I’m testing deploying Discourse on top of the CentOS-derived AlmaLinux 9 with SELinux enabled and external nginx configured.
Because the Ubuntu-based container doesn’t know about SELinux, it keeps replacing the unix domain socket with a new file that is not security labeled every time I start the container, and nginx isn’t allowed to talk to it until I `restorecon` the file to give it a security context that nginx is allowed to access. Obviously that doesn’t work as a production solution.
I don’t really want to `semanage permissive -a httpd_t` because I’d like to actually take advantage of SELinux on the one service that’s actually open to the outside world.
It works if I proxy to a network port instead of to a unix domain socket:
- `setsebool -P httpd_can_network_connect 1`
- do not use
- `expose: - "8008:80"`
- In the external nginx,
Are there any particular downsides to this? Ought I to change any parameters like connection limiting in this configuration?
I’ll write this up in more detail as documentation after more thorough testing, and if there are additional concerns I can include that in what I write up.
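For reference, an external nginx server block for the TCP-port variant described in the post, as an added example and not configuration from the post or from Discourse. It assumes the container port is published on loopback only (`127.0.0.1:8008`, placeholder values) and that `setsebool -P httpd_can_network_connect 1` has been applied on the host; the hostname is a placeholder.

```nginx
# Added example (not from the original post): host nginx proxying to the
# Discourse container over TCP instead of the unix domain socket, so the
# SELinux label on the socket file no longer matters.
#
# Assumptions: the container publishes its port as 127.0.0.1:8008 (placeholder)
# rather than 0.0.0.0:8008, so the unproxied backend is not reachable from
# outside the host. This matters because httpd_can_network_connect lets httpd_t
# connect to any TCP port, so exposure should be limited on the backend side.
upstream discourse_backend {
    server 127.0.0.1:8008;
    keepalive 16;
}

server {
    listen 80;
    server_name discourse.example.com;  # placeholder hostname

    location / {
        proxy_pass http://discourse_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Pass the original request details so Discourse sees the real client.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Upload size must cover the largest attachment Discourse is configured to accept.
        client_max_body_size 10m;
    }
}
```

`nginx -t` validates the file, and `getsebool httpd_can_network_connect` confirms the boolean is on before reloading.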