Description of problem:

The other day, I was in #Fedora-SELinux solving this. A very nice guy there came out with the following solution:

# cat mythin.te; echo; echo; cat mythin.fc
policy_module(mythin, 1.0.0)

gen_require(`
	type thin_t, thin_var_run_t;
')

manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
apache_read_sys_content(thin_t)

gen_require(`
	type httpd_t;
')

stream_connect_pattern(httpd_t, thin_var_run_t, thin_var_run_t, thin_t)


/var/run/thin(/.*)?		gen_context(system_u:object_r:thin_var_run_t, s0)

I can confirm that this works; but I dunno if it's the best approach. Usually, you will have your sinatra apps self contained; with certain configs there and all.

SELinux is preventing /usr/sbin/nginx from 'write' accesses on the sock_file btcsrv.sock.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that nginx should be allowed write access on the btcsrv.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep nginx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                btcsrv.sock [ sock_file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nginx-1.2.9-1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.3-201.fc18.x86_64 #1 SMP Tue May 21 17:02:24 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-05-28 04:32:04 CDT
Last Seen                     2013-05-28 04:32:04 CDT
Local ID                      48a17b07-ebfb-43ca-a011-86b1fdc74ee1

Raw Audit Messages
type=AVC msg=audit(1369733524.220:499): avc: denied { write } for pid=21214 comm="nginx" name="btcsrv.sock" dev="tmpfs" ino=138342 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1369733524.220:499): arch=x86_64 syscall=connect success=no exit=EACCES a0=b a1=7f04ff67c7e0 a2=6e a3=7fff1e5ec5f2 items=0 ppid=21213 pid=21214 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 ses=4294967295 tty=(none) comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_run_t,sock_file,write

audit2allow

#============= httpd_t ==============
allow httpd_t var_run_t:sock_file write;

audit2allow -R

require {
	type var_run_t;
	type httpd_t;
	class sock_file write;
}

#============= httpd_t ==============
allow httpd_t var_run_t:sock_file write;

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.3-201.fc18.x86_64
type:           libreport
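Added here as a worked example, not part of the bug report or of the Fedora policy: a small POSIX shell helper that parses a raw AVC line like the one above and flags denials whose target carries a catch-all type such as var_run_t, which (as the .fc entry in the description shows) points at a labelling gap rather than a missing rule. The sample line is constructed from the report's values; the list of generic types is an assumption.

```shell
# Constructed from the AVC message in the report (single line, values unchanged).
SAMPLE_AVC='type=AVC msg=audit(1369733524.220:499): avc: denied { write } for pid=21214 comm="nginx" name="btcsrv.sock" dev="tmpfs" ino=138342 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'

# avc_field LINE KEY -> value of KEY=... on the line, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# context_type CONTEXT -> the type field (user:role:TYPE:level) of an SELinux context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type target_type class permission"
# (only the first permission inside the braces is reported)
avc_summary() {
    _perm=$(printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p')
    printf '%s %s %s %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$_perm"
}

# classify_avc LINE -> "mislabel" when the target type is one of the generic
# catch-all types (assumed list), i.e. the object never received the daemon's
# own type and an allow rule on it would be far broader than intended;
# "policy" when the target already carries a specific type and a rule is
# genuinely missing.
classify_avc() {
    case "$(context_type "$(avc_field "$1" tcontext)")" in
        var_run_t|var_t|var_lib_t|etc_t|tmp_t|usr_t|default_t|unlabeled_t) echo mislabel ;;
        *) echo policy ;;
    esac
}

# Example run:
#   avc_summary "$SAMPLE_AVC"   -> httpd_t var_run_t sock_file write
#   classify_avc "$SAMPLE_AVC"  -> mislabel
```

For the denial in the report this prints mislabel: the socket under /run/thin carries the catch-all var_run_t, so the fix is the file context for thin_var_run_t plus a stream_connect rule on that type, whereas the audit2allow line above would let httpd_t write to every var_run_t socket on the system.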
What does
# ps -efZ |grep thin
show?
# ps -efZ |grep thin
system_u:system_r:thin_t:s0     renich     919     1 25 08:23 ?        00:00:01 /usr/bin/ruby /usr/local/bin/thin -C /etc/thin/junkets.evalinux.com.yml start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1051 952 0 08:23 pts/0 00:00:00 grep --color=auto thin
I can send you the app if you like. The way to reproduce is:

- create a /etc/tmpfs.d/thin.conf file so /run/thin gets created (systemd-tmpfs.d --create or something)
- put a socket (in my case, from thin) in /run/thin
- configure nginx to read/write it

If you need help, let me know.
I added fixes.
selinux-policy-3.11.1-98.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-98.fc18
Package selinux-policy-3.11.1-98.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-98.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11859/selinux-policy-3.11.1-98.fc18
then log in and leave karma (feedback).
Well, since it's 3.12.1-63 already, I can't install. Should I force the install?
3.12.1-63 is for Fedora 19. This bug is about Fedora 18.
selinux-policy-3.11.1-98.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.