SELinux 'var_t' base type warning

ExcellentAverage asked:

I am currently ‘lost’ in the CentOS SELinux forest.

My setup involves setting up a WSGI socket in /var/www/demo/out which nginx uses to communicate with the UWSGI process. Whenever I request the page in my browser I get an nginx error.

Why is this SELinux related?

  • Disabling Selinux with setenforce 0 fixes it.
  • /var/log/audit/audit.log and audit2why display a denied and missing type enforcement (TE) allow rule.

I have tried adding the httpd_sys_content_t label to the socket so nginx was allowed to read and write to the socket file, running restorecon after adding the new label.

Running the violation through audit2allow returns the following policy:

module nginx 1.0;

require {
        type httpd_t;
        type var_t;
        type httpd_sys_content_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;

#!!!! WARNING: 'var_t' is a base type.
allow httpd_t var_t:sock_file write;

The first rule I understand; however, what is the second rule conveying? I am guessing that because the nginx process is requesting a tcontext that has var_t in it, a new SELinux policy is required that includes this new context?

So why is this warning here? Is it complaining that adding a directory like var to a policy is too general / isn’t specific enough? If this is the case, can’t this policy be narrowed to something like var_www_t? Also, if this is the case, then why is the uwsgi process, which is running under a non-root user, allowed to write to the socket?

My answer:

Consider placing your socket in a location where SELinux already expects it to be.

# semanage fcontext -l | grep httpd_var_run_t | grep wsgi
/var/run/wsgi.*                                    socket             system_u:object_r:httpd_var_run_t:s0 

Thus, if you create /run/wsgi.anything and use that as the socket then it will work perfectly. Keep in mind that since this is a temporary directory cleared on every boot, you should create the socket yourself at startup, usually with a tmpfiles.d configuration. For example:

p+ /run/wsgi.anything 0660 user group - -
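As an added illustration (not part of the answer above or of the Server Fault thread), this Python sketch emulates what audit2allow does with denials like the ones in the question: it parses AVC records, groups them into allow rules and flags a rule whose target is a base type such as var_t. The audit.log lines are constructed, and the BASE_TYPES set is an assumption; the real tool derives that set from the loaded policy.

```python
import re
from collections import defaultdict

# Constructed audit.log AVC lines modelled on the question; the second yields the var_t rule.
AVC_LINES = [
    'type=AVC msg=audit(1500000000.100:101): avc:  denied  { write } for  pid=2001 comm="nginx" '
    'name="uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1500000000.200:102): avc:  denied  { write } for  pid=2001 comm="nginx" '
    'name="uwsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0',
]

# Types treated as too generic to grant access to (assumption: the real tool reads these from policy).
BASE_TYPES = {"var_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S*\s+tclass=(?P<tclass>\w+)"
)


def parse_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # SYSCALL, USER_AVC and other record types are skipped
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def _perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_policy(lines, module="nginx"):
    """Render a TE module in the audit2allow style, warning on base types."""
    rules = parse_denials(lines)
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"\tclass {c} {_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        if ttype in BASE_TYPES:  # granting a whole base type is far broader than the one socket
            out.append(f"#!!!! WARNING: '{ttype}' is a base type.")
        out.append(f"allow {stype} {ttype}:{cls} {_perms(perms)};")
    return "\n".join(out)
```

The warning is attached to the rule whose tcontext carried var_t, which is why a socket that already lands on a specific type such as httpd_var_run_t avoids both the denial and the overly broad rule.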

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.