I was configuring my architecture with CoreOS, SystemD services, and Quadlet, but SELinux stopped me. I want to generate keys directly on the Host via ssh-keygen from a SystemD service, but SELinux doesn’t allow it.
I found a workaround by generating the command in a temporary container, but I’d like to know if anyone has an idea why there are restrictions on the ssh-keygen command when all I’m trying to do is generate a key pair ?
I know I could modify SELinux to get it to work directly via SystemD, but without understanding the reason for the restriction, I preferred not to touch it.
For anyone else who might encounter the same kind of problem.
I was calling upon my scripts via ExecStart=bash /etc/systemd/system/hello.sh; this was providing system_u:system_r:init_t:s0 as the security context, and this was what posed the problem.
I replaced it with ExecStart=/etc/systemd/system/hello.sh, and now everything works.
Thank @siosm you put me on the track to the solution !
Is there/would there be a way to lint systemd units looking for selinux policy violations without running the executables in the unit?
If so it would be an interesting linter tool for people customizing units, something to optionally run before deamon-reload that could warn and make suggestions.
-jef"finally got a microwave in the new apartment, I’m writing this jacked up on 2 day old microwaved coffee"spaleta
It would be difficult. If you are writing a systemd unit, especially a system one, your are an administrator and you should know that you need to read the man pages and check the logs for errors. By default, new systemd units run mostly unconfined, so you should not have to care about SELinux, if you place things in the expected places.
