course edit the unit file to match.

ExecStart=/usr/local/bin/mybackupscript.sh
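The relocation the answer describes, as an added example that is not part of the original answer: a small POSIX shell script that refuses home-directory paths (the cause of status=203/EXEC under SELinux, since systemd may not execute files labelled admin_home_t or user_home_t), installs the script into /usr/local/bin, rewrites the unit's ExecStart= line, and reports the file's SELinux type. It assumes GNU coreutils (`install`, `stat -c %C`, `sed -i`); the unit file path in the usage line is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): move a unit's script out of a
# home directory, point ExecStart at the new path, and check the label that
# results. Paths are arguments so it can be exercised against a scratch dir.

# Refuse paths under /root or /home: systemd (init_t) cannot execute files
# labelled admin_home_t / user_home_t, which is what produces status=203/EXEC.
path_is_system_location() {
    case "$1" in
        /root/*|/home/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy SRC into DESTDIR with mode 0755 (the answer's `install -m755`) and
# print the new path. Fails if SRC does not exist or the copy fails.
relocate_script() {
    src="$1"; destdir="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$destdir" && install -m755 "$src" "$destdir/" || return 1
    printf '%s\n' "$destdir/$(basename "$src")"
}

# Rewrite the unit file's ExecStart= line to NEWPATH, refusing home paths.
update_execstart() {
    unit="$1"; newpath="$2"
    path_is_system_location "$newpath" || return 1
    sed -i "s#^ExecStart=.*#ExecStart=$newpath#" "$unit"
}

# Print the SELinux type of FILE (bin_t is expected under /usr/local/bin,
# admin_home_t under /root), or "unknown" when SELinux is not available.
selinux_type_of() {
    if command -v getenforce >/dev/null 2>&1 \
       && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        stat -c '%C' "$1" | cut -d: -f3
    else
        echo unknown
    fi
}

# Usage (unit path is a placeholder):
#   ./relocate.sh /root/scripts/mybackupscript.sh /usr/local/bin \
#                 /etc/systemd/system/myMonitor.service
if [ $# -eq 3 ]; then
    new=$(relocate_script "$1" "$2") || exit 1
    update_execstart "$3" "$new" || exit 1
    printf '%s is now labelled %s\n' "$new" "$(selinux_type_of "$new")"
fi
```

After running it on a real host, `systemctl daemon-reload` and check `ls -Z /usr/local/bin/mybackupscript.sh` shows bin_t rather than admin_home_t.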