Running a Spring Boot JAR service with SELinux enabled

Just a quick reminder of how to run a Spring Boot JAR (or any other self-executable JAR) with SELinux enabled:

chcon --type=java_exec_t /opt/myapp/spring-boot-app.jar

A chcon label is lost on the next relabel, so to make it persistent you have to register a file context rule using the bin_exec_t type, as java_exec_t is just an alias:

# apply the bin_exec_t
semanage fcontext -a -t bin_exec_t /opt/myapp/spring-boot-app.jar
# restore SELinux contexts
restorecon -R /opt/myapp

ll -Z /opt/myapp
# should look like
# -rwxr-xr-x. 1 myapp myapp unconfined_u:object_r:bin_t:s0 26500195 Aug 28 08:34 myapp.jar

To let systemd start this service, you have to create a systemd unit file at /etc/systemd/system/myapp.service:

[Unit]
Description=My Spring Boot application
After=syslog.target network.target

[Service]
ExecStart=/opt/myapp/spring-boot-app.jar
EnvironmentFile=-/etc/sysconfig/myapp
SuccessExitStatus=143
User=pwss

[Install]
WantedBy=multi-user.target

And don't forget to create the service user, reload the systemd units and enable myapp.service.
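Putting the steps above together, here is an added shell helper (not from the original post) that applies them for a given app name, JAR path and service user, plus a small check that parses an `ls -Z` listing to confirm the JAR ended up with an executable SELinux type. The app name, the paths and the `myapp` user are assumptions; with `DRY_RUN=1` (the default) the privileged commands are printed instead of executed, so it runs without root or SELinux.

```shell
#!/bin/sh
# Added example, not from the original post: deploy a self-executable JAR as a
# systemd service on an SELinux host, and verify its label afterwards.
# Assumptions (hypothetical): app "myapp", JAR /opt/myapp/spring-boot-app.jar,
# service user "myapp". DRY_RUN=1 prints privileged commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Run a privileged command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Render the unit file from the post for APP, JAR and USER. The leading "-" on
# EnvironmentFile keeps a missing /etc/sysconfig/<app> from failing the start.
render_unit() {
    app="$1"; jar="$2"; user="$3"
    cat <<EOF
[Unit]
Description=$app Spring Boot application
After=syslog.target network.target

[Service]
ExecStart=$jar
EnvironmentFile=-/etc/sysconfig/$app
SuccessExitStatus=143
User=$user

[Install]
WantedBy=multi-user.target
EOF
}

# Extract the SELinux type (third field of user:role:type:level) from one
# "ls -lZ" output line; the context is the 5th whitespace-separated column.
selinux_type_of() {
    ctx=$(printf '%s\n' "$1" | awk '{print $5}')
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Return 0 when the listing shows an executable type. The post's own listing
# ends up as bin_t, and java_exec_t is the alias it used with chcon.
jar_context_ok() {
    case "$(selinux_type_of "$1")" in
        bin_t|java_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Full sequence: service user, persistent fcontext rule (type name as in the
# post), relabel, unit file, daemon-reload, enable.
deploy_spring_boot_service() {
    app="$1"; jar="$2"; user="$3"
    dir=$(dirname "$jar")
    run useradd --system --no-create-home --shell /sbin/nologin "$user"
    run semanage fcontext -a -t bin_exec_t "$jar"
    run restorecon -R "$dir"
    if [ "$DRY_RUN" = "1" ]; then
        printf 'write /etc/systemd/system/%s.service\n' "$app"
    else
        render_unit "$app" "$jar" "$user" > "/etc/systemd/system/$app.service"
    fi
    run systemctl daemon-reload
    run systemctl enable --now "$app.service"
}

# Dry run of the whole procedure, then check a constructed "ls -lZ" line.
deploy_spring_boot_service myapp /opt/myapp/spring-boot-app.jar myapp
sample='-rwxr-xr-x. 1 myapp myapp unconfined_u:object_r:bin_t:s0 26500195 Aug 28 08:34 spring-boot-app.jar'
if jar_context_ok "$sample"; then
    echo "label ok: $(selinux_type_of "$sample")"
else
    echo "label NOT executable: $(selinux_type_of "$sample")" >&2
fi
```

After a real run (`DRY_RUN=0` as root), feed the actual `ls -lZ /opt/myapp/spring-boot-app.jar` line to `jar_context_ok`; a JAR still labelled with a data type such as `usr_t` is the usual reason the service fails with a permission denied from systemd. `SuccessExitStatus=143` is there because the JVM exits with 128 + 15 when systemd sends SIGTERM on stop, and without it the unit is reported as failed.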