SELinux blocking nginx

I’m exploring SELinux with ood 2.0.18, and getting the following grumps related to nginx:

ausearch --raw -c nginx
type=AVC msg=audit(1634825504.835:217): avc:  denied  { create } for  pid=2162 comm="nginx" name="passenger.sock" scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1634825504.835:217): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=1206398 a2=6e a3=7ffccc079030 items=0 ppid=2142 pid=2162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/opt/ood/ondemand/root/usr/sbin/nginx" subj=system_u:system_r:ood_pun_t:s0 key=(null)
type=PROCTITLE msg=audit(1634825504.835:217): proctitle=2872696329002D63002F7661722F6C69622F6F6E64656D616E642D6E67696E782F636F6E6669672F70756E732F7269632E636F6E66
type=AVC msg=audit(1634825504.835:218): avc:  denied  { setattr } for  pid=2162 comm="nginx" name="passenger.sock" dev="tmpfs" ino=23549 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1634825504.835:218): arch=c000003e syscall=90 success=yes exit=0 a0=120640b a1=1b6 a2=6e a3=7ffccc079030 items=0 ppid=2142 pid=2162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/opt/ood/ondemand/root/usr/sbin/nginx" subj=system_u:system_r:ood_pun_t:s0 key=(null)
type=PROCTITLE msg=audit(1634825504.835:218): proctitle=2872696329002D63002F7661722F6C69622F6F6E64656D616E642D6E67696E782F636F6E6669672F70756E732F7269632E636F6E66
type=AVC msg=audit(1634825504.905:219): avc:  denied  { create } for  pid=2181 comm="nginx" name="passenger.pid" scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634825504.905:219): avc:  denied  { read write open } for  pid=2181 comm="nginx" path="/run/ondemand-nginx/ric/passenger.pid" dev="tmpfs" ino=23635 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1634825504.905:219): arch=c000003e syscall=2 success=yes exit=9 a0=11c3185 a1=242 a2=1a4 a3=7ffccc079280 items=0 ppid=1 pid=2181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/opt/ood/ondemand/root/usr/sbin/nginx" subj=system_u:system_r:ood_pun_t:s0 key=(null)
type=PROCTITLE msg=audit(1634825504.905:219): proctitle=2872696329002D63002F7661722F6C69622F6F6E64656D616E642D6E67696E782F636F6E6669672F70756E732F7269632E636F6E66

I confirmed /opt/ood/… is correct according to restorecon. I suspect something with /run being tmpfs and this being recreated at boot w/o the input of selinux policy for /var/run/ondemand-nginx is the root of this problem, but that’s just a guess.

Any suggestions?

Thanks,
Ric
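Added example, not code from the thread or from the OnDemand project: a small Python parser for the AVC records quoted above. It groups the denials by source domain, target type and object class, unions the requested permissions, and records whether any hit was in enforcing mode (the records above all carry permissive=1, so each access was logged but still allowed, which is why the matching SYSCALL records say success=yes). The sample records are copied from the post above, with the SYSCALL line shortened.

```python
import re
from collections import defaultdict

# Audit records copied from the post above (SYSCALL line shortened to its prefix)
SAMPLE_AUDIT = """\
type=AVC msg=audit(1634825504.835:217): avc:  denied  { create } for  pid=2162 comm="nginx" name="passenger.sock" scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1634825504.835:217): arch=c000003e syscall=49 success=yes exit=0
type=AVC msg=audit(1634825504.835:218): avc:  denied  { setattr } for  pid=2162 comm="nginx" name="passenger.sock" dev="tmpfs" ino=23549 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1634825504.905:219): avc:  denied  { create } for  pid=2181 comm="nginx" name="passenger.pid" scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634825504.905:219): avc:  denied  { read write open } for  pid=2181 comm="nginx" path="/run/ondemand-nginx/ric/passenger.pid" dev="tmpfs" ino=23635 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per AVC 'denied' record: the permission set plus its key=value fields."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL/PROCTITLE records carry no access decision, skip them
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        rec['perms'] = set(m.group('perms').split())
        yield rec

def summarize(text):
    """Group denials by (source domain, target type, object class); union perms and objects."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set(), 'enforced': False})
    for rec in parse_avc(text):
        sdomain = rec['scontext'].split(':')[2]   # e.g. ood_pun_t
        ttype = rec['tcontext'].split(':')[2]     # e.g. var_run_t (generic /run label)
        g = groups[(sdomain, ttype, rec['tclass'])]
        g['perms'] |= rec['perms']
        g['objects'].add(rec.get('path') or rec.get('name'))
        if rec.get('permissive', '0') == '0':     # permissive=1 means logged but allowed
            g['enforced'] = True
    return dict(groups)

if __name__ == '__main__':
    for (sdomain, ttype, tclass), g in summarize(SAMPLE_AUDIT).items():
        mode = 'ENFORCED' if g['enforced'] else 'permissive (logged only)'
        print(f"{sdomain} -> {ttype}:{tclass} {sorted(g['perms'])} on {sorted(g['objects'])} [{mode}]")
```

A target type of var_run_t on objects under /run/ondemand-nginx is the symptom the post describes: the directory was recreated on tmpfs without the policy's specific label, so every domain-specific access shows up as a denial against the generic type.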

@tdockendorf please advise.

The /run/ondemand-nginx patch I submitted (subject Suggested fix for selinux problems with /run/ondemand-nginx) seems to have resolved all of the nginx SEL problems I was having. I should have tagged that onto this topic.

Ric

That patch you submitted got merged for a future OnDemand 2.0 release: Add tmpfiles.d file for ondemand-nginx (Release 2.0) by treydock · Pull Request #1501 · OSC/ondemand · GitHub.