@173210
Created April 5, 2017 06:32
Fighting with SELinux
$ sudo less /var/log/audit/audit.log
type=AVC msg=audit(1491373484.821:743): avc: denied { connectto } for pid=1643 comm="nginx" path="/run/tsubonesystem3/tsubonesystem3.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1491373484.821:743): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fd3e984f760 a2=6e a3=7ffe30bc59d0 items=0 ppid=1642 pid=1643 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
$ sudo ls -Za /run/tsubonesystem3
drwxr-xr-x. tsubonesystem tsubonesystem system_u:object_r:httpd_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
srw-rw----. tsubonesystem tsubonesystem system_u:object_r:httpd_var_run_t:s0 tsubonesystem3.sock
$ ps -ZC nginx
LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 1642 ? 00:00:00 nginx
system_u:system_r:httpd_t:s0 1643 ? 00:00:00 nginx
$ sesearch --allow -s httpd_t -t httpd_var_run_t
Found 9 semantic av rules:
allow nsswitch_domain pidfile : dir { getattr search open } ;
allow domain pidfile : sock_file { write getattr append open } ;
allow httpd_t httpd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t httpd_var_run_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow httpd_t file_type : filesystem getattr ;
allow httpd_t file_type : dir { getattr search open } ;
allow httpd_t httpd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;
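Worth noticing in the transcript above: the `sesearch` query at the end asks about `httpd_t` against `httpd_var_run_t` for file classes, and it does find a `sock_file` rule including `write`, so the on-disk label of `tsubonesystem3.sock` is not what is being denied. The AVC record itself says `tclass=unix_stream_socket` with `tcontext=...:init_t:s0`, which is the label of the process holding the socket (the service runs unconfined in `init_t`), not the label of the path. A file-class search can never show that rule. The script below is an added example, not part of the gist: it parses the AVC record from the log (the page's own line is embedded as `AVC_LINE`) and derives the `sesearch` invocation that checks the exact source, target, class and permission the kernel denied, plus the minimal TE allow rule that `audit2allow` would produce for it. The parser assumes the standard Linux audit AVC record format (`key=value` fields, `denied { perms }`).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The AVC record from the gist's audit.log excerpt (the SYSCALL record is not
# needed to answer the policy question).
AVC_LINE = (
    'type=AVC msg=audit(1491373484.821:743): avc: denied { connectto } for pid=1643 '
    'comm="nginx" path="/run/tsubonesystem3/tsubonesystem3.sock" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket'
)


@dataclass
class AvcDenial:
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: Optional[str] = None
    path: Optional[str] = None

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is what TE rules name.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# Field values are either double-quoted (comm, path) or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit.log AVC denial record; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = _PERMS_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    try:
        return AvcDenial(
            perms=perms,
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            comm=fields.get("comm"),
            path=fields.get("path"),
        )
    except KeyError:
        # Malformed or truncated record: refuse rather than guess.
        return None


def sesearch_command(d: AvcDenial) -> str:
    """sesearch query for exactly the (source, target, class, perms) tuple that was denied.

    Unlike a search by file label, this matches the class in the AVC record, so an
    unix_stream_socket denial against a process domain is actually visible.
    """
    return (f"sesearch --allow -s {d.source_type} -t {d.target_type} "
            f"-c {d.tclass} -p {','.join(d.perms)}")


def allow_rule(d: AvcDenial) -> str:
    """Minimal TE allow rule permitting this single denial (what audit2allow emits)."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


if __name__ == "__main__":
    denial = parse_avc(AVC_LINE)
    print(sesearch_command(denial))
    print(allow_rule(denial))
```

Running it prints `sesearch --allow -s httpd_t -t init_t -c unix_stream_socket -p connectto` and `allow httpd_t init_t:unix_stream_socket connectto;`. The rule is the narrow fix for the denial shown; the broader alternative is to run the backend service in its own confined domain instead of `init_t`, so that the web server only gains `connectto` towards that one domain rather than towards everything else running unconfined.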