My issue:
NGINX starts and runs normally when SELinux is set to permissive.
After switching SELinux to enforcing mode, the NGINX service fails to start with Permission denied (13) errors while binding to non-standard TCP ports.
No NGINX configuration changes or OS package updates were made other than changing the SELinux mode.
Error observed
nginx: [emerg] bind() to <IP>:5001 failed (13: Permission denied)
SELinux AVC details
NGINX is running under the httpd_t domain, and SELinux denies binding to custom ports such as:
- TCP 5001
- TCP 7050
Environment details
- OS: Red Hat Enterprise Linux 8.10
- SELinux: Enabled, enforcing (targeted policy)
- NGINX version: nginx-1.22.1-1.el8.ngx.x86_64
- NGINX package source: Official NGINX (F5) repository
Questions / Clarification requested
- Is the observed behavior—NGINX failing to bind to non-standard TCP ports when SELinux is set to enforcing—expected behavior when using the official NGINX packages on RHEL systems?
- For NGINX running under the `httpd_t` SELinux domain, is assigning custom listening ports using the following command the recommended and supported approach? `semanage port -a -t http_port_t -p tcp <custom_port>`
- Are there any NGINX-specific SELinux policies, modules, or configuration guidelines provided or recommended by NGINX/F5 when NGINX is required to listen on multiple non-standard ports?
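
As an added example (not part of the original post, and not NGINX/F5 tooling), the script below cross-checks the `listen` ports in an NGINX configuration against the ports labeled `http_port_t` and prints the `semanage port` command from the question for each port that lacks the label. The function names, the sample configuration and the sample port list are all constructed for illustration; on a real host the inputs would be the NGINX configuration text and the output of `semanage port -l`.

```shell
#!/usr/bin/env bash
# Added example. Both samples below are constructed, not taken from the poster's host.

# Constructed excerpt in the column layout printed by `semanage port -l`.
SAMPLE_PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# Constructed NGINX configuration fragment (192.0.2.10 is a documentation address).
SAMPLE_NGINX_CONF='server {
    listen 443 ssl;
    listen 192.0.2.10:5001;
    listen [::]:7050;
    listen unix:/run/nginx.sock;
}'

# stdin: `semanage port -l` output. stdout: every TCP port labeled http_port_t,
# one per line, with ranges such as 8000-8002 expanded.
http_ports() {
  awk '$1 == "http_port_t" && $2 == "tcp" {
         for (i = 3; i <= NF; i++) {
           gsub(",", "", $i)
           n = split($i, r, "-")
           for (p = r[1] + 0; p <= r[n] + 0; p++) print p
         }
       }'
}

# stdin: NGINX config text. stdout: numeric ports from `listen` directives.
# Address-only and unix: listeners are skipped.
listen_ports() {
  sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' |
    sed 's/.*://' | grep -E '^[0-9]+$' | sort -un
}

# $1 = NGINX config text, $2 = `semanage port -l` text.
# stdout: listen ports that are not labeled http_port_t in that port list.
missing_ports() {
  labeled=$(printf '%s\n' "$2" | http_ports)
  printf '%s\n' "$1" | listen_ports | while read -r port; do
    printf '%s\n' "$labeled" | grep -qx "$port" || echo "$port"
  done
}

# Print (do not run) the labeling command for each unlabeled port.
for p in $(missing_ports "$SAMPLE_NGINX_CONF" "$SAMPLE_PORT_LIST"); do
  echo "semanage port -a -t http_port_t -p tcp $p"
done
```

If `semanage` reports that a port is already defined under another type, `-m` modifies the existing label where `-a` would fail.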