I have a Django application running on RHEL8 via Gunicorn and nginx. Everything works fine when testing with SELinux disabled. When I enable SELinux, there is a problem with saving a picture from the website form: I get Server Error (500).
Looking into the SELinux logs:
audit2why:
type=AVC msg=audit(1692276970.763:137): avc: denied { add_name } for pid=1022 comm="gunicorn" name="29fda977-925d-490a-bf01-1d57bca5b02d.jpeg" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Example context for the directory where the photo is saved:
drwxr-xr-x. 2 user nginx system_u:object_r:httpd_sys_rw_content_t:s0 104 Dec 1 2021 photo
More logs in /var/log/messages:
Aug 17 14:56:17 webserver setroubleshoot[2249]: SELinux is preventing gunicorn from add_name access on the directory 29fda977-925d-490a-bf01-1d57bca5b02d.jpeg. For complete SELinux messages run: sealert -l 09af96cb-e073-4d2f-bcb5-8756e98df308
Aug 17 14:56:17 webserver setroubleshoot[2249]: SELinux is preventing gunicorn from add_name access on the directory 29fda977-925d-490a-bf01-1d57bca5b02d.jpeg.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that gunicorn should be allowed add_name access on the 29fda977-925d-490a-bf01-1d57bca5b02d.jpeg directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn#012# semodule -X 300 -i my-gunicorn.pp#012
I tried the steps above, but still no luck. What is wrong here? How can I debug this?
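
To read the denial above field by field, the following added example (not part of the original post) parses the AVC record and renders the type-enforcement rule that audit2why reports as missing. The function names `parse_avc` and `te_rule` are hypothetical; the record is the one quoted in the post.

```python
import re

# AVC record copied verbatim from the post above.
AVC = ('type=AVC msg=audit(1692276970.763:137): avc: denied { add_name } '
       'for pid=1022 comm="gunicorn" '
       'name="29fda977-925d-490a-bf01-1d57bca5b02d.jpeg" '
       'scontext=system_u:system_r:init_t:s0 '
       'tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 '
       'tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CTX_KEYS = ('user', 'role', 'type', 'level')


def parse_avc(line):
    """Split one AVC audit record into its fields (hypothetical helper)."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the level may itself contain
        # ':' (for example s0:c0.c1023), so split at most three times.
        parts = fields[key].split(':', 3)
        parts += [''] * (4 - len(parts))
        fields[key] = dict(zip(CTX_KEYS, parts))
    return fields


def te_rule(fields):
    """Render the allow rule that corresponds to the denied access."""
    perms = fields['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(fields['scontext']['type'],
                                       fields['tcontext']['type'],
                                       fields['tclass'], perm)


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print('process  :', rec['comm'], 'in domain', rec['scontext']['type'])
    print('target   :', rec['tcontext']['type'], 'class', rec['tclass'])
    print('enforcing:', rec['permissive'] == '0')
    print('TE rule  :', te_rule(rec))
```

The parsed source type, `init_t`, is the domain the gunicorn process was running in when the denial was logged, and `permissive=0` confirms the access was actually blocked rather than only logged.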