The BOINC client service should be running in a confined context but there appears to be a disconnect in the SELinux transition, probably due to the introduction of a “wrapper script”. Rather than run the client service directly, the systemd unit file executes the wrapper that then runs the service, redirecting stderr and stdout. Unit (boinc_unit_file_t) and binary (boinc_exec_t) files are both correctly tagged but the bash wrapper has default context (bin_t). The result is that the service process runs as unconfined_service_t rather than boinc_t, as intended.

Version-Release number of selected component (if applicable):

The problem is the wrapper script, /usr/bin/boinc. Its function is to redirect detailed logging from BOINC to log files under /var/log.

One alternative that I currently use is to run the BOINC client in daemon mode (forking) directly from the systemd unit file. In daemon mode stderr and stdout are written to files in the working directory, /var/lib/boinc/. These are symbolic links to files in /var/log. This changes the unit file service type from simple to forking. The BOINC client does not have a PID file option but systemd guesses the PID accurately. Either the package or the unit file would need to set up the symbolic links.

My working systemd unit file is attached. Without the wrapper script the SELinux transitions work as expected and the BOINC client runs confined.
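
Added example, not part of the original report or of the BOINC package: a shell check that reads `ps` output and confirms the service process runs in the expected SELinux domain (boinc_t) rather than unconfined_service_t. The process name `boinc_client`, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a service process runs in the expected SELinux
# domain. Input lines have the form "<context> <pid> <comm>", as printed by
#   ps -eo label,pid,comm
# The process name and the sample lines below are constructed assumptions.

# selinux_type CONTEXT -> prints the type (3rd colon-separated field).
# The MLS range may itself contain colons (s0-s0:c0.c1023), so only the
# first three fields are positional.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_domain COMM EXPECTED_TYPE   (reads ps lines on stdin)
# returns 0 = every matching process is in EXPECTED_TYPE
#         1 = at least one matching process is in another domain
#         2 = no matching process was found
check_domain() {
    want_comm=$1
    want_type=$2
    found=0
    bad=0
    while read -r ctx pid name; do
        [ "$name" = "$want_comm" ] || continue
        found=1
        dom=$(selinux_type "$ctx")
        if [ "$dom" != "$want_type" ]; then
            echo "pid $pid ($name) runs as $dom, expected $want_type" >&2
            bad=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# Constructed sample: service started through the bin_t wrapper script.
SAMPLE_WRAPPED='system_u:system_r:init_t:s0 1 systemd
system_u:system_r:unconfined_service_t:s0 2143 boinc_client'

# Constructed sample: boinc_exec_t binary started directly by systemd.
SAMPLE_DIRECT='system_u:system_r:init_t:s0 1 systemd
system_u:system_r:boinc_t:s0-s0:c0.c1023 2143 boinc_client'
```

On a live host the same check is `ps -eo label,pid,comm | check_domain boinc_client boinc_t`, with the process name adjusted to whatever the unit actually starts.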