SELinux: Allow httpd to connect to http_port_t type port

I’m running NGINX with the option ssl_stapling on. It attempts to make a connection to an OCSP responder’s port 80, which is denied by SELinux.
From the documentation [1] [2], it seems that the best way is to enable the httpd_can_network_connect boolean. However, the boolean contains many rules, and I only really need this one: allow httpd_t http_port_t:tcp_socket name_connect;

Is it possible to use only that allow rule, without having to recompile the policy?

Also, the top answer here says the Apache server is allowed access to http_port_t? I think both Apache and NGINX are of the httpd type? But my NGINX server is not allowed to connect to port 80:

avc: denied { name_connect } for pid=12345 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0


Passing the AVC message to audit2allow shows several booleans, including this one:

> sesearch -A -b httpd_graceful_shutdown
allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_graceful_shutdown ]:True

It seems to work for me:

sudo semanage boolean -m -1 httpd_graceful_shutdown
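As an added example (not code from the thread), a small Python script that does by hand what audit2allow and sesearch do in the answer above: it parses the AVC denial quoted in the question into the minimal allow rule, then scans sesearch -A output to find which booleans gate that rule and their current state. The sesearch lines and the boolean states in them are constructed sample data, not output from a real system.

```python
import re

# Constructed sample input: the AVC denial quoted in the question.
AVC_LINE = ('avc: denied { name_connect } for pid=12345 comm="nginx" dest=80 '
            'scontext=system_u:system_r:httpd_t:s0 '
            'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0')

# Constructed sample of `sesearch -A -s httpd_t -t http_port_t -c tcp_socket` output.
# Conditional rules carry a trailing "[ boolean ]:state", as in the answer.
SESEARCH_OUTPUT = """\
allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_can_network_connect ]:False
allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_graceful_shutdown ]:False
allow httpd_t http_port_t:tcp_socket { name_bind };
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def rule_from_avc(line):
    """Reduce an AVC denial to (source_type, target_type, class, perms),
    i.e. the minimal allow rule audit2allow would generate for it."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    stype = m.group('s').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('t').split(':')[2]
    perms = tuple(sorted(m.group('perms').split()))
    return (stype, ttype, m.group('cls'), perms)

RULE_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);'
                     r'(?:\s*\[\s*(\S+)\s*\]:(True|False))?\s*$')

def booleans_granting(rule, sesearch_text):
    """Map each boolean whose conditional rule would grant `rule` to its
    current state. A key of None means an unconditional rule already grants it."""
    stype, ttype, cls, perms = rule
    found = {}
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        s, t, c, p, boolean, state = m.groups()
        granted = set(p.strip('{} ').split())
        if (s, t, c) == (stype, ttype, cls) and set(perms) <= granted:
            found[boolean] = (state == 'True') if boolean else None
    return found
```

Any boolean reported as False is a candidate for semanage boolean -m -1, and comparing the candidates' full rule sets with sesearch -A -b shows which one is the narrowest.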