Solved SELinux blocking Nginx by default on Fedora 27
-
Set up a new Fedora 27 instance to run Nginx for reverse proxy purposes.
The inbound connection works because the rewrite from HTTP to HTTPS happens, but then I get a 502 Gateway error.
Turn off SELinux and poof, it works.
[root@proxy ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing nginx from name_connect access on the tcp_socket port 80.

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to graceful shutdown
Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean.

Do
setsebool -P httpd_graceful_shutdown 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to can network relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.

Do
setsebool -P httpd_can_network_relay 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (3.53 confidence) suggests   **************************

If you believe that nginx should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -X 300 -i my-nginx.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 80 [ tcp_socket ]
Source                        nginx
Source Path                   nginx
Port                          80
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     proxy.domain.local
Platform                      Linux proxy.domain.local 4.15.6-300.fc27.x86_64 #1 SMP Mon Feb 26 18:43:03 UTC 2018 x86_64 x86_64
Alert Count                   13
First Seen                    2018-03-10 18:12:18 CST
Last Seen                     2018-03-10 19:05:46 CST
Local ID                      26719030-f7a3-46b5-9e8b-2f4026f189f7

Raw Audit Messages
type=AVC msg=audit(1520730346.584:185): avc:  denied  { name_connect } for  pid=626 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

Hash: nginx,httpd_t,http_port_t,tcp_socket,name_connect
-
The first suggestion from sealert works: setsebool -P httpd_can_network_connect 1 and then it all works.
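As an added example (not part of the original post), the POSIX shell script below parses an AVC denial of the shape shown in the Raw Audit Messages above and picks the narrowest httpd boolean that would permit it. The caveat it encodes: httpd_can_network_connect lets httpd_t connect to any TCP port, while httpd_can_network_relay (also listed by sealert) covers the http_port_t target in this denial and nothing wider. The sample AVC line is constructed to match the one above, the function names are my own, and the boolean-to-port mapping is an assumption taken from the Fedora targeted policy; setsebool is only invoked when APPLY=1 is set and the tool exists.

```shell
#!/bin/sh
# Added example (not from the original post): parse an SELinux AVC denial and
# recommend the narrowest httpd_t boolean that would permit it.
# Assumption: the mapping reflects the Fedora targeted policy, where
#   httpd_can_network_relay      -> http / http_cache ports
#   httpd_can_network_connect_db -> database ports
#   httpd_can_network_connect    -> any TCP port (broadest, use last)

# Constructed sample, shaped like the "Raw Audit Messages" line in the sealert output.
SAMPLE_AVC='type=AVC msg=audit(1520730346.584:185): avc:  denied  { name_connect } for  pid=626 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY: print the value of the KEY=value token in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission named inside the { } braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recommend_boolean LINE: print the narrowest boolean for a httpd_t name_connect
# denial. Prints a reason and returns 1 when LINE is not such a denial.
recommend_boolean() {
    _line=$1
    _stype=$(ctx_type "$(avc_field "$_line" scontext)")
    _ttype=$(ctx_type "$(avc_field "$_line" tcontext)")
    _perm=$(avc_perm "$_line")
    _tclass=$(avc_field "$_line" tclass)

    if [ "$_stype" != httpd_t ]; then
        echo "not-httpd_t:$_stype"; return 1
    fi
    if [ "$_perm" != name_connect ] || [ "$_tclass" != tcp_socket ]; then
        echo "not-tcp-connect:$_perm/$_tclass"; return 1
    fi
    case $_ttype in
        http_port_t|http_cache_port_t)   echo httpd_can_network_relay ;;
        mysqld_port_t|postgresql_port_t) echo httpd_can_network_connect_db ;;
        *)                               echo httpd_can_network_connect ;;
    esac
}

# apply_boolean NAME: enable NAME persistently, but only when APPLY=1 is set and
# the SELinux tools exist; otherwise just show the command that would run.
apply_boolean() {
    if [ "${APPLY:-0}" = 1 ] && command -v setsebool >/dev/null 2>&1; then
        setsebool -P "$1" 1 && getsebool "$1"
    else
        echo "would run: setsebool -P $1 1"
    fi
}

# recommend_from_stream: read AVC lines on stdin (for example from
# `ausearch -m AVC -ts recent --raw`) and print one recommendation per line.
recommend_from_stream() {
    while IFS= read -r _l; do
        case $_l in
            *"type=AVC"*) recommend_boolean "$_l" || true ;;
        esac
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | recommend_from_stream
apply_boolean "$(recommend_boolean "$SAMPLE_AVC")"
```

On a real host, pipe `ausearch -m AVC -ts recent --raw` into recommend_from_stream and compare with `getsebool -a | grep httpd_can_network` before changing anything; the audit2allow route in the sealert catchall is narrower still, since it allows only the exact rule seen in the log.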
-
This behavior is different from the last time I set up a reverse proxy like this. But that was also on CentOS 7 and not Fedora. So the policy could be different.