How to allow nginx to connect to a systemd created socket file

I'm creating a systemd socket listener with:

/etc/systemd/system/gunicorn@.socket:

    [Unit]
    Description=gunicorn socket for %i

    [Socket]
    EnvironmentFile=/etc/gunicorn.d/%i.conf
    ListenStream=/run/gunicorn/%i.sock
    # Our service won't need permissions for the socket, since it
    # inherits the file descriptor by socket activation;
    # only the nginx daemon will need access to the socket.
    SocketUser=nginx
    # Optionally restrict the socket permissions even more.
    SocketMode=600

    [Install]
    WantedBy=sockets.target

However, nginx is denied permission to connect to it with:

type=AVC msg=audit(1716583630.833:4674): avc: denied { connectto } for pid=37395 comm="nginx" path="/run/gunicorn/forms-dev.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0

Should this be allowed by default? Is there some way to make the listener a different context other than initrc_t?
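The denial quoted in the question can be read off mechanically. The following script is an added example, not part of the original post or of any answer to it: it parses the AVC record above (the one line taken from the question; the helper names and the script itself are assumptions) and prints the type-enforcement rule that `audit2allow` would generate from it, so the scope of what a local policy module would grant is visible before anything is installed.

```shell
#!/bin/sh
# Added example (not from the original post): translate an SELinux AVC
# record into the allow rule that audit2allow(1) would emit for it.
# AVC is the record quoted in the question; the function names are assumed.

AVC='type=AVC msg=audit(1716583630.833:4674): avc: denied { connectto } for pid=37395 comm="nginx" path="/run/gunicorn/forms-dev.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0'

# Print the value of one key=value field of an AVC record.
# $1 = record, $2 = key (scontext, tcontext, tclass, comm, ...)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the permissions listed between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Reduce a full context user:role:type:level to its type component,
# which is the only part a type-enforcement rule refers to.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Build the allow rule for one AVC record:
#   allow <source type> <target type>:<class> { <permissions> };
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_allow "$AVC"
```

On a live system the same result comes from `ausearch -m AVC -c nginx | audit2allow -M nginx_gunicorn`, followed by `semodule -i nginx_gunicorn.pp`. Read the rule before installing it: the target type is `initrc_t`, the generic domain the socket ended up in, so the rule lets `httpd_t` connect to every `initrc_t` Unix stream socket on the host, not just `/run/gunicorn/*.sock`. That is the widening the question is trying to avoid by asking whether the listener can be given a context of its own.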