22

I'm having an application listening on port 8081 and Nginx running on port 8080. The proxy pass statement looks like:

$ cat /var/etc/opt/lj/output/services/abc.servicemanager.conf

location /api/abc.servicemanager/1.0 { proxy_pass     http://localhost:8081;}

In nginx.conf, I include this file as:

include /etc/nginx/conf.d/services/*.conf;

The /etc/nginx/conf.d/service is a symlink: 

# ll /etc/nginx/conf.d/

lrwxrwxrwx. 1 root root   39 Dec 10 00:19 services -> ../../../var/etc/opt/lj/output/services

This is a CentOS 7.0 SELinux Enabled system. If I setenforce 0, and make it Permissive, I don't see any issues. So the file is in right place and no issues with paths. If SELinux is enforcing, I see the following in audit log:

type=AVC msg=audit(1418348761.372:100930): avc:  denied  { getattr } for  pid=3936 comm="nginx" path="/var/etc/opt/lj/output/services/abc.servicemanager.conf" dev="xvda1" ino=11063393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

I want to know how to enable Nginx to find the conf file without having to disable SELinux.

slm
  • 15,396
  • 12
  • 109
  • 124
Vijay Shankar Kalyanaraman
  • 917
  • 3
  • 9
  • 16

4 Answers4

44

Worth noting for beginners in SELinux that if your proxied service is running on 8080, you can use the command below without compiling a policy.

$ sudo setsebool httpd_can_network_connect 1 -P
slm
  • 15,396
  • 12
  • 109
  • 124
Cristian Romanescu
  • 625
  • 5
  • 7
32

Read about audit2allow and used it to create a policy to allow access to the denied requests for Nginx.

Step 1 involves running audit2allow targeting nginxlocalconf:

$ sudo grep nginx /var/log/audit/audit.log | \
     grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te

Step 2, review results:

$ cat nginxlocalconf.te 

module nginxlocalconf 1.0;

require {
    type httpd_t;
    type var_t;
    type transproxy_port_t;
    class tcp_socket name_connect;
    class file { read getattr open };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t transproxy_port_t:tcp_socket name_connect;
allow httpd_t var_t:file { read getattr open };

Review steps to activate:

$ sudo grep nginx /var/log/audit/audit.log | grep denied | \
   audit2allow -M nginxlocalconf
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginxlocalconf.pp

Step 3, active:

$ sudo semodule -i nginxlocalconf.pp
slm
  • 15,396
  • 12
  • 109
  • 124
Vijay Shankar Kalyanaraman
  • 917
  • 3
  • 9
  • 16
  • i follow this step by step and it works. great. but i have no idea what I did. wondering where i can learn more about this. – Ppp Apr 03 '19 at 10:56
6

If you have another port or custom port allow it:

Show allow port in http:

semanage port -l | grep http

This is output in my localhost:

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

And allow 8081:

semanage port -a -t http_port_t -p tcp 8081
reformed
  • 4,505
  • 11
  • 62
  • 88
denzfarid
  • 61
  • 1
  • 1
  • Is it really about the port? I think SELinux was denying him access to the config file: `... { getattr } .. path="......."...`. Please correct me if I'm wrong. – Ayman Nedjmeddine Apr 18 '17 at 11:56
4

Always prefer changing types to creating custom policies. In this case, Nginx will serve files with the httpd_sys_content_t type. Assuming your files are located in /var/www:

semanage fcontext -a -t httpd_sys_content_t /var/www/*
restorecon -R -v /var/www
e18r
  • 7,578
  • 4
  • 45
  • 40