SELinux - Allow web server to access UNIX sockets

What’s the best way to allow web server to read/write a UNIX socket?

I moved the Cockpit listen address to a UNIX socket at /run/cockpit/listen.sock, and made Caddy reverse proxy to it.

Configs

[Socket]
ListenStream=
ListenStream=/run/cockpit/listen.sock

reverse_proxy /interface/* unix//run/cockpit/listen.sock

However, SELinux is denying with the message

type=AVC msg=audit(1701113759.520:410): avc:  denied  { write } for  pid=981 comm="caddy" name="listen.sock" dev="tmpfs" ino=1238 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1701113759.520:411): avc:  denied  { connectto } for  pid=981 comm="caddy" path="/run/cockpit/listen.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1

It seems that sockets created by programs will have the type <name>_var_run_t. Is there a way to allow access to them in general?
EDIT: Turns out there are 2 types of denial. The 2nd one’s type is even more general…

audit2allow gives allow httpd_t cockpit_var_run_t:sock_file write; which is not general.
This[1] suggests relabeling the context, but isn’t /run/ temporary… and I’m not sure relabeling is the right way.


It is best to file an issue against the package cockpit-ws providing the relevant SELinux module.
Refrain from relabeling so as not to break other policies; instead, use audit2allow to create a custom permissive policy until the issue is fixed.
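As an added example (not code from this thread, Cockpit, Caddy or audit2allow itself), the script below turns AVC denial lines into the same kind of minimal policy module source that `audit2allow -M` produces, so the resulting allow rules can be read before anything is loaded. The two sample lines are constructed from the denials quoted in the question; the module name `caddy_cockpit` and the `build_and_load` helper are assumptions for the demo.

```shell
#!/bin/sh
# Constructed sample input: the two denials from the question above.
SAMPLE_AVC='type=AVC msg=audit(1701113759.520:410): avc:  denied  { write } for  pid=981 comm="caddy" name="listen.sock" dev="tmpfs" ino=1238 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1701113759.520:411): avc:  denied  { connectto } for  pid=981 comm="caddy" path="/run/cockpit/listen.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1'

# avc_to_te MODULE_NAME   (AVC lines on stdin, .te policy source on stdout)
# Emits one allow rule per (source type, target type, class). Types, classes
# and permissions are de-duplicated, so replaying the same denials twice does
# not widen the module.
avc_to_te() {
    awk -v mod="$1" '
    function fmt(s) { return index(s, " ") ? "{ " s " }" : s }
    /avc: +denied/ {
        # permission list is the text between "{" and "}"
        perms = $0
        sub(/^.*\{ */, "", perms)
        sub(/ *\}.*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # third colon-separated component of a context is the type
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        if (!(src in tseen)) { tseen[src] = 1; torder[++tcnt] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1; torder[++tcnt] = tgt }
        if (!(cls in cseen)) { cseen[cls] = 1; corder[++ccnt] = cls }
        rule = src " " tgt ":" cls
        if (!(rule in rseen)) { rseen[rule] = 1; rorder[++rcnt] = rule }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((cls, p[j]) in cpseen)) {
                cpseen[cls, p[j]] = 1
                sep = (cperms[cls] == "") ? "" : " "
                cperms[cls] = cperms[cls] sep p[j]
            }
            if (!((rule, p[j]) in rpseen)) {
                rpseen[rule, p[j]] = 1
                sep = (rperms[rule] == "") ? "" : " "
                rperms[rule] = rperms[rule] sep p[j]
            }
        }
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= tcnt; i++) print "    type " torder[i] ";"
        for (i = 1; i <= ccnt; i++) print "    class " corder[i] " " fmt(cperms[corder[i]]) ";"
        print "}"
        print ""
        for (i = 1; i <= rcnt; i++) print "allow " rorder[i] " " fmt(rperms[rorder[i]]) ";"
    }'
}

# build_and_load NAME   (assumed helper; needs root, checkpolicy and
# policycoreutils; not invoked by the demo). Read NAME.te before running it.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Demo: print the module source for the two sample denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te caddy_cockpit
```

On a real host the input would come from `ausearch -m AVC -c caddy`, and the output would be written to `caddy_cockpit.te` and loaded with `build_and_load caddy_cockpit`. The two resulting rules (`write` on `cockpit_var_run_t:sock_file` and `connectto` on `cockpit_ws_t:unix_stream_socket`) are much narrower than marking the whole `httpd_t` domain permissive with `semanage permissive -a httpd_t`, which silences every denial for the proxy rather than just these two; after loading, `sesearch -A -s httpd_t -t cockpit_var_run_t -c sock_file` confirms the rule is present, and the module can be removed with `semodule -r caddy_cockpit` once the package ships its own policy.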