I have a Discourse instance proxied behind Apache and communicating over a socket, as described here.
I have SELinux enabled, so in order to give httpd permission to use the socket, I’ve given the socket a context where httpd has read-write permission, as advised:
semanage fcontext -a -t httpd_sys_rw_content_t /var/discourse/shared/standalone/nginx.http.sock
restorecon /var/discourse/shared/standalone/nginx.http.sock
This works. It’s great!
(Aside: Would a more appropriate context be httpd_var_run_t, as the socket itself isn’t content and this is the context used by httpd for other runtime infrastructure?)
However, whenever the Discourse container is restarted the socket file is recreated with its original context, not the new one—hence I have to restorecon it before Apache can talk to Discourse. It’s easy to forget to do this and end up with an inaccessible forum. It occurred to me that I could use a cron script to run restorecon periodically so I don’t have to remember to do it manually, but that’s an ugly hack.
How can I ensure that the socket file gets the correct context on creation (or at least has its context reset as part of the creation process)?
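Added here as an illustration, not part of the original post: a small check that compares the socket's current SELinux label with the one recorded in the fcontext database and resets it only when the type has drifted, so a restart that silently recreated the socket with its default label is reported rather than discovered through an unreachable forum. It assumes the policycoreutils tools `matchpathcon` and `restorecon` and GNU `stat -c %C`; the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Discourse
# socket carries the SELinux type recorded for it by `semanage fcontext`,
# and relabel it only when the type has drifted (e.g. after a container
# restart recreated the socket with its default label).
# Assumes GNU coreutils `stat -c %C` and the policycoreutils tools
# `matchpathcon` and `restorecon`.
set -eu

# Extract the type field from a full context such as
# "system_u:object_r:httpd_sys_rw_content_t:s0" (the level is optional).
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (return 0) when the actual label's type differs from the
# expected one; only the type is compared, since that is what the
# httpd policy rules key on.
needs_relabel() {
    actual_type=$(label_type "$1")
    expected_type=$(label_type "$2")
    [ "$actual_type" != "$expected_type" ]
}

# Check one path and run restorecon only on mismatch.
# Exit status: 0 = label correct, 1 = label was wrong and has been reset,
# 2 = path missing or a tool failed.
check_socket_label() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    actual=$(stat -c %C "$path") || return 2
    expected=$(matchpathcon -n "$path") || return 2
    if needs_relabel "$actual" "$expected"; then
        echo "relabel: $path is $actual, policy says $expected"
        restorecon -v "$path"
        return 1
    fi
    echo "ok: $path is $actual"
    return 0
}

# Run as a check when given a path, e.g. from a systemd timer:
#   ./check-sock-label.sh /var/discourse/shared/standalone/nginx.http.sock
if [ "$#" -gt 0 ]; then
    check_socket_label "$1"
fi
```

The non-zero exit on drift makes the condition visible to whatever runs the script, which is the part a periodic blind restorecon hides.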