SELinux blocks files served by caddy file_server

1. Caddy version (caddy version):

2.3.0

2. How I run Caddy:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]

User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

a. System environment:

CentOS 8

b. Command:

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

staticpages.middleaware.dk {

        root * /srv/pages/domain/static
        file_server

}

3. The problem I’m having:

When running caddy from systemd with SELinux enforcing, file_server cannot serve files. audit2allow can generate a policy, but is this the correct "fix", to add a policy? I would expect caddy to be able to serve files while enforcing SELinux, with default policies.

4. Error messages and/or full log output:

type=AVC msg=audit(1618680460.281:57): avc:  denied  { getattr } for  pid=1181 comm="caddy" path="/srv/pages/domain/static/favicon.png" dev="vda1" ino=310390180 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

5. What I already tried:

Running audit2allow, it generates following policy:

module caddylocal 1.0;

require {
        type var_t;
        type httpd_t;
        type sysctl_net_t;
        class file { getattr read };
}

6. Links to relevant resources:

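The AVC in the post says the caddy process, running in the httpd_t domain, was denied getattr on a file labelled var_t, which is the default label for everything under /srv. That is a labelling problem, not a gap in the stock policy: httpd_t is already allowed to read files labelled httpd_sys_content_t, so the expected fix with default policies is to label the web root with semanage fcontext and restorecon rather than loading the audit2allow module (which would widen httpd_t to all of var_t). The script below is an added example, not part of the original post and not Caddy's own code. It assumes Caddy runs as httpd_t (as the AVC shows), that the web root is /srv/pages, and that semanage and restorecon (package policycoreutils-python-utils on CentOS 8) are installed when the --fix path is used. The parsing helpers only operate on the AVC text, so they run on any machine; the sample AVC line is a copy of the one from the post.

```sh
#!/bin/sh
# Added example: classify an SELinux AVC denial from the audit log and,
# on request, apply the label-based fix for a Caddy web root.
# Assumptions (not from the original post): web root is /srv/pages,
# Caddy runs as httpd_t, semanage/restorecon are available for --fix.

# Source domain of the denied process, e.g. httpd_t.
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Type of the object that was accessed, e.g. var_t.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Decide what kind of fix the denial calls for:
#   relabel     - file carries a generic label httpd_t is not meant to read;
#                 fix the label, do not touch the policy
#   policy      - file already has the web-content label, so the denial
#                 is about something else (a boolean, a second class, ...)
#   investigate - not a web-server denial we know how to classify
avc_remedy() {
    src=$(avc_source_type "$1")
    tgt=$(avc_target_type "$1")
    case "$src:$tgt" in
        httpd_t:var_t|httpd_t:default_t|httpd_t:user_home_t|httpd_t:unlabeled_t)
            echo relabel ;;
        httpd_t:httpd_sys_content_t)
            echo policy ;;
        *)
            echo investigate ;;
    esac
}

# Persistently label a web root as httpd_sys_content_t and apply it.
# The regex form "(/.*)?" covers the directory and everything below it.
# Use "semanage fcontext -m" instead of "-a" if a rule for the path exists.
relabel_webroot() {
    root="$1"
    semanage fcontext -a -t httpd_sys_content_t "${root}(/.*)?"
    restorecon -Rv "$root"
}

# Constructed copy of the AVC line from the post, used as sample input.
SAMPLE_AVC='type=AVC msg=audit(1618680460.281:57): avc:  denied  { getattr } for  pid=1181 comm="caddy" path="/srv/pages/domain/static/favicon.png" dev="vda1" ino=310390180 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--fix" ]; then
    relabel_webroot /srv/pages
else
    echo "source=$(avc_source_type "$SAMPLE_AVC") target=$(avc_target_type "$SAMPLE_AVC") remedy=$(avc_remedy "$SAMPLE_AVC")"
fi
```

Run it without arguments to see the classification of the posted denial (remedy=relabel); run it with --fix as root on the server to apply the labels. Before and after, `ls -Z /srv/pages/domain/static/favicon.png` shows the file's current label and `matchpathcon /srv/pages/domain/static/favicon.png` shows what the loaded file-context rules say it should be; once both read httpd_sys_content_t, no custom module is needed. The audit2allow module from the post would also make the denial go away, but only by letting httpd_t read every var_t file on the system, which is the opposite of what confinement is for.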