1

When setting up nginx with a socket on my newer environment that runs SELinux I am getting the following error:

AVC avc:  denied  { write } for  pid=23704 comm="nginx" name="xxx.sock" dev="nvme0n1p1" ino=17219797 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0

I googled and searched and found multiple things that should solve this; mainly, the following should solve it if I understand correctly:

semanage fcontext -a -t httpd_sys_rw_content_t /opt/run/xxx.sock
restorecon -v /opt/run/xxx.sock

But this still doesn't work and I get the same error. I can't find any further solutions, and I tried audit2allow, which shows the following:

allow httpd_t httpd_sys_content_t:sock_file write;

But when trying to create a module the whole system kind of freezes (and as I need to do this on every deploy this is not an option, as it is just too big a rocket to shoot at this problem :D )

EDIT: When turning off SELinux (setenforce 0) it works, so this is an SELinux issue.

Using nginx version: 1.24.0 on Amazon Linux 2023 running it from a systemd service using a socket file (which has the issue).

Debugging further, I see that I get two different errors depending on what I set. If I set semanage fcontext -m -t httpd_sys_rw_content_t /opt/run/xxx.sock I get a { connectto } error in audit.log (same if I do it with the regex (/.*)? after /run):

type=AVC msg=audit(1700228218.821:1725): avc:  denied  { connectto } for  pid=15047 comm="nginx" path="/opt/run/xxx.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0

Also tried it with httpd_var_run_t; it gives the same result.

2
  • Is this using the repo version of nginx? What distro?
    – symcbean
    Nov 17 at 9:05
  • I'll edit my question to reflect answers to your question
    – Wealot
    Nov 17 at 10:00
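The two denials quoted in the question are different kinds of problem, and a file relabel only addresses the first. In the `sock_file write` denial the target context is the label of the .sock file, so `semanage fcontext` + `restorecon` is the right tool. In the `unix_stream_socket connectto` denial the target context is the domain of the process that is listening on the socket (`initrc_t`, the generic domain systemd gives a service that has no dedicated policy), and no label on the .sock file changes that. The triage script below is an added example, not part of the question or any answer; it runs over constructed sample lines modelled on the ones above (the third, a TCP `name_connect` denial, is invented to show the case the last answer ends up in) and sorts each denial by the class of the object it names.

```shell
#!/bin/sh
# avc_triage.sh: sort SELinux AVC denials hitting an httpd_t (nginx) process
# into the ones a file relabel can fix and the ones it cannot.
# Constructed sample lines modelled on the denials quoted in the question;
# they are not taken from a real audit.log.
SAMPLE_AVC='type=AVC msg=audit(1700228218.821:1725): avc:  denied  { write } for  pid=23704 comm="nginx" name="xxx.sock" dev="nvme0n1p1" ino=17219797 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700228218.821:1726): avc:  denied  { connectto } for  pid=15047 comm="nginx" path="/opt/run/xxx.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700228218.821:1727): avc:  denied  { name_connect } for  pid=15047 comm="nginx" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket permissive=0'

# Print line N of the sample (1-based).
sample_line() { printf '%s\n' "$SAMPLE_AVC" | sed -n "${1}p"; }

# Value of the key=value field $1 in AVC line $2, with quotes stripped.
avc_field() { printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"'; }

# Permission(s) between the braces, e.g. "write" or "read write".
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_ ]*\) }.*/\1/p'; }

# Type component (third field) of the target context.
avc_ttype() { avc_field tcontext "$1" | cut -d: -f3; }

# Classify a denial by the object class it names.
avc_kind() {
  case "$(avc_field tclass "$1")" in
    sock_file|file|dir|lnk_file) echo file-label ;;   # object is a file: relabel it
    unix_stream_socket)          echo peer-domain ;;  # object is another process's socket
    tcp_socket|udp_socket)       echo network ;;      # object is a port type
    *)                           echo other ;;
  esac
}

# One-line verdict saying what a file relabel can or cannot do about it.
classify_avc() {
  line=$1
  kind=$(avc_kind "$line")
  perm=$(avc_perm "$line")
  ttype=$(avc_ttype "$line")
  case "$kind" in
    file-label)  echo "$kind: $perm on $(avc_field tclass "$line") labelled $ttype: semanage fcontext + restorecon" ;;
    peer-domain) echo "$kind: $perm to a socket owned by a $ttype process: relabeling the .sock file cannot fix this; allow it in a policy module or run the peer in a domain httpd_t may connect to" ;;
    network)     echo "$kind: $perm to $ttype: a boolean such as httpd_can_network_connect, or semanage port" ;;
    *)           echo "$kind: $perm on $(avc_field tclass "$line") ($ttype)" ;;
  esac
}

# Run over the sample. On a real host feed it: grep '^type=AVC' /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r l; do classify_avc "$l"; done
```

The point of the split is the `tcontext` field: when its class is `sock_file` the type is a file label you control with `semanage fcontext`; when the class is `unix_stream_socket` the type is the peer process's domain, which is set by how that service is launched, not by anything on the filesystem.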

4 Answers

2

To create the /opt/run/xxx.sock file, run the following commands in order.

semanage fcontext -a -t var_run_t -s system_u '/opt(/.*)?'
restorecon -vF /opt
cd /var
ln -s ../opt opt
semanage fcontext -a -t var_run_t -s system_u /var/opt

Then restart the nginx service. This should resolve your issue.

1

Try running the following command.

chcon -t httpd_var_run_t xxx.sock

If that doesn't work, share the output of ls -Z xxx.sock with us.

9
  • chcon has no output; ls -Z of xxx.sock: system_u:object_r:httpd_var_run_t:s0
    – Wealot
    Nov 17 at 11:59
  • Wait, ls -Z is of course now different than before; it used to be httpd_sys_rw_content_t before I did chcon (chcon is I guess a quick way to do semanage -a?). Also it still doesn't work, with the error message: type=AVC msg=audit(1700222480.089:6206): avc: denied { connectto } for pid=98135 comm="nginx" path="/var/sockets/xxx.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0 (I changed the location of the sock file)
    – Wealot
    Nov 17 at 12:01
  • Audit2allow now shows the following: #============= httpd_t ============== allow httpd_t initrc_t:unix_stream_socket connectto;
    – Wealot
    Nov 17 at 12:03
  • Check out this; it will resolve your problem: unix.stackexchange.com/questions/349852/…. Nov 17 at 12:59
  • No so when I do that I am getting the { connectto } errors (I edited my question to show that more clearly)
    – Wealot
    Nov 17 at 13:37
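The `allow httpd_t initrc_t:unix_stream_socket connectto;` rule that audit2allow printed in the comments above is the whole fix for the `{ connectto }` denial, and it only needs to be installed once: `semodule` stores the module in the policy store, where it survives reboots and redeploys, so there is no need to rebuild it on every deploy. The script below is an added example, not code from the question or the answers; it writes that single rule as a type-enforcement source, compiles and loads it when run as root on a host with the SELinux tooling, and otherwise only writes the source. The module name `nginx_connect_initrc` and the work directory are assumptions chosen for the example.

```shell
#!/bin/sh
# Package the rule audit2allow derived for the connectto denial as a named
# SELinux policy module and install it once.
# Module name and work directory are assumptions for this example.
set -eu

MODULE=nginx_connect_initrc
WORK=${TMPDIR:-/tmp}/$MODULE

# Write the type-enforcement source and print its path.
write_te() {
  mkdir -p "$WORK"
  cat > "$WORK/$MODULE.te" <<EOF
module $MODULE 1.0;

require {
    type httpd_t;
    type initrc_t;
    class unix_stream_socket connectto;
}

# Let nginx (httpd_t) connect to unix stream sockets owned by initrc_t processes.
allow httpd_t initrc_t:unix_stream_socket connectto;
EOF
  printf '%s\n' "$WORK/$MODULE.te"
}

# Compile (checkmodule), package (semodule_package) and load (semodule) the module.
install_module() {
  te=$(write_te)
  checkmodule -M -m -o "$WORK/$MODULE.mod" "$te"
  semodule_package -o "$WORK/$MODULE.pp" -m "$WORK/$MODULE.mod"
  semodule -i "$WORK/$MODULE.pp"
}

# True when the module is already in the policy store, so a deploy can skip the install.
module_loaded() { semodule -l 2>/dev/null | awk '{print $1}' | grep -qx "$MODULE"; }

if command -v semodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  if module_loaded; then
    echo "$MODULE already installed"
  else
    install_module
  fi
else
  echo "no SELinux tooling or not root: wrote $(write_te) only"
fi
```

Two caveats on scope. `initrc_t` is the domain of every service started by systemd that has no policy of its own, so this rule lets nginx connect to any such service's unix stream socket on the host, not just this one; the tighter fix is to run the upstream in a confined domain that httpd_t is already allowed to reach. The `httpd_can_network_connect` boolean used in the accepted workaround below is broader still in the other direction, since it lets httpd_t connect to any TCP port.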
0

Check File Permissions:

Confirm that the file permissions on the socket file allow the Nginx process to write to it.

chmod +w xxx.sock
1
  • Thanks for the response, but this doesn't have anything to do with file permissions but with SELinux. I'll edit my question to make that more clear
    – Wealot
    Nov 17 at 9:59
0

Thanks to all the answers and the help! Eventually I did not get it to work with the current sockets setup, but I got it to work thanks to another post:

https://stackoverflow.com/questions/44857223/how-do-i-run-flasknginxuwsgi-with-selinux-in-enforcing-mode

The answer in that post shows setting it up not with sockets but with HTTP, and that works nicely. I just had to set:

setsebool -P httpd_can_network_connect 1

