
Apache proxy + UNIX socket + SELINUX: How is it done?

I'm trying to get gunicorn running behind an Apache proxy via a UNIX socket in the file system. Long story short, it works with SELinux in non-enforcing mode but not when enforcing. I'm trying to fix that. Here's my socket file as created by gunicorn:

srwxrwxrwx. dh dh system_u:object_r:httpd_sys_content_t:s0 /var/www/wsgi/dham_wsgi.sock

Here's what audit2why has to say about this after a failed access via Apache:

type=AVC msg=audit(1641287516.397:870181): avc:  denied  { connectto } for  pid=23897 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    
        Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

Let's follow that hint, read some man pages and the Internet, and get to work:

$ sudo cat /var/log/audit/audit.log | audit2allow -m httpd_socket -l > httpd_socket.te
$ cat httpd_socket.te

module httpd_socket 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;
$ checkmodule -M -m -o httpd_socket.mod httpd_socket.te
checkmodule:  loading policy configuration from httpd_socket.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 19) to httpd_socket.mod
$ semodule_package -o httpd_socket.pp -m httpd_socket.mod
$ sudo semodule -i httpd_socket.pp

But it doesn't work, everything is as before. Restarting Apache makes no difference. What now?

My initial audit2allow seems not to have caught all problems because I used the '-l' flag (last policy reload). Using a more aggressive approach like below got me a few more entries in the generated module. After installing that, it worked.

sudo grep dham_wsgi /var/log/audit/audit.log | audit2allow -M httpd_socket
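Why the first module was not enough is visible in the two kinds of denial involved: a `write` on the `sock_file` object (labelled httpd_sys_content_t) and a `connectto` on the `unix_stream_socket`, whose target type is the gunicorn process's domain (init_t in the denial quoted above). The POSIX shell helper below is an added example, not part of the original post or of audit2allow: it groups the AVC records mentioning a socket name into the distinct allow rules a TE module would need, so a run restricted by `-l` can be compared against the full log. The `write` record in the sample is constructed to match the page's socket; the `connectto` record is the one from the question.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): summarise the AVC denials
# that mention PATTERN into the distinct allow rules a TE module would need.
# Reads audit.log records on stdin.  usage: avc_rules PATTERN < /var/log/audit/audit.log
avc_rules() {
    grep 'avc: *denied' | grep -- "$1" | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                    # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "") ? $j : (perm " " $j)
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), a, ":"); src = a[3]   # source domain (httpd_t)
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), a, ":"); tgt = a[3]   # target type: file label or peer domain
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)                         # object class
            }
        }
        if (perm != "" && src != "" && tgt != "" && cls != "")
            printf "allow %s %s:%s %s;\n", src, tgt, cls,
                   (index(perm, " ") ? "{ " perm " }" : perm)
    }' | sort -u
}

# Constructed sample: the first record is the sock_file write denial that the
# -l run did catch; the second and third are connectto denials like the one
# quoted in the question (same path, two httpd worker pids).
SAMPLE_AVC='type=AVC msg=audit(1641287500.123:870170): avc:  denied  { write } for  pid=23897 comm="httpd" name="dham_wsgi.sock" dev="dm-0" ino=131347 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1641287516.397:870181): avc:  denied  { connectto } for  pid=23897 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1641287516.398:870182): avc:  denied  { connectto } for  pid=23898 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0'

# Two distinct rules come out: the sock_file write (what the first module had)
# and the unix_stream_socket connectto against the gunicorn domain (what it lacked).
printf '%s\n' "$SAMPLE_AVC" | avc_rules dham_wsgi
```

Grepping by the socket's basename matters because the `sock_file` denial carries `name=` while the `connectto` denial carries `path=`, so a pattern on the full path would miss the former. Review the resulting rules before installing a module: each line grants httpd_t a new permission permanently.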
