Allow nginx to connect to a Unix domain socket under the CentOS targeted SELinux policy

I need to allow nginx to connect to a Unix domain socket under the CentOS targeted SELinux policy.
I came up with the following module:
module httpd_unix 0.0.0;
require {
attribute file_type;
class unix_stream_socket connectto;
class sock_file write;
type httpd_t;
}
type httpd_unix_t;
typeattribute httpd_unix_t file_type;
allow httpd_t httpd_unix_t: unix_stream_socket connectto;
allow httpd_t httpd_unix_t: sock_file write;
But the audit log says:
type=AVC msg=audit(1491380970.041:396): avc: denied { connectto } for pid=985 comm="nginx" path="/run/tsubonesystem3/tsubonesystem3.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
The context on the socket file is set, of course:
$ sudo ls -Z /var/run/tsubonesystem3/tsubonesystem3.sock
srw-rw----. tsubonesystem tsubonesystem system_u:object_r:httpd_unix_t:s0 /var/run/tsubonesystem3/tsubonesystem3.sock
How can I solve this?
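The denial line itself explains why the module above does not help: for a unix_stream_socket connectto check, the target context is the domain of the process that owns the listening socket (here system_u:system_r:init_t:s0, a process context with role system_r), not the label of the socket file (httpd_unix_t, role object_r). The sock_file write rule in the module is therefore correct, but the connectto rule targets a type that never appears in this check. The following script, an added example that is not part of the question, parses an AVC denial the way audit2allow does, tells a process target apart from an object target by its role, and emits the allow rule that the denial actually asks for. The denial line is the one quoted in the question, embedded here as test input; the module name httpd_unix_connect is an assumption.

```python
import re

# Constructed sample input: the AVC denial quoted in the question.
AVC_LINE = (
    'type=AVC msg=audit(1491380970.041:396): avc: denied { connectto } for pid=985 '
    'comm="nginx" path="/run/tsubonesystem3/tsubonesystem3.sock" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket'
)

# "avc: denied { perm1 perm2 }" -> the permissions that were refused
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}')
# key=value pairs; values are either double-quoted (comm, path) or bare tokens
_FIELD_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial line into its security-relevant fields."""
    m = _DENIED_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return {
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],   # subject (the process that was denied)
        "tcontext": fields["tcontext"],   # target (process or object) that was accessed
        "tclass": fields["tclass"],       # object class the check was made on
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }


def context_type(ctx):
    """user:role:type[:level] -> type component."""
    return ctx.split(":")[2]


def target_is_process(avc):
    """Objects (files, sockets on disk) carry role object_r; processes carry a
    real role such as system_r. For connectto the target is the peer process,
    so labelling the socket file cannot satisfy this check."""
    return avc["tcontext"].split(":")[1] != "object_r"


def allow_rule(avc):
    """The allow rule audit2allow would derive from this denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(avc["scontext"]),
        context_type(avc["tcontext"]),
        avc["tclass"],
        " ".join(avc["perms"]),
    )


def module_te(name, avc):
    """A complete .te source for the derived rule (assumed module name)."""
    src, dst = context_type(avc["scontext"]), context_type(avc["tcontext"])
    perms = " ".join(avc["perms"])
    return "\n".join([
        "module %s 1.0;" % name,
        "require {",
        "    type %s;" % src,
        "    type %s;" % dst,
        "    class %s { %s };" % (avc["tclass"], perms),
        "}",
        "allow %s %s:%s { %s };" % (src, dst, avc["tclass"], perms),
    ])


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print("target is a process domain:", target_is_process(avc))
    print(module_te("httpd_unix_connect", avc))
```

Running the script prints a module whose single rule is `allow httpd_t init_t:unix_stream_socket { connectto };`. That is the minimal change, but init_t is a broad target: it is the domain of services started without a domain transition, so the rule lets httpd_t connect to every such service's sockets. The tighter fix is to give the socket-owning daemon its own domain (a type with a domain transition from init_t) and allow connectto to that type only, keeping the existing sock_file write rule on httpd_unix_t for the file itself.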