
I am using CentOS 7.3 with stunnel. If I launch stunnel like this:

stunnel /etc/stunnel/stunnel.conf

Everything works fine!

I would like to manage stunnel with systemd. Here is my stunnel.service:

[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
DefaultDependencies=no
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target
Alias=stunnel.target

[Service]
Type=forking
EnvironmentFile=-/etc/stunnel/stunnel.conf
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
ExecStop=/usr/bin/killall -9 stunnel
RemainAfterExit=yes

And my stunnel.conf:

cert = /etc/stunnel/ssl/stunnel.crt
chroot = /var/chroot/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
[https]
accept = 443
connect = 80

The problem is: if the chroot is /var/chroot/stunnel (directory and permissions are OK!), SELinux blocks the creation of the PID file when I do:

systemctl start stunnel

In my /var/log/secure I have got:

Feb 20 15:12:11 kickstart stunnel: LOG3[2505:140354907637824]: Cannot create pid file /stunnel.pid
Feb 20 15:12:11 kickstart stunnel: LOG3[2505:140354907637824]: create: Permission denied (13)

If I change the chroot directory to /var/run/stunnel/ it works! SELinux doesn't block the creation of the stunnel PID file. But if I reboot, the /var/run/stunnel directory is dropped!

What is the best way to manage stunnel with systemd without disabling SELinux? Maybe change some SELinux configuration?

Thank you,

Djé Djé
  • Take a look at http://serverfault.com/questions/779634/create-a-directory-under-var-run-at-boot – Federico Sierra Feb 20 '17 at 14:39
  • Yeah! It works... I have to drop User and Group of my systemd file. Here is my systemd file:

    [Service]
    Type=forking
    #PrivateTmp=yes
    EnvironmentFile=-/etc/stunnel/stunnel.conf
    #PermissionsStartOnly=true
    ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
    ExecStartPre=/usr/bin/chown -R stunnel:stunnel /var/run/stunnel/
    ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
    #ExecStop=/usr/bin/kill `/usr/bin/cat /var/run/stunnel/stunnel.pid`
    RemainAfterExit=yes

    – Djé Djé Feb 20 '17 at 15:10
  • If your question is solved, please create an answer and accept it. – sebix Feb 20 '17 at 17:26
  • Check /var/log/audit/audit.log for SELinux log entries denying the file creation. Modify the context of the location to allow the file creation. – Jeter-work Aug 21 '18 at 14:58

1 Answer

You should add RuntimeDirectory=stunnel to the "Service" section of your service file. This will create the directory for you.

user47560
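The answer's RuntimeDirectory= approach written out as a complete unit with the matching stunnel.conf, as an example added here (not the asker's or the answerer's files): paths and the [https] service follow the question; the PIDFile, ExecReload, KillSignal and Restart lines are my additions. On CentOS 7 /var/run is /run, so systemd creates /run/stunnel before ExecStart and the pid file lands in the same /var/run location the asker found SELinux already permits, without any mkdir/chown in ExecStartPre and without killall -9.

```ini
# /etc/systemd/system/stunnel.service
[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
After=network.target

[Service]
Type=forking
# systemd creates /run/stunnel (root-owned, mode 0755) before ExecStart and
# removes it on stop, so nothing has to be recreated by hand after a reboot.
RuntimeDirectory=stunnel
# "pid = /stunnel.pid" in stunnel.conf is relative to the chroot, so on the
# host the file is /run/stunnel/stunnel.pid; systemd tracks the daemon from it.
PIDFile=/run/stunnel/stunnel.pid
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
# stunnel re-reads its configuration on SIGHUP
ExecReload=/bin/kill -HUP $MAINPID
# Stop the main process with SIGTERM instead of "killall -9 stunnel", so
# open sessions are closed cleanly and the pid file can be removed.
KillSignal=SIGTERM
Restart=on-failure
# Only if the pid file is still denied on your build (pid created after
# setuid), hand the directory to the stunnel user as the asker did:
#ExecStartPre=/usr/bin/chown stunnel:stunnel /run/stunnel

[Install]
WantedBy=multi-user.target

; /etc/stunnel/stunnel.conf
cert = /etc/stunnel/ssl/stunnel.crt
; the chroot is the directory systemd manages through RuntimeDirectory=
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
; relative to the chroot: /var/run/stunnel/stunnel.pid on the host
pid = /stunnel.pid

[https]
accept = 443
connect = 80
```

After editing the unit, run `systemctl daemon-reload` before `systemctl start stunnel`; if a denial still appears, the audit.log check from the comments above (`ausearch -m avc -c stunnel`) shows which context was refused.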