I’m running NGINX with the option ssl_stapling on. It attempts to make a connection to an OCSP responder’s port 80, which is denied by SELinux.
From the documentation [1] [2], it seems that the best way is to enable the httpd_can_network_connect boolean. However, the boolean contains many rules, and I only really need this one: allow httpd_t http_port_t : tcp_socket name_connect ;
Is it possible to use only that allow rule, without having to recompile the policy?
Also, the top answer here says the Apache server is allowed access to http_port_t? I think both Apache and NGINX are of the httpd type? But my NGINX server is not allowed to connect to port 80:
avc: denied { name_connect } for pid=12345 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
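The way to get exactly one allow rule without rebuilding the base policy is a small loadable policy module: a .te source containing a require block for the types and class named in the AVC plus the single allow line, compiled with checkmodule, packaged with semodule_package and installed with semodule. The script below is an added example, not from the original post; it assumes the policycoreutils toolchain (checkmodule, semodule_package, semodule) is installed and the load step runs as root, and the module name nginx_ocsp is a made-up placeholder. The policy source is written by hand rather than generated with audit2allow so that it carries only the one rule from the denial above.

```shell
#!/bin/sh
# Added example (not from the original post): build and load a minimal SELinux
# policy module granting only the rule shown in the AVC denial:
#   allow httpd_t http_port_t : tcp_socket name_connect ;
# Assumptions: checkmodule / semodule_package / semodule (policycoreutils) are
# installed and the load step runs as root. Module name "nginx_ocsp" is made up.
set -eu

MODNAME=nginx_ocsp

# Emit the policy source (.te). The require block declares the types and the
# object class / permission the rule refers to; they exist in the base policy.
write_te() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type httpd_t;
    type http_port_t;
    class tcp_socket name_connect;
}

# Exactly the permission the AVC asked for: nginx (running as httpd_t) may
# connect to TCP ports labelled http_port_t, which covers port 80, so that
# OCSP stapling can reach the responder.
allow httpd_t http_port_t:tcp_socket name_connect;
EOF
}

# Compile the .te into a loadable .pp and install it. Nothing in the base
# policy is rebuilt; the module is layered on top. Takes a working directory.
build_and_load() {
    dir=$1
    write_te > "${dir}/${MODNAME}.te"
    checkmodule -M -m -o "${dir}/${MODNAME}.mod" "${dir}/${MODNAME}.te"
    semodule_package -o "${dir}/${MODNAME}.pp" -m "${dir}/${MODNAME}.mod"
    semodule -i "${dir}/${MODNAME}.pp"
}

# Confirm the rule is now in the loaded policy (sesearch comes from setools).
check_rule() {
    sesearch -A -s httpd_t -t http_port_t -c tcp_socket -p name_connect
}

# Only attempt the build on a host that actually has the SELinux toolchain;
# elsewhere the functions above are still defined and write_te still works.
if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    build_and_load "$workdir"
    command -v sesearch >/dev/null 2>&1 && check_rule
    rm -rf "$workdir"
fi
```

Two caveats a practitioner should keep in mind. First, the allow line must match the AVC field for field (source type httpd_t, target type http_port_t, class tcp_socket, permission name_connect); if the responder listens on a port that is not labelled http_port_t, the next denial will name a different tcontext and need its own rule. Second, the stock policy already has a boolean narrower than httpd_can_network_connect for this case: httpd_can_network_relay permits httpd_t to connect to http_port_t (among a few other web-related port types), so setting it with setsebool -P is an alternative to a custom module if that slightly wider grant is acceptable. Removing the module later is semodule -r nginx_ocsp.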