6

I have a systemd script in CentOS 7 which doesn't run properly unless I disable SELINUX. Is it possible to somehow have SELINUX enabled on the system but disable it only for this systemd script?

The systemd script:

[Unit]
Description=Tractor Blade Service
Wants=network.target network-online.target autofs.service
After=network.target network-online.target autofs.service
RequiresMountsFor=/101.102.103.104/pipeline/

[Service]
Type=simple
User=IRUser
ExecStart=/opt/pixar/Tractor-2.1/bin/tractor-blade --debug --log /101.102.103.104/pipeline/logs/tractor/tractor-blade-%H.log --engine=111.222.333.444 --supersede --pidfile=/var/run/tractor-blade.pid

[Install]
WantedBy=multi-user.target

3
  • To clarify your question, do you want SELINUX to work but not with this specific script, or do you want to disable SELINUX when you launch this script? Commented Jun 18, 2015 at 8:36
  • I'd like to have SELINUX work, but not with this specific script. Commented Jun 18, 2015 at 8:37
  • This looks like a third party program. Did it come with an SELinux policy? Commented Jun 18, 2015 at 15:12

3 Answers

5

You could run that process as unconfined so it would have the same rights as if SELinux was disabled.

# This will setup the executable to be unconfined. Temporarily
chcon -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade
# This command will make that permanent
semanage fcontext -a -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade

You can read more about Unconfined Processes in the Red Hat documentation.
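
The two commands in the answer above change different things: chcon rewrites the label stored on the file, while semanage fcontext rewrites the policy's default label for that path. As an added example (not part of the original answer), this script compares the two to tell whether the label would survive a restorecon or a full relabel; the function names and sample contexts are constructed for illustration, and it assumes stat from GNU coreutils and matchpathcon from libselinux-utils.

```sh
#!/bin/sh
# Added example: is an SELinux file label temporary (chcon only),
# pending (semanage only), or persistent (both agree)?

# Print the type field (third colon-separated field) of a context
# such as system_u:object_r:bin_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1 = context currently on disk, $2 = policy default context,
# $3 = type we want the file to carry.
# The body runs in a subshell so the variables stay local.
label_state() (
    disk=$(context_type "$1")
    policy=$(context_type "$2")
    if [ "$disk" = "$3" ] && [ "$policy" = "$3" ]; then
        echo persistent   # on-disk label and policy default agree
    elif [ "$disk" = "$3" ]; then
        echo temporary    # chcon only: restorecon or a relabel reverts it
    elif [ "$policy" = "$3" ]; then
        echo pending      # semanage only: run restorecon to apply it
    else
        echo unlabeled    # neither the file nor the policy has the type
    fi
)

# Query the live system for one path.
check_path() {
    label_state "$(stat -c %C "$1")" "$(matchpathcon -n "$1")" "$2"
}

# Usage: ./label-state.sh /path/to/binary [wanted_type]
# Does nothing when called without arguments or without matchpathcon.
if [ "$#" -ge 1 ] && command -v matchpathcon >/dev/null 2>&1; then
    check_path "$1" "${2:-unconfined_exec_t}"
fi
```

A result of "pending" is cleared by running restorecon -v on the path; "temporary" means the semanage fcontext rule is still missing.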

-2

Try to use the semanage fcontext command

semanage fcontext -a -t <YourLabel> -f f <YourPath> should work.

-a = add a record for the fcontext object type

-t = SELinux type for the object

-f = file type

1
  • 2
    This doesn't really explain how to accomplish anything. Commented Mar 5, 2017 at 0:09
-3

Security-Enhanced_Linux-Systemd_Access_Control (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Systemd_Access_Control.html)

Also you can update selinux status as permissive
setenforce 0
getenforce or sestatus
