[selinux] Re: Idiomatic solution for tiny systemd "services"?

Miroslav Grepl mgrepl at redhat.com
Mon Feb 16 10:21:29 UTC 2015


On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
> On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
>> On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
>>> Hey all.  I have a tiny web service that I'm running with a ruby
>>> script in ~/.rvm/ , and I'd like to run it out of systemd (just
>>> to keep it running always), but init_t can't read or execute
>>> user_home_t.
>>>
>>> Nor can init_t run runcon.
>>>
>>> Basically, I can't figure out any way to transition from
>>> systemd's init_t to my user's type (staff_t).
>>>
>>> So what's the idiomatic way to handle that sort of thing?
>>>
>> init_t should be transitioning to a context that can read content
>> in the users homedir.  What is the label on the ruby script?
> user_home_t; I had no idea what to try.
>
>> Which policy are you using?
> Whatever comes with F20.
>
>> Do you have unconfined.pp disabled?
> Yes.
>
>> Also do you have the actual avcs you are seeing?
> Uh, not anymore I'm afraid; I had to find a workaround and move on.
> I can regenerate them if it's important?
>
How does your unit file look for this service?
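As an added example that is not part of the thread: a small Python helper that groups the AVC denials Dan asks for by source type, target type and object class, so a reply can state in one line what init_t was denied on user_home_t. The audit lines below are constructed to mirror the case above (pids, inode numbers and timestamps are made up); on a real box they would come from `ausearch -m avc`.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the thread) of the shape that
# "ausearch -m avc" prints when init_t tries to run a script labelled
# user_home_t; pids, inode numbers and timestamps are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1423987200.101:301): avc:  denied  { read } for  pid=1234 comm="(ruby)" name="server.rb" dev="dm-0" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1423987200.102:302): avc:  denied  { execute } for  pid=1234 comm="(ruby)" name="server.rb" dev="dm-0" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1423987200.103:303): avc:  denied  { search } for  pid=1234 comm="(ruby)" name=".rvm" dev="dm-0" ino=4200 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1423987200.104:304): avc:  denied  { getattr } for  pid=1250 comm="nginx" path="/etc/foo.conf" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Pull the permission set, source/target contexts and object class out of one line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """Yield one dict per AVC denial line: source type, target type, class, perms."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "stype": m.group("scontext").split(":")[2],   # user:role:TYPE:level
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        }


def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    out = defaultdict(set)
    for d in parse_avcs(text):
        out[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(out)


def init_home_denials(text):
    """Keep only the pattern the thread describes: init_t touching home content."""
    return {k: v for k, v in summarize(text).items()
            if k[0] == "init_t" and k[1] == "user_home_t"}
```

Running `init_home_denials(SAMPLE_AUDIT)` yields `{('init_t', 'user_home_t', 'file'): {'read', 'execute'}, ('init_t', 'user_home_t', 'dir'): {'search'}}`, which is the summary Dan's question is after.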