
Apache proxy + UNIX socket + SELINUX: How is it done?

I'm trying to get gunicorn running behind an Apache proxy via a UNIX socket in the file system. Long story short, it works with SELinux in non-enforcing mode but not when enforcing. I'm trying to fix that. Here's my socket file as created by gunicorn:

srwxrwxrwx. dh dh system_u:object_r:httpd_sys_content_t:s0 /var/www/wsgi/dham_wsgi.sock

Here's what audit2why has to say about this after a failed access via Apache:

type=AVC msg=audit(1641287516.397:870181): avc:  denied  { connectto } for  pid=23897 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Let's follow that hint, read some man pages and the Internet, and get to work:

$ sudo cat /var/log/audit/audit.log | audit2allow -m httpd_socket -l > httpd_socket.te
$ cat httpd_socket.te

module httpd_socket 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;
$ checkmodule -M -m -o httpd_socket.mod httpd_socket.te
checkmodule:  loading policy configuration from httpd_socket.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 19) to httpd_socket.mod
$ semodule_package -o httpd_socket.pp -m httpd_socket.mod
$ sudo semodule -i httpd_socket.pp

But it doesn't work; everything is as before. Restarting Apache makes no difference. What now?

My initial audit2allow seems not to have caught all problems because I used the '-l' flag (last policy reload). Using a more aggressive approach like the one below got me a few more entries in the generated module. After installing that, it worked.

sudo grep dham_wsgi /var/log/audit/audit.log | audit2allow -M httpd_socket
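A small shell helper, added here as an example and not part of the question or answer above, that summarises AVC denial lines into the allow rules they imply. It shows why a module built from a subset of the log (such as with -l) can miss the unix_stream_socket connectto denial that the first module did not cover. The audit lines below are constructed from the denial quoted in the question plus an assumed sock_file write denial; avc_rules and SAMPLE_AUDIT are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample log (not a real capture): the connectto denial quoted in
# the question, an assumed sock_file write denial, and a non-AVC line to skip.
SAMPLE_AUDIT='type=AVC msg=audit(1641287516.397:870181): avc:  denied  { connectto } for  pid=23897 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1641287510.100:870170): avc:  denied  { write } for  pid=23897 comm="httpd" name="dham_wsgi.sock" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1641287516.397:870181): arch=c000003e syscall=42 success=no exit=-13'

# avc_rules [pattern]: read audit log lines on stdin, keep only AVC denials
# (optionally those matching a grep pattern such as the socket name, mirroring
# the answer's grep), and print one distinct TE allow rule per denial as
# "allow <source type> <target type>:<class> { <perms> };".
avc_rules() {
    pattern="${1:-.}"
    grep 'avc:  denied' | grep -- "$pattern" | awk '{
        perms = ""; inperm = 0; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # permissions are the tokens between "{" and "}"
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : " ") $i; continue }
            split($i, kv, "=")
            # the type is the third field of a user:role:type:level context
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   { c = kv[2] }
        }
        print "allow " s " " t ":" c " { " perms " };"
    }' | sort -u
}

# Stand-alone run: list every rule the sample log calls for, then only those
# mentioning the socket (the same filter the answer applies before audit2allow).
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules dham_wsgi
```

Against the real log, `sudo grep dham_wsgi /var/log/audit/audit.log | avc_rules` lists what a module needs before you feed the same lines to `audit2allow -M`; a rule shown here but absent from the generated .te is a denial the module will not fix.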
