I'm setting up Rocky Linux and I've run into this error:
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
My user's SELinux information is:
id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
sudo -s
id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
My sudoer rule:
USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
After having trouble getting any errors logged, I disabled the 'dontaudit' rules and got:
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
time->Fri Oct 6 17:02:35 2023
type=PROCTITLE msg=audit(1696611755.583:1149): proctitle=7375646F006E67696E78002D74
type=PATH msg=audit(1696611755.583:1149): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=8668 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1696611755.583:1149): cwd="/home/USERNAME"
type=EXECVE msg=audit(1696611755.583:1149): argc=3 a0="sudo" a1="nginx" a2="-t"
type=SYSCALL msg=audit(1696611755.583:1149): arch=c000003e syscall=59 success=yes exit=0 a0=56233d0695a0 a1=56233d1800a0 a2=56233cffae40 a3=8 items=1 ppid=6128 pid=11286 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1696611755.583:1149): avc: denied { siginh } for pid=11286 comm="sudo" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1696611755.583:1149): avc: denied { rlimitinh } for pid=11286 comm="sudo" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1696611755.583:1149): avc: denied { noatsecure } for pid=11286 comm="bash" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0
It seems to be running as
staff_u:staff_r:staff_t:s0-s0:c0.c1023
and not
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
I'm far from an expert when it comes to this so any help is greatly appreciated!
As requested:
audit2allow -a
#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };
#============= init_t ==============
allow init_t unconfined_service_t:process siginh;
#============= staff_sudo_t ==============
allow staff_sudo_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow staff_sudo_t self:capability net_admin;
allow staff_sudo_t shadow_t:file read;
allow staff_sudo_t sysadm_t:process { noatsecure rlimitinh siginh };
#============= staff_t ==============
allow staff_t staff_sudo_t:process { noatsecure rlimitinh siginh };
#============= sysadm_t ==============
allow sysadm_t http_port_t:tcp_socket name_bind;
sudo ls -Z /etc/nginx
system_u:object_r:httpd_config_t:s0 conf.d
system_u:object_r:httpd_config_t:s0 fastcgi_params
system_u:object_r:httpd_config_t:s0 mime.types
system_u:object_r:httpd_config_t:s0 modules
system_u:object_r:httpd_config_t:s0 nginx.conf
system_u:object_r:httpd_config_t:s0 scgi_params
system_u:object_r:httpd_config_t:s0 uwsgi_params
sudo ls -Z /etc/nginx/conf.d
system_u:object_r:httpd_config_t:s0 default.conf
audit2allow -a please?
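The ausearch output quoted in the question mixes two kinds of records: inheritance permissions (siginh, rlimitinh, noatsecure) that are normally hidden by dontaudit rules and only appeared because those rules were disabled, and the denial that audit2allow rendered as `allow sysadm_t http_port_t:tcp_socket name_bind;`, which corresponds to the bind() to port 80 failing. The following is an added Python example, not code from the original post, that parses AVC records into audit2allow-style rules and separates that noise from the real denial; the name_bind record in the sample is constructed to match the rule shown in the question, not copied from it.

```python
import re
from typing import Dict, List

# Layout of a kernel type=AVC record as shown in the post's ausearch output.
AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Process-inheritance permissions the policy normally dontaudits; they only show
# up in the post because the dontaudit rules were disabled.
INHERIT_NOISE = {"siginh", "rlimitinh", "noatsecure"}

def parse_avc(line: str) -> Dict[str, object]:
    """Parse one type=AVC line into a dict; 'perms' becomes a list of strings."""
    m = AVC_RE.match(line)
    if not m:
        return {}
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(ctx: str) -> str:
    """Third field of user:role:type:level, e.g. sysadm_t from the post."""
    return ctx.split(":")[2]

def to_allow_rule(rec: Dict[str, object]) -> str:
    """Render a denial the way audit2allow prints it (to read, not to load)."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {type_of(rec['scontext'])} {type_of(rec['tcontext'])}:{rec['tclass']} {p};"

def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Split AVC lines into dontaudit noise and denials that explain the failure."""
    out: Dict[str, List[str]] = {"noise": [], "real": []}
    for line in lines:
        rec = parse_avc(line)
        if not rec:
            continue
        noise = rec["tclass"] == "process" and set(rec["perms"]) <= INHERIT_NOISE
        out["noise" if noise else "real"].append(to_allow_rule(rec))
    return out

# Sample input: the three AVC records quoted in the post, plus one CONSTRUCTED
# record shaped to match the audit2allow rule the post shows for sysadm_t.
SAMPLE = [
    'type=AVC msg=audit(1696611755.583:1149): avc: denied { siginh } for pid=11286 comm="sudo" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0',
    'type=AVC msg=audit(1696611755.583:1149): avc: denied { rlimitinh } for pid=11286 comm="sudo" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0',
    'type=AVC msg=audit(1696611755.583:1149): avc: denied { noatsecure } for pid=11286 comm="bash" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tclass=process permissive=0',
    # constructed: what the bind() to port 80 failure looks like as an AVC record
    'type=AVC msg=audit(1696611760.000:1150): avc: denied { name_bind } for pid=11301 comm="nginx" src=80 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
]
```

Calling `triage(SAMPLE)` puts the three inheritance denials under "noise" and leaves a single "real" entry, `allow sysadm_t http_port_t:tcp_socket name_bind;`, the same rule audit2allow printed in the question.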