Re: [systemd-devel] Where to put unix sockets while SELinux enforces on init_t?
On Sun, Jan 30, 2022 at 3:01 AM Mantas Mikulėnas wrote: > > On Sun, Jan 30, 2022 at 12:47 AM Daniel Farina wrote: >> >> I am using SELinux enforced AlmaLinux, and am wondering where the customary >> place to put a ListenStream directive that is opening a unix socket should >> be. >> >> Old-school customarily, /tmp suffices, but SELinux blocks that: "init_t" is >> not allowed to create the socket there. >> >> Looking through definitions, /var/run/systemd is a place that systemd can >> create unix socket files, and indeed my prototype using this works, but I'm >> not sure if this is where they "belong." >> >> Does anyone have an opinion on this? > > > I'm not familiar with SELinux defaults, but the standard location for sockets > has long been [/var]/run (with /run being the preferred spelling on Linux > nowadays), and currently systemd has already been creating lots of sockets > under /run in general – on my system I see /run/rpcbind.sock, > /run/dmeventd-client, /run/avahi-daemon/socket, all of them created by pid1 > through .socket units (see `systemctl list-sockets`) and not by the actual > daemons themselves. This makes me assume that on distros with SELinux, the > default policy would just allow systemd to do that. You were absolutely right. I knew about this directory and its customary use, but for some reason didn't think to try it out (I'm not yet an adept at reading the cumulative effect of SELinux policies) My particular application is the multi-processor adapted way to run PGBouncer (https://www.2ndquadrant.com/en/blog/running-multiple-pgbouncer-instances-with-systemd/). The packages even make a pgbouncer user-owned directory in /run/pgbouncer. Doing something like "ListenStream=/run/pgbouncer/.s.PGSQL.%i" works. Thanks, Daniel
Re: [systemd-devel] Where to put unix sockets while SELinux enforces on init_t?
On Sun, Jan 30, 2022 at 12:47 AM Daniel Farina wrote: > I am using SELinux enforced AlmaLinux, and am wondering where the > customary place to put a ListenStream directive that is opening a unix > socket should be. > > Old-school customarily, /tmp suffices, but SELinux blocks that: "init_t" > is not allowed to create the socket there. > > Looking through definitions, /var/run/systemd is a place that systemd can > create unix socket files, and indeed my prototype using this works, but I'm > not sure if this is where they "belong." > > Does anyone have an opinion on this? > I'm not familiar with SELinux defaults, but the standard location for sockets has long been [/var]/run (with /run being the preferred spelling on Linux nowadays), and currently systemd has already been creating lots of sockets under /run in general – on my system I see /run/rpcbind.sock, /run/dmeventd-client, /run/avahi-daemon/socket, all of them created by pid1 through .socket units (see `systemctl list-sockets`) and not by the actual daemons themselves. This makes me assume that on distros with SELinux, the default policy would just allow systemd to do that. -- Mantas Mikulėnas
Re: [systemd-devel] Where to put unix sockets while SELinux enforces on init_t?
On Sat, 29 Jan 2022 14:46:52 -0800 Daniel Farina wrote: > I am using SELinux enforced AlmaLinux, and am wondering where the customary > place to put a ListenStream directive that is opening a unix socket should > be. > > Old-school customarily, /tmp suffices, but SELinux blocks that: "init_t" is > not allowed to create the socket there. > > Looking through definitions, /var/run/systemd is a place that systemd can > create unix socket files, and indeed my prototype using this works, but I'm > not sure if this is where they "belong." > > Does anyone have an opinion on this? > > Thanks, > Daniel Use Linux abstract sockets where pathname is irrelevant?! It saves pain with SELinux. Lots of services use /run look at: ss -xa to see what is already there
[systemd-devel] Where to put unix sockets while SELinux enforces on init_t?
I am using SELinux enforced AlmaLinux, and am wondering where the customary place to put a ListenStream directive that is opening a unix socket should be. Old-school customarily, /tmp suffices, but SELinux blocks that: "init_t" is not allowed to create the socket there. Looking through definitions, /var/run/systemd is a place that systemd can create unix socket files, and indeed my prototype using this works, but I'm not sure if this is where they "belong." Does anyone have an opinion on this? Thanks, Daniel