
I have a Gunicorn socket file: `/opt/rtd/gunicorn/run.sock`. I need nginx to be able to open this socket and write to it.

When I ran `sesearch --allow -s httpd_t | grep unix_stream_socket`, I noticed that `httpd_t` is allowed to connect to sockets of type `httpd_t`. But when I try to apply that I get:

```
# semanage fcontext -a -t httpd_t "/opt/rtd/gunicorn/run.sock"
ValueError: Type httpd_t is invalid, must be a file or device type
```

I've tried other types I found from `sesearch`, for example `httpd_sys_script_t` or even `passenger_t`. Same result.

What should I set the type to?

I would prefer not to have to create additional policies to allow more than necessary. There must be a way to allow httpd_t to read from a file socket with existing policies in CentOS 7.2, right?

Christoffer Reijer
  • What is the output of `file /opt/rtd/gunicorn/run.sock`? – user9517 Aug 09 '16 at 11:39
  • Have exactly this problem trying to allow nginx access to proxy to a server listening on a unix socket. `file` reports the type as `socket`. I wonder if fcontext doesn't apply to UNIX sockets? – TrentP Jun 06 '21 at 23:53

0 Answers