ExcellentAverage asked:
I am currently ‘lost’ in the CentOS SELinux forest.
My setup involves setting up a WSGI socket in /var/www/demo/out
which nginx uses to communicate with the UWSGI process. Whenever I request the page in my browser I get an nginx error.
Why is this SELinux related?

- Disabling SELinux with `setenforce 0` fixes it.
- /var/log/audit/audit.log and audit2why display a `denied` and `missing type enforcement (TE) allow rule`.
I have tried adding the `httpd_sys_content_t` label to the socket so nginx was allowed to read and write to the socket file, running restorecon after adding the new label.
Running the violation through audit2allow returns the following policy:

```
module nginx 1.0;

require {
	type httpd_t;
	type var_t;
	type httpd_sys_content_t;
	class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;

#!!!! WARNING: 'var_t' is a base type.
allow httpd_t var_t:sock_file write;
```
The first rule I understand, however what is the second rule conveying? I am guessing that because the nginx process is requesting a tcontext that has `var_t` in it, a new SELinux policy is required that includes this new context?

So why is this warning here? Is it complaining that adding a directory like var to a policy is too general / isn’t specific enough? If this is the case, can’t this policy be narrowed to something like `var_www_t`? Also, if this is the case, then why is the uwsgi process, which is running under a non-root user, allowed to write to the socket?
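As an added example (not part of the question or the answer above), the following parses AVC `denied` records of the kind audit2why reports, renders them in the same module layout audit2allow produced, and reproduces the "base type" warning for broad targets such as `var_t`. The audit lines and the list of base types are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches one AVC denial record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+).*?tcontext=(?P<tgt>\S+).*?tclass=(?P<cls>\S+)"
)
# Generic file types that audit2allow flags as a "base type" (hand-picked list; assumption).
BASE_TYPES = {"var_t", "etc_t", "usr_t", "tmp_t", "root_t"}

# Constructed sample: nginx (httpd_t) denied write on a socket labelled var_t, then httpd_sys_content_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1436194879.120:311): avc:  denied  { write } for  pid=2211 comm="nginx" name="demo.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1436194879.120:311): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1436194901.555:318): avc:  denied  { write } for  pid=2211 comm="nginx" name="demo.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0
"""

@dataclass(frozen=True, order=True)
class Denial:
    source: str   # subject type, e.g. httpd_t
    target: str   # object type, e.g. var_t
    tclass: str   # object class, e.g. sock_file
    perm: str     # denied permission, e.g. write

def parse_avc(line):
    """Return one Denial per denied permission in an AVC line; [] for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return []
    src, tgt = m["src"].split(":")[2], m["tgt"].split(":")[2]   # context = user:role:type:level
    return [Denial(src, tgt, m["cls"], p) for p in m["perms"].split()]

def is_broad(d):
    """True when the target is a base type, i.e. the rule would cover far more than one socket."""
    return d.target in BASE_TYPES

def build_module(name, lines):
    """Render the denials as a TE module in the layout audit2allow prints."""
    denials = sorted({d for line in lines for d in parse_avc(line)})
    perms = {}
    for d in denials:
        perms.setdefault(d.tclass, set()).add(d.perm)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for d in denials for t in (d.source, d.target)})]
    for cls, ps in sorted(perms.items()):
        ps = sorted(ps)
        out.append(f"\tclass {cls} {ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'};")
    out.append("}")
    for d in denials:
        if is_broad(d):
            out.append(f"#!!!! WARNING: '{d.target}' is a base type.")
        out.append(f"allow {d.source} {d.target}:{d.tclass} {d.perm};")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_module("nginx", SAMPLE_AUDIT.splitlines()))
```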
My answer:
Consider placing your socket in a location where SELinux already expects it to be.
```
# semanage fcontext -l | grep httpd_var_run_t | grep wsgi
/var/run/wsgi.*                                    socket             system_u:object_r:httpd_var_run_t:s0
```
Thus if you create `/run/wsgi.anything` and use that as the socket then it will work perfectly. Keep in mind that since this is a temporary directory cleared on every boot, you should create the socket yourself at startup, usually with a tmpfiles.d configuration. For example:

```
p+ /run/wsgi.anything 0660 user group - -
```
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.