Nginx – SELinux: no audit errors but nginx permission errors

centos, munin, nginx, selinux, socket

I am trying to isolate a SELinux problem with nginx/munin. I see this error message in "/var/log/nginx/error.log":

[crit] 8802#0: *55 connect() to unix:/var/run/munin/fcgi-html.sock
failed (13: Permission denied) while connecting to upstream, client:
1.2.3.5, server: , request: "GET /munin/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/munin/fcgi-html.sock:", host: "1.2.3.4"

Then I tried audit2allow to fix the SELinux permissions:

# cat /var/log/audit/audit.log | audit2allow -M nginx-munin-socket
# semodule -i nginx-munin-socket.pp

The audit.log messages are gone, but the nginx socket errors are still there. When I use "setenforce 0", I have no nginx socket error messages, so I believe that my problem is definitely SELinux. But I don't know how to isolate the problem now!?

nginx-munin-socket.te

module nginx-munin-socket 1.0;

require {
        type httpd_t;
        type init_t;
        type munin_var_run_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t init_t:unix_stream_socket connectto;
allow httpd_t munin_var_run_t:sock_file write;

Best Answer

I found the solution -> I learned that I need to disable "dontaudit" to see all audit.log entries...

semodule --disable_dontaudit --build

So with that i was able to create a SELinux module that worked!
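The workflow from the answer above, written out as an added script (not from the original post): disable the dontaudit rules, reproduce the request, review the denials before turning them into allow rules, install the module, and rebuild so dontaudit is back in force. The AVC record used for the self-check is constructed to match the httpd_t / munin_var_run_t rule in the question; the helper names are my own.

```shell
#!/bin/sh
# Added example: surface denials hidden by dontaudit and build a module from them.
set -eu

# Turn raw AVC records into audit2allow-style rules so you can read what would be
# allowed before installing anything (multi-permission sets like { read write } too).
avc_summary() {
  awk '
  /type=AVC/ {
    perms = ""; src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "denied") {            # permissions follow as "{ write }"
        j = i + 2
        while ($j != "}") { perms = perms $j " "; j++ }
      }
      n = split($i, kv, "=")
      if (n == 2) {
        split(kv[2], ctx, ":")         # user:role:type:level -> keep the type
        if (kv[1] == "scontext") src = ctx[3]
        if (kv[1] == "tcontext") tgt = ctx[3]
        if (kv[1] == "tclass")   cls = kv[2]
      }
    }
    printf "allow %s %s:%s { %s};\n", src, tgt, cls, perms
  }' | sort -u
}

# Run as root on the affected host; MODULE is the name you want for the .te/.pp.
build_module_from_hidden_denials() {
  name=$1
  log=$(mktemp)
  semodule -DB                          # -D disable dontaudit rules, -B rebuild policy
  echo "Reproduce the failing request now (e.g. curl http://127.0.0.1/munin/), then press Enter"
  read -r _
  ausearch -m AVC -ts recent > "$log"   # AVC records from the last 10 minutes
  avc_summary < "$log"                  # review: only expected httpd_t -> munin rules?
  audit2allow -M "$name" < "$log"       # writes $name.te and $name.pp
  semodule -i "$name.pp"                # install the compiled module
  semodule -B                           # rebuild without -D: dontaudit active again
  rm -f "$log"
}

# Constructed sample record (not taken from the original post) for a dry run.
SAMPLE_AVC='type=AVC msg=audit(1391234567.123:456): avc:  denied  { write } for  pid=8802 comm="nginx" name="fcgi-html.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_var_run_t:s0 tclass=sock_file'
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Calling `build_module_from_hidden_denials nginx-munin-socket` replaces the two commands in the question; the final `semodule -B` matters, since leaving dontaudit disabled floods audit.log with noise that is normally suppressed on purpose.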
