proxy_pass isn't working when SELinux is enabled, why?

Worth noting for beginners in SELinux that if your proxied service is running on 8080, you can use the command below without compiling a policy.

$ sudo setsebool httpd_can_network_connect 1 -P

Read about audit2allow and used it to create a policy to allow access to the denied requests for Nginx.

Step 1 involves running audit2allow targeting nginxlocalconf:

$ sudo grep nginx /var/log/audit/audit.log | \
     grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te

Step 2, review results:

$ cat nginxlocalconf.te 

module nginxlocalconf 1.0;

require {
    type httpd_t;
    type var_t;
    type transproxy_port_t;
    class tcp_socket name_connect;
    class file { read getattr open };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t transproxy_port_t:tcp_socket name_connect;
allow httpd_t var_t:file { read getattr open };

Review steps to activate:

$ sudo grep nginx /var/log/audit/audit.log | grep denied | \
   audit2allow -M nginxlocalconf
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginxlocalconf.pp

Step 3, active:

$ sudo semodule -i nginxlocalconf.pp

If you have another port or custom port allow it:

Show allow port in http:

semanage port -l | grep http

This is output in my localhost:

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

And allow 8081:

semanage port -a -t http_port_t -p tcp 8081

proxy_pass isn't working when SELinux is enabled, why?

Tags:

Nginx

Reverse Proxy

Selinux

Related

Recent Posts