50

I'm struggling with some strange permission-related behavior: when I configure nginx to listen on port 8080 everything works as expected, but when I use any other port I get something like

2014/01/10 09:20:02 [emerg] 30181#0: bind() to 0.0.0.0:8090 failed (13: Permission denied)

in /var/log/nginx/error.log

I have no clue where to look, so I don't really know what parts of the configuration might be interesting.

In nginx.conf, nginx is configured to run as nginx:

user  nginx;

Also, user nginx is in another group, 'git'.

In the site config I tried to listen like this:

server {
    listen 8090; #does not work
    #listen 8080; #works
    #listen 9090; #does not work
    #listen 9090 default; #does not work either
    #listen 80; #works!
    server_name <some IP>;
    ...
}

I have only one more listener which serves port 443.

When I start some other service e.g. a SimpleHTTPServer on port 8090 etc. as non-root everything works fine:

$ python -m SimpleHTTPServer 8090
Serving HTTP on 0.0.0.0 port 8090 ...
localhost.localdomain - - [10/Jan/2014 09:34:19] "GET / HTTP/1.1" 200 -

What can the reasons be for denied permissions in general?

System is Fedora 18; nginx is stock Fedora 1.2.9.

frans

1 Answer

81

This will most likely be related to SELinux.

semanage port -l | grep http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

As you can see from the output above, with SELinux in enforcing mode, http is only allowed to bind to the listed ports. The solution is to add the ports you want to bind on to the list.

semanage port -a -t http_port_t  -p tcp 8090

will add port 8090 to the list.

user9517
  • 1
    That's been it, thanks! But why is there so little information? I would guess other people use Fedora with SELinux, too. – frans Jan 10 '14 at 09:06
  • 1
    @frans: There is plenty of information, you're just not aware of it or how to access and use it. If you have SELinux in enforcing or permissive mode then all denials are logged to /var/log/audit.log. There are tools available that allow you to filter, understand and manage the information and SELinux policy - have a look at the [Fedora SELinux pages](http://fedoraproject.org/wiki/SELinux) and the manpages for ausearch, audit2why, audit2allow. – user9517 Jan 10 '14 at 09:19
  • 1
    If you get `semanage: command not found`, you can install it with `yum install policycoreutils-python`. – mwfearnley Sep 28 '18 at 15:27
  • 1
    8080 is not listed for http_port_t but still it works, any idea why ? – MaxiWheat Oct 09 '19 at 15:05
  • @mwfearnley, please mention the CentOS version you tried when resolving the `semanage: command not found` issue in your comment, to make sure users use the correct package name. For CentOS 8, `semanage` is provided by this command: `yum install -y policycoreutils-python-utils` – S.K. Venkat Nov 19 '20 at 18:45
  • 1
    @S.K.Venkat thanks. It would have been CentOS 7; 8 wasn’t out then. Maybe I should have just suggested `yum provides semanage`... – mwfearnley Nov 19 '20 at 18:50
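
The check from the answer, as an added example that is not part of the original posts: it parses `semanage port -l` output, including port ranges, and reports which SELinux port types cover a given port before you decide to run `semanage port -a`. The function names `port_types` and `http_bind_allowed` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767'

# port_types PORT [PROTO]
# Reads `semanage port -l` text on stdin and prints every SELinux port type
# whose port list or range covers PORT for PROTO (default tcp), one per line.
# A port can appear under a specific type and a broad range type at once.
port_types() {
    awk -v port="$1" -v proto="${2:-tcp}" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # strip the list separator
                n = split(entry, r, "-")      # "10001-10010" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# http_bind_allowed PORT
# Succeeds only if the listing on stdin labels tcp/PORT as http_port_t,
# i.e. the port is already in the list shown in the answer.
http_bind_allowed() {
    port_types "$1" tcp | grep -qx 'http_port_t'
}

# On a live host (assumes semanage is installed and run with privileges):
#   semanage port -l | port_types 8090
#   semanage port -l | http_bind_allowed 8090 || echo "8090 is not http_port_t"
```
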