Re: Any booleans which can make nginx connect to a UDS?

troels@xxxxxxxx writes:

> Hey,
>
> I'm writing some code based on this example for the Axum web-framework: https://github.com/tokio-rs/axum/tree/main/examples/unix-domain-socket
>
> The idea is to have an application running and listening on a unix domain socket (UDS) in /run/axum/foo/socket and then have it exposed via Nginx. The UDS has the following label: unconfined_u:object_r:var_run_t:s0.
>
> I've found that I can only make it work, if I build and install the following SELinux module:
> ================================
> require {
> 	type unconfined_t;
> 	type var_run_t;
> 	type httpd_t;
> 	class unix_stream_socket connectto;
> 	class sock_file write;
> }
> allow httpd_t unconfined_t:unix_stream_socket connectto;
> allow httpd_t var_run_t:sock_file write;
> ================================
>
> If not, then I get the following errors when trying to access the web page which Nginx is expected to proxy to the UDS.
>
> type=AVC msg=audit(1647208194.572:390): avc:  denied  { connectto } for  pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
> type=AVC msg=audit(1648981728.829:612): avc:  denied  { write } for  pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
>
> Note how I specifically don't want to connect Nginx to the application with a TCP socket. This is for security reasons (with a UDS, I can better control which user accounts can access the socket), and because I don't want to use some random TCP port which might some day conflict with another application.
>
> Two questions:
>
> 1) Could I make use of some SELinux bool(s) to obtain the same effect? (I would prefer not to have to manage home made SELinux modules.)
>
> 2) I'm concerned about audit2allow having introduced "unconfined" in the policy; that sounds excessively intrusive. Is there a way to write the policy without involving something unconstrained?
>

It's not like audit2allow introduced unconfined. It simply follows the
AVC audit event, which says:

the nginx command, running as system_u:system_r:httpd_t:s0, tries to write
to a sock_file with the unconfined_u:object_r:var_run_t:s0 label

So on your system you already have something unconstrained which created the sock_file.

audit2allow just proposed a new module which requires all types and classes with
permissions in the AVC and adds new allow rules.

Petr
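To make the reply concrete, here is an added example (not from the original thread or from audit2allow itself) that reads the two AVC records quoted above and derives the same require/allow block the poster got: the source domain comes from scontext, the target type from tcontext, and the class and permission from tclass and the braces. The `unconfined_targets` check is my own addition; it flags rules whose target type is `unconfined_t`, which is exactly what question 2 is worried about.

```python
import re

# Constructed sample input: the two AVC denials quoted in the thread.
AVC_LOG = """\
type=AVC msg=audit(1647208194.572:390): avc:  denied  { connectto } for  pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1648981728.829:612): avc:  denied  { write } for  pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

# permission set in braces, then scontext / tcontext / tclass fields
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Type is the third colon-separated field of user:role:type[:range]."""
    return ctx.split(":")[2]

def parse_avc(log):
    """Return one (source_type, target_type, tclass, perms) tuple per denial."""
    rules = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                          m["tclass"], tuple(m["perms"].split())))
    return rules

def fmt_perms(perms):
    """Single permission bare, several inside braces, as policy syntax wants."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def to_module(rules):
    """Render the require { } block and allow rules in audit2allow's shape."""
    types, classes = set(), {}
    for src, tgt, cls, perms in rules:
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
    out = ["require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out.append("}")
    out += ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p)) for s, t, c, p in rules]
    return "\n".join(out)

def unconfined_targets(rules):
    """Rules that would let the source domain reach an unconfined process;
    these are the ones to review before loading the module (added check)."""
    return [r for r in rules if r[1] == "unconfined_t"]

if __name__ == "__main__":
    rules = parse_avc(AVC_LOG)
    print(to_module(rules))
    for src, tgt, cls, _ in unconfined_targets(rules):
        print("# review: %s -> %s via %s" % (src, tgt, cls))
```

Running it prints the same two allow rules the poster quoted and marks the `connectto` rule against `unconfined_t` for review.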
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx