SELinux blocking nginx -t

Hello!

I’m fairly new to the RHEL side of things and I’m setting up a new web server with Ansible.

I’ve run into this issue:

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 0.0.0.0:443 failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed

My SELinux user/role/type is:

id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
sudo -s
id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

/etc/nginx data:

sudo ls -lZ /etc/nginx/
total 44
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:45 conf.d
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 12 18:52 default.d
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 1007 Apr 11 18:23 fastcgi_params
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 5349 Apr 11 18:23 mime.types
lrwxrwxrwx. 1 root root system_u:object_r:httpd_config_t:s0   29 Apr 11 18:23 modules -> ../../usr/lib64/nginx/modules
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  693 Sep 15 14:41 nginx.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  648 Sep 15 14:08 nginx.conf.99950.2023-09-15@14:14:35~
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  636 Apr 11 18:23 scgi_params
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:40 sites-available
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:28 sites-enabled
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  664 Apr 11 18:23 uwsgi_params

It works fine until I add the server block. If I delete that, I’m able to run the command. Even a block like

server {

}

stops it working, with no other settings changed. I’ve put that into the nginx.conf file just in case it was something like the symlink in sites-enabled messing it up, but no joy.

I have a simple HTML file and that is getting served fine, so Nginx should have the right permissions for that.

Oh, and I disabled SELinux as it’s a test server I’m playing with. It worked then. It also worked after I reset the system and didn’t change my SELinux data, so it was left as

id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I’m running

sudo journalctl -f

and then triggering the error but that’s not showing anything about it. I’m getting some errors from setroubleshoot for other things, though.

The issue seems to be with sudo and staff_u:sysadm_r:sysadm_t, but I have no idea why. I have followed the Red Hat docs for setting up sudo.

Here’s my sudoers rule, just in case the issue is with how I’m using sudo:

username ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL

Any help is greatly appreciated!
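As an added example (not part of the original post and not Red Hat's tooling), the two checks a practitioner would run first on a "bind() ... Permission denied" that only appears under a confined context: pull the user/role/type out of the `id -Z` style context strings shown above, and pick the name_bind denials out of audit records. It assumes auditd is running so that denials are written to /var/log/audit/audit.log, where `ausearch -m AVC -ts recent` prints them in the standard kernel AVC format that the parser below expects; the two audit lines embedded in the script are constructed for the example and are not from the poster's machine.

```shell
#!/bin/sh
# Added example: parse SELinux context strings and AVC denial records.
# Not from the original post; the audit lines below are constructed.

# Field n (1=user, 2=role, 3=type, 4=level) of a user:role:type:level context,
# e.g. ctx_field 'staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023' 3 -> sysadm_t
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Read audit records on stdin and print "pid comm port source_type target_type"
# for every denied { name_bind } record. The source type tells you which
# domain actually attempted the bind (the caller's shell domain or httpd_t);
# the target type is the label of the port (http_port_t for 80/443).
avc_bind_denials() {
    awk '/denied/ && /name_bind/ {
        pid = ""; comm = ""; src = ""; sctx = ""; tctx = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "pid") pid = kv[2];
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm); }
            else if (kv[1] == "src") src = kv[2];
            else if (kv[1] == "scontext") { split(kv[2], f, ":"); sctx = f[3]; }
            else if (kv[1] == "tcontext") { split(kv[2], f, ":"); tctx = f[3]; }
        }
        print pid, comm, src, sctx, tctx;
    }'
}

# Constructed sample audit output (illustrative values only): one unrelated
# file denial and one bind denial on port 443 from a sysadm_t shell.
SAMPLE_AUDIT='type=AVC msg=audit(1694786075.100:455): avc:  denied  { read } for  pid=4321 comm="setroubleshootd" name="example" dev="dm-0" ino=1 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1694786075.123:456): avc:  denied  { name_bind } for  pid=99950 comm="nginx" src=443 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# One line per bind denial, phrased so the source domain is obvious.
summarize_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_bind_denials |
    while read -r pid comm port stype ttype; do
        printf 'pid %s (%s) tried to bind port %s as %s against %s\n' \
            "$pid" "$comm" "$port" "$stype" "$ttype"
    done
}

summarize_sample
```

On a live system, replace the embedded sample with `ausearch -m AVC -ts recent | avc_bind_denials`; if the source type printed is the shell's domain rather than httpd_t, the bind was attempted under the sudo context from the rule above, which is the first thing to compare against the unconfined_t case where the test passed.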