nginx reverse proxy - permission to connect on port 8080 denied

Issues related to configuring your network
codingsafari
Posts: 5
Joined: 2020/02/16 20:14:23

nginx reverse proxy - permission to connect on port 8080 denied

Post by codingsafari » 2020/02/16 20:30:33

Hi,

I have problems getting a nginx reverse proxy set up. When I examine the audit logs, I see this:

Code:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | tail -n 2

type=AVC msg=audit(1581877569.448:81): avc:  denied  { name_connect } for  pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1581878362.267:181): avc:  denied  { name_connect } for  pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1

After doing some research I ran the commands below to get some insight into the system configuration:

Processes

Code:

ps aux | grep nginx

root       786  0.0  0.1 128132  2284 ?        Ss   19:26   0:00 nginx: master process /usr/sbin/nginx
nginx      787  0.0  0.4 159068  7584 ?        S    19:26   0:00 nginx: worker process
codings+  4823  0.0  0.0  12108   984 pts/0    R+   19:28   0:00 grep --color=auto nginx


Permission

Code:

sudo ls -la /var/lib/nginx/

total 12
drwxrwx---.  3 nginx nginx 4096 Oct  7 21:17 .
drwxr-xr-x. 28 root  root  4096 Feb 10 11:50 ..
drwxrwx---.  7 nginx nginx 4096 Oct  7 21:17 tmp

Code:

cat /etc/passwd | grep nginx

nginx:x:995:992:Nginx web server:/var/lib/nginx:/sbin/nologin

SELinux

Code:

sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

httpd

Code:

getsebool -a | grep httpd

httpd_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

Firewall

Code:

sudo firewall-cmd --state

running

Code:

sudo firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nginx reverse proxy - permission to connect on port 8080 denied

Post by TrevorH » 2020/02/16 20:41:10

Clear your audit log by running service auditd rotate and either move the older files elsewhere or delete them.
Set your system into permissive mode by running setenforce 0, or you will only see the first denial, create a new policy for it, and then have to repeat it for the next denial. Doing so in permissive will let you see all of them at once.
Recreate the problem.
Run grep -i avc /var/log/audit/audit.log | audit2allow -M mynginx
Check the contents of mynginx.te for things that do not look like they have anything to do with nginx access to this port.
If all looks ok then you can semodule -i mynginx.pp

If the .te file appears to contain anything you do not want to allow then see our wiki entry on the procedure above which details how to amend the .te file and rebuild the .pp from it. Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fed ... ced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/se ... licy-guide | http://freecomputerbooks.com/The-SELinu ... tions.html

Run setenforce 1 to go back to enforcing mode and check everything still works. A reboot will also flip it back to enforcing mode.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

codingsafari
Posts: 5
Joined: 2020/02/16 20:14:23

Re: nginx reverse proxy - permission to connect on port 8080 denied

Post by codingsafari » 2020/02/16 21:02:31

Hi Trevor,

thanks for your quick reply. I followed your instructions but I get an error:

Code:

$ sudo grep -i avc /var/log/audit/audit.log | audit2allow -M mynginx
compilation failed:
mynginx.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
$ cat mynginx.te

module mynginx 1.0;

I will read through the material you have provided though. Maybe I will understand it at some point.

Thanks

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nginx reverse proxy - permission to connect on port 8080 denied

Post by TrevorH » 2020/02/16 21:33:10

Just run the grep on its own and see what you get. By the looks of that, there were no avc lines in the audit log so it didn't have anything to work on.

codingsafari
Posts: 5
Joined: 2020/02/16 20:14:23

Re: nginx reverse proxy - permission to connect on port 8080 denied

Post by codingsafari » 2020/02/17 22:36:24

Not entirely sure how but the issue disappeared. I don't know what it was, I did so many things. I guess this can be closed.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: nginx reverse proxy - permission to connect on port 8080 denied

Post by aks » 2020/02/25 18:24:46

echo 'type=AVC msg=audit(1581877569.448:81): avc: denied { name_connect } for pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0' | audit2allow


#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_connect, httpd_can_network_relay
allow httpd_t http_cache_port_t:tcp_socket name_connect;
(just for future browsers)
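As an added example (not part of the thread, and not audit2allow's own code), the following Python takes AVC records like the ones quoted above and does what a reviewer wants before trusting a generated module: it parses each record into fields, groups denials by source type, target type, class and permission, counts how many were logged while enforcing versus permissive (Trevor's point that enforcing mode only ever shows the first denial), and renders the equivalent .te text so it can be compared with what audit2allow -M writes. The sample input is the two records from the original post plus one constructed non-AVC line; the boolean table holds only the two booleans audit2allow itself named in aks's reply. Feeding it an empty grep result raises an error instead of emitting a header-only .te, which is the "syntax error" case from the second post.

```python
"""Summarise SELinux AVC denials before building a policy module from them.

Added example for this thread; not part of audit2allow. On a real system:
    grep -i avc /var/log/audit/audit.log | python3 avc_summary.py
"""
import re
import sys
from collections import OrderedDict

# Constructed sample: the two AVC records quoted in the thread plus one non-AVC
# record (also constructed) that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1581877569.448:81): avc:  denied  { name_connect } for  pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1581877569.448:81): success=no exit=-13 comm="nginx"
type=AVC msg=audit(1581878362.267:181): avc:  denied  { name_connect } for  pid=798 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
"""

# Booleans audit2allow itself named for this exact denial (aks's reply above).
KNOWN_BOOLEANS = {
    ("httpd_t", "http_cache_port_t", "tcp_socket", ("name_connect",)):
        ["httpd_can_network_connect", "httpd_can_network_relay"],
}

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type, the field policy rules are written against."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    rec.update(timestamp=float(m["ts"]), serial=int(m["serial"]),
               result=m["result"], perms=tuple(m["perms"].split()))
    # permissive=1 means the access was logged but not blocked (setenforce 0)
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, perms), counting how many
    were hit while enforcing vs. permissive and which commands triggered them."""
    groups = OrderedDict()
    for rec in map(parse_avc, lines):
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"enforcing": 0, "permissive": 0, "comms": set()})
        g["permissive" if rec["permissive"] else "enforcing"] += 1
        g["comms"].add(rec.get("comm", "?"))
    return groups


def booleans_for(key):
    """Booleans known (from the thread) to allow this denial without a custom module."""
    return KNOWN_BOOLEANS.get(key, [])


def fmt_perms(perms):
    """audit2allow style: a single permission bare, several inside braces."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(groups, module_name="mynginx", version="1.0"):
    """Render the .te that audit2allow -M would write for these groups, so it can be
    reviewed rule by rule; empty input is the thread's header-only .te failure."""
    if not groups:
        raise ValueError("no AVC denials in input: nothing to build a module from")
    types, classes = set(), {}
    for src, tgt, cls, perms in groups:
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {fmt_perms(sorted(perms))};" for cls, perms in sorted(classes.items())]
    out += ["}", ""]
    for key, g in groups.items():
        src, tgt, cls, perms = key
        hint = ", ".join(booleans_for(key))
        if hint:
            out.append(f"# could be allowed instead by boolean(s): {hint}")
        out.append(f"# seen {g['enforcing']} enforcing / {g['permissive']} permissive "
                   f"from {','.join(sorted(g['comms']))}")
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    print(render_te(summarize(text.splitlines())))
```

The grouping key deliberately drops pid, dest and timestamp, which is why two records for the same access collapse into one allow rule, the same way audit2allow collapses them; the per-rule comment about enforcing versus permissive counts is what tells you whether the rule was seen in a complete run or only as the first blocked access.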
