troels@xxxxxxxx writes:
> Hey,
>
> I'm writing some code based on this example for the Axum web-framework: https://github.com/tokio-rs/axum/tree/main/examples/unix-domain-socket
>
> The idea is to have an application running and listening on a unix domain socket (UDS) in /run/axum/foo/socket and then have it exposed via Nginx. The UDS has the following label: unconfined_u:object_r:var_run_t:s0.
>
> I've found that I can only make it work if I build and install the following SELinux module:
> ================================
> require {
>     type unconfined_t;
>     type var_run_t;
>     type httpd_t;
>     class unix_stream_socket connectto;
>     class sock_file write;
> }
> allow httpd_t unconfined_t:unix_stream_socket connectto;
> allow httpd_t var_run_t:sock_file write;
> ================================
>
> If not, then I get the following errors when trying to access the web page which Nginx is expected to proxy to the UDS:
>
> type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
> type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
>
> Note how I specifically don't want to connect Nginx to the application with a TCP socket. This is for security reasons (with a UDS, I can better control which user accounts can access the socket), and because I don't want to use some random TCP port which might some day conflict with another application.
>
> Two questions:
>
> 1) Could I make use of some SELinux bool(s) to obtain the same effect? (I would prefer not to have to manage home-made SELinux modules.)
>
> 2) I'm concerned about audit2allow having introduced "unconfined" in the policy; that sounds excessively intrusive. Is there a way to write the policy without involving something unconstrained?
>

It's not like audit2allow introduced unconfined. It simply follows the AVC audit event, which says: the nginx command running with system_u:system_r:httpd_t:s0 tries to write into a sock_file with the unconfined_u:object_r:var_run_t:s0 label. So in your system you already have something unconstrained that created the sock_file.

audit2allow just proposed a new module which requires all types and classes with permissions in the AVC and adds new allow rules.

Petr
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
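To make Petr's point concrete, here is a small added example (not from the thread, and not the real audit2allow) that does what audit2allow does with the two AVC denials quoted above: it parses each denial, takes the type field out of scontext and tcontext, and emits a require block plus allow rules. The two AVC lines are copied from the message above into the script as constructed input; the module name nginx_uds and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: the two AVC denials quoted in the thread above.
# They are embedded here so the script runs offline; nothing is read
# from /var/log/audit/audit.log.
AVC_LINES = [
    'type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 '
    'comm="nginx" path="/run/axum/rust-test/socket" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 '
    'comm="nginx" name="socket" dev="tmpfs" ino=1415 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 '
    'tclass=sock_file permissive=0',
]

# One AVC record: the permissions in braces, then the source context,
# target context and object class further along the same line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """A context is user:role:type[:range]; TE allow rules only use the type."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the fields a TE rule needs, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def _perm_list(perms):
    """TE syntax: a single permission is bare, several go in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_module(lines, name='nginx_uds'):
    """Turn a list of AVC denials into a TE module, the way audit2allow does:
    every type and class seen in a denial is required, every denial becomes
    an allow rule. No judgement is applied to which types show up."""
    rules = defaultdict(set)          # (stype, ttype, tclass) -> perms
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)        # tclass -> perms used on it
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {_perm_list(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{cls} {_perm_list(perms)};')
    return '\n'.join(out)


def target_only_types(lines):
    """Types that appear only as the *target* of a denial. These come from the
    label of the object (or peer process) nginx touched, not from nginx itself,
    so they are what the generated module inherits from the rest of the system."""
    sources, targets = set(), set()
    for line in lines:
        d = parse_avc(line)
        if d:
            sources.add(d['stype'])
            targets.add(d['ttype'])
    return targets - sources


if __name__ == '__main__':
    print(build_module(AVC_LINES))
    print('# target-only types:', sorted(target_only_types(AVC_LINES)))
```

Running it reproduces the two allow rules from the original post. target_only_types() returns unconfined_t and var_run_t: unconfined_t is there because the tcontext of the connectto denial is the context of the process that created the listening socket, and var_run_t because that is the label the socket file itself carries. Changing either of those (confining the listener, or labeling the socket with a type httpd_t already handles) changes the rule this tool, or audit2allow, would emit; adding rules against whatever types happen to be present is all either tool does.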