Just want to share some pitfalls on installing dnscrypt-proxy for novice users like me, to avoid some frustration. I did not expect to go down the rabbit hole of SELinux while installing today XD.
On an OS with SELinux, do not move files to /opt (from within home); copy them. Otherwise they keep the `user_home_t` security context, and when the systemd service tries to run the file, it will be AVC denied (only seen in the audit log; systemd merely complains "Failed to locate... Permission denied").
Running as non-root:
When running as a non-root user, the user needs to have write access on the dnscrypt-proxy folder, in order to update the list files (even if they exist and are writable by the user).
The user also needs execution privilege on the dnscrypt-proxy binary, else it cannot run after the process drops from root privilege.
`-service install` will set the working directory in the systemd file as the shell's current directory, so run it from within the folder. If invoked from home by using an absolute path to dnscrypt-proxy, it will set the working directory to the current user's home, which is not accessible by another user.
If using a legit certificate (for DoH), you might want to set the permission on the private key file so others can't read it.
To still own the files (so I can update them easily) while giving access, I think the simplest way is creating a new user with a corresponding login group, and changing the folder's and the key's owner group to the user's group. It works even though the owner (me) is not in the group. Using `nobody` might not be recommended.
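A preflight check for the pitfalls listed in the post above, as an added example that is not part of the original post or of the dnscrypt-proxy project. It assumes GNU `stat`, a binary named `dnscrypt-proxy` inside the install folder, and a service user that is not the file owner and gets access only through the group whose numeric GID is passed in; the function names `audit_install` and `has_bit` are hypothetical.

```sh
#!/bin/sh
# Added example: audit a dnscrypt-proxy install folder for the pitfalls above.
# Usage: audit_install DIR SERVICE_GID [KEY_FILE]
# Prints one line per finding; returns 0 if none, 1 otherwise.

# True if any of the octal permission bits in $2 is set on file $1.
has_bit() {
    [ $(( 0$(stat -c %a "$1") & $2 )) -ne 0 ]
}

audit_install() {
    dir=$1 gid=$2 key=${3:-} bin=$1/dnscrypt-proxy found=0
    note() { echo "FINDING: $*"; found=1; }

    # Files moved (not copied) out of home keep the user_home_t label.
    # On systems without SELinux the stat call fails and the check is skipped.
    for f in "$dir" "$bin"; do
        ctx=$(stat -c %C "$f" 2>/dev/null) || ctx=
        case $ctx in *user_home_t*) note "$f is labelled user_home_t" ;; esac
    done

    # The service user must be able to write the folder to update list files.
    if [ "$(stat -c %g "$dir")" != "$gid" ] || ! has_bit "$dir" 0020; then
        note "$dir is not group-writable by gid $gid"
    fi

    # The binary must stay executable after root privileges are dropped:
    # group bit if the file belongs to the service group, else the other bit.
    if [ "$(stat -c %g "$bin")" = "$gid" ]; then xbit=0010; else xbit=0001; fi
    has_bit "$bin" "$xbit" || note "$bin is not executable by the service user"

    # The private key (DoH certificate) must not be readable by others.
    if [ -n "$key" ] && has_bit "$key" 0004; then
        note "$key is world-readable"
    fi
    return "$found"
}
```

Run it as `audit_install /opt/dnscrypt-proxy "$(getent group GROUPNAME | cut -d: -f3)" /path/to/key.pem`, where the folder, group name and key path are placeholders for your own install.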