Hey,
I'm writing some code based on this example for the Axum web-framework: https://github.com/tokio-rs/axum/tree/main/examples/unix-domain-socket
The idea is to have an application running and listening on a unix domain socket (UDS) in /run/axum/foo/socket and then have it exposed via Nginx. The UDS has the following label: unconfined_u:object_r:var_run_t:s0.
I've found that I can only make it work, if I build and install the following SELinux module:
================================
require {
    type unconfined_t;
    type var_run_t;
    type httpd_t;
    class unix_stream_socket connectto;
    class sock_file write;
}

allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
================================
If not, then I get the following errors when trying to access the web page which Nginx is expected to proxy to the UDS.
type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
Note how I specifically don't want to connect Nginx to the application with a TCP socket. This is for security reasons (with a UDS, I can better control which user accounts can access the socket), and because I don't want to use some random TCP port which might some day conflict with another application.
Two questions:
1) Could I make use of some SELinux bool(s) to obtain the same effect? (I would prefer not to have to manage home made SELinux modules.)
2) I'm concerned about audit2allow having introduced "unconfined" in the policy; that sounds excessively intrusive. Is there a way to write the policy without involving something unconstrained?
troels@arvin.dk writes:
> Hey,
> I'm writing some code based on this example for the Axum web-framework: https://github.com/tokio-rs/axum/tree/main/examples/unix-domain-socket
> The idea is to have an application running and listening on a unix domain socket (UDS) in /run/axum/foo/socket and then have it exposed via Nginx. The UDS has the following label: unconfined_u:object_r:var_run_t:s0.
> I've found that I can only make it work, if I build and install the following SELinux module:
> ================================
> require {
>     type unconfined_t;
>     type var_run_t;
>     type httpd_t;
>     class unix_stream_socket connectto;
>     class sock_file write;
> }
>
> allow httpd_t unconfined_t:unix_stream_socket connectto;
> allow httpd_t var_run_t:sock_file write;
> ================================
> If not, then I get the following errors when trying to access the web page which Nginx is expected to proxy to the UDS.
> type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
> type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> Note how I specifically don't want to connect Nginx to the application with a TCP socket. This is for security reasons (with a UDS, I can better control which user accounts can access the socket), and because I don't want to use some random TCP port which might some day conflict with another application.
> Two questions:
> 1) Could I make use of some SELinux bool(s) to obtain the same effect? (I would prefer not to have to manage home made SELinux modules.)
> 2) I'm concerned about audit2allow having introduced "unconfined" in the policy; that sounds excessively intrusive. Is there a way to write the policy without involving something unconstrained?
It's not like audit2allow introduced unconfined. It simply follows the AVC audit event, which says:
the nginx command, running as system_u:system_r:httpd_t:s0, tries to write to a sock_file with the label unconfined_u:object_r:var_run_t:s0.
So on your system you already have something unconstrained that created the sock_file.
audit2allow just proposed a new module which requires all types and classes with permissions from the AVC and adds new allow rules.
Petr
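To make Petr's point concrete, here is a small parser, added as an example and not code from the thread, from audit2allow or from the SELinux project, that reads AVC denial lines, extracts the source and target types, assembles the same require/allow body that audit2allow would propose, and separately reports which target types are unconfined. The sample input is constructed from the two denials quoted in the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in the thread, not a live audit log.
SAMPLE_AVC = """\
type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

# "avc: denied { perm1 perm2 }" carries the denied permissions; everything else is key=value.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial that a policy rule needs, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def perm_set(perms):
    """Render permissions the way a .te file expects: bare name for one, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def generate_te(denials):
    """Build the require block and allow rules from denials, merging perms per (source, target, class).

    This mirrors what audit2allow does: every type and class in the output comes straight
    from the denial, so an unconfined target in the AVC becomes an unconfined type in the rule.
    """
    types, classes, rules = set(), defaultdict(set), defaultdict(set)
    for d in denials:
        types.update((d['source_type'], d['target_type']))
        classes[d['tclass']].update(d['perms'])
        rules[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    out = ['require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {perm_set(p)};' for c, p in sorted(classes.items())]
    out.append('}')
    out.append('')
    out += [f'allow {s} {t}:{c} {perm_set(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out)


def unconfined_targets(denials):
    """Target types that would enter the module only because the object was created by an unconfined domain.

    These are the denials to fix by labelling the socket (or confining its creator) rather than
    by allowing the rule as generated.
    """
    return sorted({d['target_type'] for d in denials if d['target_type'].startswith('unconfined')})


def analyse(text):
    """Parse an audit log excerpt and return (denials, generated .te body, unconfined target types)."""
    denials = [d for d in (parse_avc(line) for line in text.splitlines()) if d]
    return denials, generate_te(denials), unconfined_targets(denials)


if __name__ == '__main__':
    found, te, unconfined = analyse(SAMPLE_AVC)
    print(te)
    if unconfined:
        print('\n# target types created by an unconfined domain:', ', '.join(unconfined))
```

Run against the two denials from the thread, the generated body contains exactly the two allow rules Troels got from audit2allow, and the last line of output points at unconfined_t as a type that is in the module only because the socket's creator was unconfined.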
Hello,
Petr Lautrbach wrote:
> So in your system you already have something unconstrained that created the sock_file.
OK.
Does anyone know if an existing boolean covers the need for nginx to be able to open a unix domain socket file?
If not, I'd like to propose adding such a boolean, so I would submit a ticket in a relevant system. Would that system be https://github.com/SELinuxProject/refpolicy, or Red Hat's bugzilla, or yet another system?
selinux@lists.fedoraproject.org