If your nginx is running as httpd_t, /var/run/httpd or /var/run/nginx are two good places to start for the socket you're connecting to:

grep httpd_var_run_t /etc/selinux/targeted/contexts/files/file_contexts
/var/run/wsgi.* -s system_u:object_r:httpd_var_run_t:s0
/var/run/mod_.* system_u:object_r:httpd_var_run_t:s0
/var/run/httpd.* system_u:object_r:httpd_var_run_t:s0
/var/run/nginx.* system_u:object_r:httpd_var_run_t:s0
/var/run/apache.* system_u:object_r:httpd_var_run_t:s0
/var/run/php-fpm(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/run/lighttpd(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/lib/php/wsdlcache(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/run/dirsrv/admin-serv.* system_u:object_r:httpd_var_run_t:s0
/var/opt/rh/rh-nginx18/run/nginx(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/www/openshift/broker/httpd/run(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/www/openshift/console/httpd/run(/.*)? system_u:object_r:httpd_var_run_t:s0
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/run/thttpd\.pid -- system_u:object_r:httpd_var_run_t:s0
/var/run/gcache_port -s system_u:object_r:httpd_var_run_t:s0
/var/run/cherokee\.pid -- system_u:object_r:httpd_var_run_t:s0


sesearch -A -C -s httpd_t -c sock_file -p write | grep httpd_var_run_t
   allow httpd_t httpd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;



On Tue, Sep 13, 2016 at 1:35 PM Yuri Kanivetsky <yuri.kanivetsky@gmail.com> wrote:
Hi,

I'm trying to make nginx talk to an app over a socket. Actually, I seem
to have succeeded, but I'm concerned whether the policy I installed is a
good one.

Here's what I see in audit.log when nginx tries to connect to my app:


type=AVC msg=audit(1473789962.311:2330): avc:  denied  { write } for
pid=16814 comm="nginx" name="a1.sock" dev="dm-0" ino=525810
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1473789962.311:2330): arch=c000003e syscall=42
success=no exit=-13 a0=d a1=188a730 a2=6e a3=7ffde6992400 items=0
ppid=16813 pid=16814 auid=4294967295 uid=995 gid=993 euid=995 suid=995
fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
key=(null)


And here's what audit2allow has generated:


module nginx 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;


The question is, "Is httpd_sys_content_t an appropriate type for the
task?" Is there one that suits better? Or should I create a
separate one?

Regards,
Yuri
--
selinux mailing list
selinux@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Jeremy Young
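As an added example (my own, not code from either message in this thread), the POSIX sh script below pulls the source type, target type, class and permission out of the AVC record Yuri posted, checks which of the httpd_var_run_t file_contexts entries from Jeremy's grep a candidate socket path would match, and, when run on the SELinux host itself, uses matchpathcon and sesearch to confirm that httpd_t may already write to a sock_file of that type. The AVC record and the file_contexts excerpt are constructed from the ones quoted above; the socket paths /var/run/nginx/a1.sock, /usr/share/nginx/html/a1.sock and /srv/app/run are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the thread): parse the AVC denial from the question,
# see which file_contexts entry a candidate socket path would match, and (on a
# real host) confirm httpd_t may write to a sock_file of that type.
# Socket paths used here are assumptions for illustration.

# Constructed AVC record, in the shape of the audit.log line in the question.
SAMPLE_AVC='type=AVC msg=audit(1473789962.311:2330): avc:  denied  { write } for pid=16814 comm="nginx" name="a1.sock" dev="dm-0" ino=525810 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file'

# Constructed excerpt of file_contexts (format: regex [file-type flag] context),
# a subset of the httpd_var_run_t entries shown by the grep in the reply.
SAMPLE_FILE_CONTEXTS='/var/run/wsgi.* -s system_u:object_r:httpd_var_run_t:s0
/var/run/mod_.* system_u:object_r:httpd_var_run_t:s0
/var/run/httpd.* system_u:object_r:httpd_var_run_t:s0
/var/run/nginx.* system_u:object_r:httpd_var_run_t:s0
/var/run/php-fpm(/.*)? system_u:object_r:httpd_var_run_t:s0
/var/run/thttpd\.pid -- system_u:object_r:httpd_var_run_t:s0'

# avc_field RECORD KEY: value of KEY=value in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type RECORD KEY: the SELinux type (third field) of a context field
# such as scontext or tcontext.
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# avc_perm RECORD: the permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# fcontext_for_path PATH: type of the last SAMPLE_FILE_CONTEXTS entry matching
# PATH, empty if none. file_contexts regexes are anchored at both ends. On a real
# host use matchpathcon, which applies the full database and its precedence rules.
fcontext_for_path() {
    fc_path=$1
    fc_found=
    while read -r fc_regex fc_a fc_b; do
        [ -n "$fc_regex" ] || continue
        fc_ctx=${fc_b:-$fc_a}          # middle field is an optional flag (-s, --, ...)
        if printf '%s\n' "$fc_path" | grep -Eq "^$fc_regex\$"; then
            fc_found=$(printf '%s' "$fc_ctx" | cut -d: -f3)
        fi
    done <<EOF
$SAMPLE_FILE_CONTEXTS
EOF
    printf '%s\n' "$fc_found"
}

# check_on_host SOCKET_PATH: run on the SELinux host. Prints the label the path
# would get and the allow rule (if any) letting httpd_t write a sock_file of that
# type; a printed allow rule means no custom module is needed.
check_on_host() {
    sock=$1
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not installed (libselinux-utils); skipping host checks"
        return 0
    fi
    matchpathcon "$sock"
    ttype=$(matchpathcon -n "$sock" | cut -d: -f3)
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s httpd_t -t "$ttype" -c sock_file -p write
    fi
    # If the socket must live elsewhere, label that directory rather than widening
    # policy (assumed path):
    #   semanage fcontext -a -t httpd_var_run_t '/srv/app/run(/.*)?'
    #   restorecon -Rv /srv/app/run
    # A socket the app recreates on each start inherits the directory's type unless
    # a type_transition rule for the creating domain says otherwise, so the
    # directory label is what matters, not a one-off restorecon on the socket.
}

printf 'denied: %s may not %s %s:%s\n' \
    "$(avc_type "$SAMPLE_AVC" scontext)" "$(avc_perm "$SAMPLE_AVC")" \
    "$(avc_type "$SAMPLE_AVC" tcontext)" "$(avc_field "$SAMPLE_AVC" tclass)"
for p in /var/run/nginx/a1.sock /usr/share/nginx/html/a1.sock; do
    fc=$(fcontext_for_path "$p")
    printf '%s -> %s\n' "$p" "${fc:-no match in this excerpt}"
done
```

On the host, `check_on_host /var/run/nginx/a1.sock` should print a context ending in httpd_var_run_t and the allow rule quoted in the reply. The alternative from audit2allow, `allow httpd_t httpd_sys_content_t:sock_file write`, applies to every sock_file carrying httpd_sys_content_t, not only a1.sock, which is why relabeling the socket's directory is the narrower fix.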