Commit f18fb62f authored by Michał Kępień's avatar Michał Kępień

Do not use "scl enable" when starting named

Using "scl enable" in a systemd unit file prevents the service that is being
started from transitioning into a confined SELinux domain.  Since named
is built with -rpath and thus it is able to find the shared libraries it
is linked against even without LD_LIBRARY_PATH being set to the SCL's
library directory, invoke the named binary directly in the unit file to
ensure it transitions to the desired SELinux domain upon startup.  Apply
the same change to the CentOS 6 init script for consistency.
parent 0d1dcef1
......@@ -9,10 +9,10 @@
##### Macro and variable definitions
%define replace_tokens \
sed \\\
-e "s|@LOCALSTATEDIR@|%{_localstatedir}|g;" \\\
-e "s|@SCL_ENABLE@|%{?scl:/usr/bin/scl enable %{scl} -- %{_scl_root}}|g;" \\\
%define replace_tokens \
sed \\\
-e "s|@LOCALSTATEDIR@|%{_localstatedir}|g;" \\\
-e "s|@SCL_ROOT@|%{?_scl_root}|g;" \\\
-e "s|@SYSCONFDIR@|%{_sysconfdir}|g;"
# On some systems, %%scl_prefix is a macro rather than a %%global variable;
......@@ -378,6 +378,9 @@ fi
%postun
%if %{with systemd}
%if 0%{?rhel} >= 8 || 0%{?fedora} >= 24
systemctl daemon-reload >/dev/null 2>&1 || :
%endif
%systemd_postun_with_restart %{service_name}.service
%else
if [ "$1" -eq 1 ]; then
......@@ -19,7 +19,7 @@ start() {
echo "already running"
return 0
fi
@SCL_ENABLE@/usr/sbin/named -u named ${OPTIONS} && success || failure
@SCL_ROOT@/usr/sbin/named -u named ${OPTIONS} && success || failure
RETVAL=$?
echo
return ${RETVAL}
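Review bot: The SELinux benefit of the new `@SCL_ROOT@/usr/sbin/named` call depends on a condition the init script cannot check itself: a SysV start runs in initrc_t and only reaches named_t if the binary under the SCL root is labeled named_exec_t, and if that label is missing named simply keeps running in initrc_t with no error. Whether the package ships a file-context equivalence for the SCL root is not visible in this change, so this is worth confirming on an installed system (`ps -eZ | grep named`) rather than assumed. A short comment above the call would record the reasoning the commit message gives, so the wrapper is not reintroduced later: `# exec the SCL binary directly (its rpath resolves the libs); a direct exec is what lets SELinux transition initrc_t -> named_t`. The enclosing start() function begins outside the hunk.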
......@@ -5,7 +5,7 @@ After=network.target
Type=forking
EnvironmentFile=-@SYSCONFDIR@/sysconfig/named
PIDFile=@LOCALSTATEDIR@/run/named/named.pid
ExecStart=@SCL_ENABLE@/usr/sbin/named -u named $OPTIONS
ExecStart=@SCL_ROOT@/usr/sbin/named -u named $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -TERM $MAINPID
PrivateTmp=true
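Review bot: The confinement the new `ExecStart=` line is meant to provide only happens if the file systemd actually executes, the named binary under the SCL root rather than `/usr/sbin/named`, carries the named_exec_t entry-point label in the installed policy; stock file contexts cover `/usr/sbin/named`, and nothing in this change shows the SCL root path getting the same label, so the transition should be verified after install rather than inferred from the unit. Dropping `scl enable` also drops whatever the SCL's enable script exported (PATH, LD_LIBRARY_PATH and similar), so any process named spawns no longer inherits those paths; presumably nothing here relies on that, but it is a behavioural change beyond the SELinux one. A comment in the unit would keep the next maintainer from reverting to the wrapper: `# Exec the SCL binary directly (not via "scl enable"): it is built with -rpath, and a direct exec lets systemd transition named into its confined SELinux domain; the binary must be labeled named_exec_t.`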