Hi,
I'm trying to make nginx talk to an app over a socket. Actually, I seem
to have succeeded, but I'm concerned whether the policy I installed is a
good one.
Here's what I see in audit.log when nginx tries to connect to my app:
type=AVC msg=audit(1473789962.311:2330): avc: denied { write } for
pid=16814 comm="nginx" name="a1.sock" dev="dm-0" ino=525810
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1473789962.311:2330): arch=c000003e syscall=42
success=no exit=-13 a0=d a1=188a730 a2=6e a3=7ffde6992400 items=0
ppid=16813 pid=16814 auid=4294967295 uid=995 gid=993 euid=995 suid=995
fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
key=(null)
And here's what audit2allow has generated:
module nginx 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;
The question is, "Is httpd_sys_content_t an appropriate type for the
task?" Is there one that suits better? Or should I create a separate
one?
Regards,
Yuri
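As an added example (not part of Yuri's message, and not output of any SELinux tool), the following script parses the AVC record quoted above, reproduces the allow rule that audit2allow derived from it, and then reviews that rule the way a policy reviewer would before installing it: it points out that the rule covers every sock_file labelled httpd_sys_content_t rather than just a1.sock, and flags the labelling mismatch, since *_content_t types are meant for static content that httpd serves, not for runtime sockets. The heuristics in review_rule, the SAMPLE_AVC string (the post's own record joined onto one line) and the function names are this example's assumptions. The suggestion to relabel the socket with a runtime type such as httpd_var_run_t is what to verify on the target system (for example with sesearch on the loaded policy) rather than a fact taken from the post.

```python
import re

# Constructed sample: the AVC record from the post, joined onto one line
# the way it appears in /var/log/audit/audit.log.
SAMPLE_AVC = (
    'type=AVC msg=audit(1473789962.311:2330): avc: denied { write } for '
    'pid=16814 comm="nginx" name="a1.sock" dev="dm-0" ino=525810 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file'
)

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract the pieces of an AVC denial that a policy rule is built from.

    Returns None for lines that are not AVC denials (e.g. the SYSCALL record).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        'perms': m.group('perms').split(),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def allow_rule(d):
    """Render the minimal allow rule for a parsed denial, in audit2allow's style."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perms};"


def review_rule(d):
    """Heuristic review of a proposed allow rule; returns a list of findings.

    The checks are this example's assumptions about sensible labelling, not
    output of any SELinux tool.
    """
    findings = []
    # A type-level rule is never scoped to one path: it grants the permission
    # on every object of that class carrying the target type.
    findings.append(
        f"rule grants {d['source_type']} '{' '.join(d['perms'])}' on every "
        f"{d['tclass']} labelled {d['target_type']}, not only on '{d['name']}'"
    )
    # *_content_t types exist for static content a web server reads and serves;
    # a runtime object (socket, pid file) carrying such a type usually means
    # the object was created in a content directory without a proper file
    # context, and relabelling is preferable to widening the policy.
    if d['tclass'] == 'sock_file' and d['target_type'].endswith('_content_t'):
        findings.append(
            f"{d['target_type']} is a content type; consider relabelling "
            f"'{d['name']}' with a runtime type (e.g. httpd_var_run_t, to be "
            "confirmed against the loaded policy with sesearch) instead of "
            "allowing sock_file access to content"
        )
    return findings


if __name__ == '__main__':
    parsed = parse_avc(SAMPLE_AVC)
    print(allow_rule(parsed))
    for finding in review_rule(parsed):
        print('-', finding)
```

Feed it real records with `grep ^type=AVC /var/log/audit/audit.log` piped into parse_avc line by line; records that are not AVC denials return None and can be skipped.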