Refs #30803: Allow Apache to connect to Unix socket

theforeman · Oct 1, 2020 · 27caf1c · 27caf1c
1 parent e7b3179
commit 27caf1c
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/foreman-selinux-relabel b/foreman-selinux-relabel
@@ -5,6 +5,7 @@
   /var/lib/foreman \
   /var/run/foreman \
   /run/foreman \
+  /run/foreman.sock \
   /var/log/foreman \
   /etc/foreman \
   /etc/puppet/node.rb \

diff --git a/foreman.fc b/foreman.fc
@@ -30,6 +30,7 @@
 /var/log/foreman(/.*)?                              gen_context(system_u:object_r:foreman_log_t,s0)
 
 /var/run/foreman(/.*)?                              gen_context(system_u:object_r:foreman_var_run_t,s0)
+/run/foreman.sock                                   gen_context(system_u:object_r:foreman_var_run_t,s0)
 
 /usr/share/foreman/.ssh(/.*)?                       gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/share/foreman/extras/noVNC/websockify\.py      gen_context(system_u:object_r:websockify_exec_t,s0)

diff --git a/foreman.te b/foreman.te
@@ -241,6 +241,10 @@ allow foreman_rails_t self:udp_socket { all_udp_socket_perms };
 allow foreman_rails_t self:unix_dgram_socket { all_unix_dgram_socket_perms };
 corenet_tcp_bind_generic_node(foreman_rails_t)
 
+# Allow Apache access to the Unix socket
+allow foreman_rails_t httpd_var_run_t:dir search;
+allow httpd_t foreman_rails_t:unix_stream_socket { connectto getattr read write };
+
 # Listening for HTTP communication on port 3000
 corenet_tcp_bind_ntop_port(foreman_rails_t)
 corenet_tcp_connect_ntop_port(foreman_rails_t)