Hey,

I'm writing some code based on this example for the Axum web framework: https://github.com/tokio-rs/axum/tree/main/examples/unix-domain-socket

The idea is to have an application running and listening on a unix domain socket (UDS) in /run/axum/foo/socket and then have it exposed via Nginx. The UDS has the following label: unconfined_u:object_r:var_run_t:s0.

I've found that I can only make it work if I build and install the following SELinux module:

================================
# Types and classes the rules below refer to; they have to be declared
# in a require block before an allow rule can use them.
require {
	type unconfined_t;
	type var_run_t;
	type httpd_t;
	class unix_stream_socket connectto;
	class sock_file write;
}

# Let nginx (httpd_t) connect to a listening stream socket whose owning
# process runs as unconfined_t (the application).
allow httpd_t unconfined_t:unix_stream_socket connectto;

# Let nginx write to the socket file itself, which is labelled var_run_t.
allow httpd_t var_run_t:sock_file write;
================================

If not, then I get the following errors when trying to access the web page which Nginx is expected to proxy to the UDS:

type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

Note how I specifically don't want to connect Nginx to the application with a TCP socket. This is for security reasons (with a UDS, I can better control which user accounts can access the socket), and because I don't want to use some random TCP port which might some day conflict with another application.

Two questions:

1) Could I make use of some SELinux bool(s) to obtain the same effect? (I would prefer not to have to manage home-made SELinux modules.)

2) I'm concerned about audit2allow having introduced "unconfined" in the policy; that sounds excessively intrusive. Is there a way to write the policy without involving something unconstrained?

-- 
Regards,
Troels
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
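The post's second question is really about reviewing what audit2allow produces before installing it. The script below is an added example, not part of Troels' message or of audit2allow itself: it turns AVC denial lines into one allow rule per denied permission (the same shape audit2allow prints), assembles them into a .te module skeleton, and flags every rule whose target is an unconfined type so it is reviewed rather than loaded blindly. The two AVC lines are the ones quoted in the post; the module name axum_nginx and the parsing logic are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a minimal audit2allow-style
# pass over AVC denials that also flags rules targeting unconfined domains.

# Constructed sample: the two denials quoted in the post, one per line.
AVC_SAMPLE='type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'

# avc_to_allow: read AVC lines on stdin, emit "allow <src> <tgt>:<class> <perm>;"
# for every permission listed between the braces of each denial.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        src = ""; tgt = ""; cls = ""; perms = ""
        # Permissions sit between braces, e.g. "{ connectto }" or "{ read write }".
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # The type is the third field of a user:role:type[:range] context.
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            printf "allow %s %s:%s %s;\n", src, tgt, cls, p[j]
    }'
}

# flag_unconfined: keep only rules whose target type is an unconfined_* type.
# These are the rules the post is uneasy about; they deserve a second look.
flag_unconfined() {
    grep -E '^allow [A-Za-z0-9_]+ unconfined_[A-Za-z0-9_]*:' || true
}

# rules_to_te: wrap allow rules (stdin) into a .te module named $1 with the
# require block that checkmodule needs; the module name is a hypothetical one.
rules_to_te() {
    awk -v mod="$1" '
    /^allow / {
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perm = $4; sub(/;$/, "", perm)
        types[src] = 1; types[tgt] = 1
        if (cls in classes) {
            if (index(" " classes[cls] " ", " " perm " ") == 0)
                classes[cls] = classes[cls] " " perm
        } else classes[cls] = perm
        rules[++n] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "\ttype %s;\n", t
        for (c in classes) {
            pl = classes[c]
            if (index(pl, " ")) pl = "{ " pl " }"
            printf "\tclass %s %s;\n", c, pl
        }
        printf "}\n\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Demo on the constructed sample: the derived rules, a review marker for any
# rule granting access to an unconfined target, and the module skeleton.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | flag_unconfined |
    sed 's/^/REVIEW (unconfined target): /'
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | rules_to_te axum_nginx
```

Feed it real denials with `ausearch -m AVC -ts recent | ./script.sh`-style plumbing by replacing the sample, and treat any line marked REVIEW as a signal to look at the listening process's domain and the socket's file label before deciding whether the rule belongs in a module at all.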