Nginx -t & SELinux issue

Hello!

I’m fairly new to the RHEL side of things and I’m setting up a new web server with Ansible.

I’ve run into this issue:

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 0.0.0.0:443 failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed

My SELinux user/role/type is:

id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

sudo -s
id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

/etc/nginx data:

sudo ls -lZ /etc/nginx/
total 44
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:45 conf.d
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 12 18:52 default.d
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 1007 Apr 11 18:23 fastcgi_params
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 5349 Apr 11 18:23 mime.types
lrwxrwxrwx. 1 root root system_u:object_r:httpd_config_t:s0   29 Apr 11 18:23 modules -> ../../usr/lib64/nginx/modules
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  693 Sep 15 14:41 nginx.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  648 Sep 15 14:08 nginx.conf.99950.2023-09-15@14:14:35~
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  636 Apr 11 18:23 scgi_params
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:40 sites-available
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 4096 Sep 15 14:28 sites-enabled
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  664 Apr 11 18:23 uwsgi_params

It works when I don’t have any server blocks, but once I do, it’s either binding to port 80 or 443 and afaik those require root access and sudo isn’t cutting it.

Any help is greatly appreciated!

How are you configuring the system and installing nginx? By default, nginx and httpd are both setup to be allowed to fork processes from root to nginx/apache and run on port 80 and 443 without any intervention.

Hey,

I’m using Ansible but I’m not doing anything crazy (I think). I’m installing the stable package, 1.24.0.

It works fine until I add the server block. If I delete that, I’m able to run the command. Even a block like

server {

}

stops it working, with no other settings changed. I’ve put that into the nginx.conf file just in case it was something like the symlink in sites-enabled messing it up, but no joy.

I have a simple HTML file and that is getting served fine, so Nginx should have the right permissions for that.

Oh and I disabled SELinux as it’s a test server I’m playing with. It worked then.

It also worked after I reset the system and didn’t change my SELinux data, so it was left as

id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I’m running

sudo journalctl -f

and then triggering the error but that’s not showing anything about it. I’m getting some errors from setroubleshoot for other things, though.

The issue seems to be

staff_u:sysadm_r:sysadm_t

but I have no idea why. I have followed Chapter 3. Managing confined and unconfined users Red Hat Enterprise Linux 9 | Red Hat Customer Portal.

Here’s my sudoer rule, just in case the issue is with how I’m using sudo:

username ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL

I guess it’s a tricky one. I’ll try the RedHat community and Reddit as well and I’ll update this if I’m able to reach a solution, just in case anyone else comes across this