I am using CentOS 7.3 with stunnel. If I launch stunnel like this:

    stunnel /etc/stunnel/stunnel.conf

Everything works fine!
I would like to manage stunnel with systemd. Here is my stunnel.service:

    [Unit]
    Description=SSL tunnel for network daemons
    Documentation=man:stunnel https://www.stunnel.org/docs.html
    DefaultDependencies=no
    After=network.target
    After=syslog.target

    [Install]
    WantedBy=multi-user.target
    Alias=stunnel.target

    [Service]
    Type=forking
    EnvironmentFile=-/etc/stunnel/stunnel.conf
    ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
    ExecStop=/usr/bin/killall -9 stunnel
    RemainAfterExit=yes

And my stunnel.conf:
    cert = /etc/stunnel/ssl/stunnel.crt
    chroot = /var/chroot/stunnel
    setuid = stunnel
    setgid = stunnel
    pid = /stunnel.pid

    [https]
    accept = 443
    connect = 80

The problem is: if the chroot is /var/chroot/stunnel (directory and permissions are OK!), SELinux blocks the creation of the PID file when I do:

    systemctl start stunnel

In my /var/log/secure I have:
    Feb 20 15:12:11 kickstart stunnel: LOG3[2505:140354907637824]: Cannot create pid file /stunnel.pid
    Feb 20 15:12:11 kickstart stunnel: LOG3[2505:140354907637824]: create: Permission denied (13)

If I change the chroot directory to /var/run/stunnel/ it works! SELinux doesn't block the creation of the stunnel PID file. But if I reboot, the /var/run/stunnel directory is dropped!

What is the best way to manage stunnel with systemd without disabling SELinux? Maybe change some SELinux configuration?
Thank you,
    [Service]
    Type=forking
    #PrivateTmp=yes
    EnvironmentFile=-/etc/stunnel/stunnel.conf
    #PermissionsStartOnly=true
    ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
    ExecStartPre=/usr/bin/chown -R stunnel:stunnel /var/run/stunnel/
    ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
    #ExecStop=/usr/bin/kill `/usr/bin/cat /var/run/stunnel/stunnel.pid`
    RemainAfterExit=yes
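A way to keep the PID directory across reboots without relaxing SELinux, given here as an added example rather than the poster's own configuration: a tmpfiles.d entry makes systemd recreate /run/stunnel (the tmpfs behind /var/run) at every boot with the right owner, so the mkdir/chown in ExecStartPre= is no longer needed, and the unit gains PIDFile= so that systemd tracks the daemon stunnel forks and can stop it cleanly. Paths, the stunnel user and group, the certificate location and the [https] service are those from the question; the directory mode 0750 is an assumption.

```ini
# /etc/tmpfiles.d/stunnel.conf  (added example)
# systemd-tmpfiles-setup.service applies this at boot; "d" creates the
# directory if missing and sets owner/group, so it survives the tmpfs reset.
# type  path          mode  user     group    age
d       /run/stunnel  0750  stunnel  stunnel  -

# /etc/systemd/system/stunnel.service  (added example)
[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
After=network.target

[Service]
Type=forking
# stunnel chroots into /var/run/stunnel and writes "/stunnel.pid" inside it,
# so on the host the file is /var/run/stunnel/stunnel.pid.
PIDFile=/var/run/stunnel/stunnel.pid
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
# No ExecStop=: systemd sends SIGTERM to the PID from PIDFile= on "stop".
# No EnvironmentFile=: stunnel.conf is not a KEY=VALUE environment file.
# No RemainAfterExit=: with it set, the unit stays "active" even after
# stunnel dies, which hides a crashed daemon from "systemctl status".

[Install]
WantedBy=multi-user.target

; /etc/stunnel/stunnel.conf  (added example; same settings as the question,
; with the chroot moved to the directory tmpfiles.d now recreates)
cert = /etc/stunnel/ssl/stunnel.crt
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid

[https]
accept = 443
connect = 80
```

To apply without rebooting: `systemd-tmpfiles --create /etc/tmpfiles.d/stunnel.conf` creates the directory right away, then `systemctl daemon-reload` and `systemctl enable --now stunnel`. This keeps the PID file under /var/run/stunnel, which the question already shows the SELinux policy permits; if the chroot really has to stay under /var/chroot/stunnel, the better course is to read the denial with `ausearch -m avc -ts recent` and give that directory the file context the policy expects, rather than switching SELinux off.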