Selinux 'var_t' base type warning

ExcellentAverage asked:

I am currently ‘lost’ in the CentOS Selinux forest.

My setup involves setting up a WSGI socket in /var/www/demo/out which nginx uses to communicate with the UWSGI process. Whenever I request the page in my browser I get an nginx error.

Why is this Selinux related?

• Disabling Selinux with setenforce 0 fixes it.
• /var/log/audit/audit.log and audit2why display a denied and missing type enforcement (TE) allow rule

I have tried adding the httpd_sys_content_t label to the socket so nginx was allowed to read and write to the socket file, restorecon after adding the new label.

Running the violation through audit2allow returns the following policy:

module nginx 1.0;

require {
        type httpd_t;
        type var_t;
        type httpd_sys_content_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;

#!!!! WARNING: 'var_t' is a base type.
allow httpd_t var_t:sock_file write;

The first rule I understand, however what is the second rule conveying? I am guessing because the nginx process is requesting a tcontext that has var_t in it a new selinux policy is required that includes this new context?

So why is this warning here? Is it complaining that adding a directory like var to a policy is too general / isn’t specific enough? If this is the case, can’t this policy be narrowed to something like var_www_t? Also if this is the case then why is the uwsgi process, which is running under a non root user, allowed to write to the socket?