I recently discovered systemd credentials, and I was excited to start
using them to pass private keys (for TLS certificates) into my stunnel
service.

 LoadCredential=ampersand.key:/etc/pki/tls/private/stunnel/ampersand.key
 LoadCredential=switch1.key:/etc/pki/tls/private/stunnel/switch1.key
 LoadCredential=switch2.key:/etc/pki/tls/private/stunnel/switch2.key
 LoadCredential=switch4.key:/etc/pki/tls/private/stunnel/switch4.key
 ExecStartPre=/usr/bin/mkdir -m 0700 /tmp/keys
 ExecStartPre=/usr/bin/ln -s %d/ampersand.key %d/switch1.key %d/switch2.key %d/switch4.key /tmp/keys/

(The symlinks under /tmp/keys are needed, because stunnel doesn't
support any form of variable expansion in its configuration file.)

Unfortunately, I quickly discovered that this doesn't work, because the
SELinux context of the keys is lost when they are copied into the
/run/credentials directory.

This was discussed in this issue[1], but the issue was closed without
any real resolution.  (Giving a confined service access to everything
labeled var_run_t is most definitely not acceptable.)

Thus, I end up copying the keys (rather than symlinking them), so that I
can set the context.

 LoadCredential=ampersand.key:/etc/pki/tls/private/stunnel/ampersand.key
 LoadCredential=switch1.key:/etc/pki/tls/private/stunnel/switch1.key
 LoadCredential=switch2.key:/etc/pki/tls/private/stunnel/switch2.key
 LoadCredential=switch4.key:/etc/pki/tls/private/stunnel/switch4.key
 ExecStartPre=/usr/bin/mkdir -m 0700 --context=system_u:object_r:cert_t:s0 /tmp/keys
 ExecStartPre=/usr/bin/cp %d/ampersand.key %d/switch1.key %d/switch2.key %d/switch4.key /tmp/keys/

However, it isn't clear what benefit systemd credentials are providing
at this point.  Without them, I can simply copy the files directly from
their original location, which is arguably simpler.

 ExecStartPre=/usr/bin/mkdir -m 0700 --context=system_u:object_r:cert_t:s0 /tmp/keys
 ExecStartPre=/usr/bin/cp \
         /etc/pki/tls/private/stunnel/ampersand.key \
         /etc/pki/tls/private/stunnel/switch1.key \
         /etc/pki/tls/private/stunnel/switch2.key \
         /etc/pki/tls/private/stunnel/switch4.key \
         /tmp/keys/

So the question is ... Am I missing something (or are systemd
credentials simply not useful on systems running SELinux)?

[1] https://github.com/systemd/systemd/issues/36369

--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================
