SELinux blocking Nginx by default on Fedora 27



  • Set up a new Fedora 27 instance to run Nginx for reverse proxy purposes.

    The inbound connection works because the rewrite from HTTP to HTTPS happens, but then I get a 502 Gateway error.

    Turn off SELinux and poof, it works.

    [root@proxy ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing nginx from name_connect access on the tcp_socket port 80.
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow httpd to can network connect
    Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
    
    Do
    setsebool -P httpd_can_network_connect 1
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow httpd to graceful shutdown
    Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean.
    
    Do
    setsebool -P httpd_graceful_shutdown 1
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow httpd to can network relay
    Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.
    
    Do
    setsebool -P httpd_can_network_relay 1
    
    *****  Plugin catchall_boolean (24.7 confidence) suggests   ******************
    
    If you want to allow nis to enabled
    Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
    
    Do
    setsebool -P nis_enabled 1
    
    *****  Plugin catchall (3.53 confidence) suggests   **************************
    
    If you believe that nginx should be allowed name_connect access on the port 80 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'nginx' --raw | audit2allow -M my-nginx
    # semodule -X 300 -i my-nginx.pp
    
    Additional Information:
    Source Context                system_u:system_r:httpd_t:s0
    Target Context                system_u:object_r:http_port_t:s0
    Target Objects                port 80 [ tcp_socket ]
    Source                        nginx
    Source Path                   nginx
    Port                          80
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     proxy.domain.local
    Platform                      Linux proxy.domain.local
                                  4.15.6-300.fc27.x86_64 #1 SMP Mon Feb 26 18:43:03
                                  UTC 2018 x86_64 x86_64
    Alert Count                   13
    First Seen                    2018-03-10 18:12:18 CST
    Last Seen                     2018-03-10 19:05:46 CST
    Local ID                      26719030-f7a3-46b5-9e8b-2f4026f189f7
    
    Raw Audit Messages
    type=AVC msg=audit(1520730346.584:185): avc:  denied  { name_connect } for  pid=626 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
    
    
    Hash: nginx,httpd_t,http_port_t,tcp_socket,name_connect
    


  • The first suggestion from sealert works.

    setsebool -P httpd_can_network_connect 1
    

    and then it all works.
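
The sealert output above ranks four booleans at the same 24.7 confidence, but they are not equally broad: in the targeted policy, httpd_can_network_relay only lets httpd_t (which nginx runs as) connect to HTTP-style ports such as http_port_t, while httpd_can_network_connect lets it connect to any TCP port. For a reverse proxy whose upstream is on port 80, the relay boolean is the narrower fix for the name_connect denial shown. The script below is an added example, not something from this thread: it parses AVC records of the shape printed under "Raw Audit Messages" and names the least-privilege boolean for the denial. The function names, the constructed sample record, and the mapping of target port types to booleans (only http_port_t is mapped to the relay boolean here; the relay boolean covers a few more port types that this example does not enumerate) are all my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): map an SELinux AVC denial for httpd_t
# to the narrowest boolean that would permit it. Constructed sample record,
# modelled on the raw audit message shown in the thread.

SAMPLE_AVC='type=AVC msg=audit(1520730346.584:185): avc:  denied  { name_connect } for  pid=626 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY -> value of KEY=... in the record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside the braces (e.g. name_connect)
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_boolean LINE -> boolean granting the denied access with the least
# extra privilege, or "none" when the denial is not an httpd_t TCP connect.
# Assumed mapping (targeted policy):
#   httpd_can_network_relay   : httpd_t may connect to http_port_t (and a few
#                               related proxy/cache port types, not listed here)
#   httpd_can_network_connect : httpd_t may connect to any TCP port
suggest_boolean() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    cls=$(avc_field "$line" tclass)
    if [ "$src" != httpd_t ] || [ "$cls" != tcp_socket ] || [ "$perm" != name_connect ]; then
        echo none
        return
    fi
    case "$tgt" in
        http_port_t) echo httpd_can_network_relay ;;
        *)           echo httpd_can_network_connect ;;
    esac
}

# Usage: sh avc_suggest.sh [audit.log]   (file name is the caller's choice)
# With no argument the script only reports on the constructed sample record.
if [ -n "${1:-}" ]; then
    grep 'avc:  denied' "$1" | while IFS= read -r l; do
        printf '%s %s -> %s\n' "$(avc_field "$l" comm)" "$(avc_perm "$l")" "$(suggest_boolean "$l")"
    done
else
    printf 'sample: nginx %s -> %s\n' "$(avc_perm "$SAMPLE_AVC")" "$(suggest_boolean "$SAMPLE_AVC")"
fi
```

Before enabling either boolean, `getsebool httpd_can_network_relay httpd_can_network_connect` shows the current state; a denial reported against http_port_t (as in this thread) is resolved by the relay boolean alone, and the broader httpd_can_network_connect is only needed when the upstream listens on a port labelled with some other type.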






  • This behavior is different from the last time I set up a reverse proxy like this. But that was also on CentOS 7 and not Fedora, so the policy could be different.