When setting up nginx with a socket on my newer environment that runs SELinux I am getting the following error:
AVC avc: denied { write } for pid=23704 comm="nginx" name="xxx.sock" dev="nvme0n1p1" ino=17219797 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0
I googled and searched and found multiple things that should solve this; mainly the following should solve it, if I understand correctly:
semanage fcontext -a -t httpd_sys_rw_content_t /opt/run/xxx.sock
restorecon -v /opt/run/xxx.sock
But this still doesn't work and I get the same error. I can't find any further solutions, and I tried audit2allow, which shows the following:
allow httpd_t httpd_sys_content_t:sock_file write;
But when trying to create a module, the whole system kind of freezes (and as I need to do this on every deploy, this is not an option; it is just too big of a rocket to shoot at this problem :D ).
EDIT: When turning off SELinux (setenforce 0) it works, so this is an SELinux issue.
Using nginx version 1.24.0 on Amazon Linux 2023, running it from a systemd service using a socket file (which has the issue).
Debugging further, I see that I get two different errors depending on what I set.
If I set
semanage fcontext -m -t httpd_sys_rw_content_t /opt/run/xxx.sock
I get a { connectto } error in audit.log (same if I do it with the regex (/.*)? after /run):
type=AVC msg=audit(1700228218.821:1725): avc: denied { connectto } for pid=15047 comm="nginx" path="/opt/run/xxx.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
Also tried it with httpd_var_run_t, which gives the same result.
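An added example (not part of the question above) in POSIX shell that pulls the source type, target type, object class and permission out of AVC lines like the two quoted in the question and states what each denial is checked against: a sock_file denial is about the label of the path (what fcontext/restorecon change), while a unix_stream_socket connectto denial is about the label of the process that created the socket, which relabelling the path does not alter. The sample lines are constructed from the ones in the question.

```shell
#!/bin/sh
# Added example, not from the original post: summarise SELinux AVC denials
# from audit.log lines so the two denials in the question can be told apart.
# The sample lines below are constructed from the ones quoted above.

# Extract one key=value field (e.g. scontext=...) from an AVC line.
avc_field() {            # $1 = key, $2 = line
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ ]*\).*/\1/p"
}

# Print "perm source_type target_type class" for one AVC line.
avc_summary() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    src=$(avc_field scontext "$1" | cut -d: -f3)
    tgt=$(avc_field tcontext "$1" | cut -d: -f3)
    cls=$(avc_field tclass "$1")
    printf '%s %s %s %s\n' "$perm" "$src" "$tgt" "$cls"
}

# Say what the denial is checked against, so the right knob is chosen:
# sock_file denials concern the path's file label (fcontext/restorecon);
# unix_stream_socket denials concern the label of the process that created
# the socket, which relabelling the path does not change.
avc_hint() {
    set -- $(avc_summary "$1")
    case "$4" in
        sock_file)          echo "file label of the socket path: $2 needs $1 on $3" ;;
        unix_stream_socket) echo "peer process label: $2 needs $1 to sockets owned by $3" ;;
        *)                  echo "other: $2 needs $1 on $3 ($4)" ;;
    esac
}

# Constructed sample lines (pids and timestamps are placeholders).
AVC1='type=AVC msg=audit(1.0:1): avc:  denied  { write } for  pid=1 comm="nginx" name="xxx.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0'
AVC2='type=AVC msg=audit(1.0:2): avc:  denied  { connectto } for  pid=2 comm="nginx" path="/opt/run/xxx.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0'

avc_hint "$AVC1"
avc_hint "$AVC2"
```

To run it over a real log, feed lines from `ausearch -m avc` through avc_hint instead of the constructed samples.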