Nginx -t & SELinux issue

BlueNomad · September 15, 2023, 5:51pm

Hello!

I’m fairly new to the RHEL side of things and I’m setting up a new web server with Ansible.

I’ve run into this issue:

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 0.0.0.0:443 failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed

My SELinux user/role/type is:

id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

sudo -s
id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

/etc/nginx data:

sudo ls -lZ /etc/nginx/
total 44
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:45 conf.d
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 12 18:52 default.d
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 1007 Apr 11 18:23 fastcgi_params
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 5349 Apr 11 18:23 mime.types
lrwxrwxrwx. 1 root root system_u:object_r:httpd_config_t:s0   29 Apr 11 18:23 modules -> ../../usr/lib64/nginx/modules
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  693 Sep 15 14:41 nginx.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  648 Sep 15 14:08 nginx.conf.99950.2023-09-15@14:14:35~
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  636 Apr 11 18:23 scgi_params
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:40 sites-available
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:28 sites-enabled
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  664 Apr 11 18:23 uwsgi_params

It works when I don’t have any server blocks, but once I do, it’s either binding to port 80 or 443 and afaik those require root access and sudo isn’t cutting it.

Any help is greatly appreciated!

nazunalika · September 16, 2023, 12:41am

How are you configuring the system and installing nginx? By default, nginx and httpd are both setup to be allowed to fork processes from root to nginx/apache and run on port 80 and 443 without any intervention.

BlueNomad · September 17, 2023, 12:04am

Hey,

I’m using Ansible but I’m not doing anything crazy (I think). I’m installing the stable package, 1.24.0.

It works fine until I add the server block. If I delete that, I’m able to run the command. Even a block like

server {

}

stops it working, with no other settings changed. I’ve put that into the nginx.conf file just in case it was something like the symlink in sites-enabled messing it up, but no joy.

I have a simple HTML file and that is getting served fine, so Nginx should have the right permissions for that.

Oh and I disabled SELinux as it’s a test server I’m playing with. It worked then.

It also worked after I reset the system and didn’t change my SELinux data, so it was left as

id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I’m running

sudo journalctl -f

and then triggering the error but that’s not showing anything about it. I’m getting some errors from setroubleshoot for other things, though.

The issue seems to be

staff_u:sysadm_r:sysadm_t

but I have no idea why. I have followed Chapter 3. Managing confined and unconfined users Red Hat Enterprise Linux 9 | Red Hat Customer Portal.

Here’s my sudoer rule, just in case the issue is with how I’m using sudo:

username ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL

BlueNomad · September 21, 2023, 10:23am

I guess it’s a tricky one. I’ll try the RedHat community and Reddit as well and I’ll update this if I’m able to reach a solution, just in case anyone else comes across this

BlueNomad · October 6, 2023, 5:08pm

I’ve finally got something to go on, now I’ve disabled the ‘dontaudit’ rule.

The error is:

time->Fri Oct  6 17:02:35 2023
type=PROCTITLE msg=audit(1696611755.583:1149): proctitle=7375646F006E67696E78002D74
type=PATH msg=audit(1696611755.583:1149): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=8668 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1696611755.583:1149): cwd="/home/USERNAME"
type=EXECVE msg=audit(1696611755.583:1149): argc=3 a0="sudo" a1="nginx" a2="-t"
type=SYSCALL msg=audit(1696611755.583:1149): arch=c000003e syscall=59 success=yes exit=0 a0=56233d0695a0 a1=56233d1800a0 a2=56233cffae40 a3=8 items=1 ppid=6128 pid=11286 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1696611755.583:1149): avc:  denied  { siginh } for  pid=11286 comm="sudo" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1696611755.583:1149): avc:  denied  { rlimitinh } for  pid=11286 comm="sudo" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1696611755.583:1149): avc:  denied  { noatsecure } for  pid=11286 comm="bash" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0

I think the important part is that it seems to be running as

staff_u:staff_r:staff_t:s0-s0:c0.c1023

and not

staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

BlueNomad · October 11, 2023, 11:07pm

If anyone comes across this with a similar issue, you can read more at redhat - SELinux blocking nginx -t - Server Fault.

system · December 10, 2023, 11:07pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.