nginx: no permission to bind port 8090 but it binds to 80 and 8080


This will most likely be related to SELinux.

semanage port -l | grep http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

As you can see from the output above, with SELinux in enforcing mode http is only allowed to bind to the listed ports. The solution is to add the ports you want to bind on to the list:

semanage port -a -t http_port_t  -p tcp 8090

will add port 8090 to the list.

Author by

frans

Updated on September 18, 2022
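
A check to run before the `semanage port -a` step in the answer, added here as an example (not code from the answer): it parses `semanage port -l` output and reports which SELinux port type, if any, already covers a port, including `lo-hi` ranges. The function names and the embedded sample output are constructed; the `http_cache_port_t` line is an assumption about a typical Fedora targeted policy.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output. The http_port_t line is the
# one quoted in the answer; the http_cache_port_t line is an assumption
# (typical of a Fedora targeted policy) included to exercise range parsing.
sample_port_list() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
}

# types_for_port PROTO PORT
# Reads `semanage port -l` output on stdin and prints every SELinux port type
# whose port list contains PORT, one per line. Handles "lo-hi" ranges.
types_for_port() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # drop the list separator
                n = split(entry, r, "-")      # "10001-10010" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# advise PROTO PORT
# Prints the semanage command from the answer only when no type covers the
# port yet; otherwise reports the label that already exists.
advise() {
    found=$(types_for_port "$1" "$2")
    if [ -z "$found" ]; then
        echo "semanage port -a -t http_port_t -p $1 $2"
    else
        echo "already labeled: $found"
    fi
}

# Offline run against the constructed sample; on a real host use:
#   semanage port -l | advise tcp 8090
sample_port_list | advise tcp 8090
```
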

Comments

  • frans
    frans over 1 year

    I'm struggling with some strange permission related behavior: when I configure nginx to listen to port 8080 everything works as expected, but when I use any other port I get something like

    2014/01/10 09:20:02 [emerg] 30181#0: bind() to 0.0.0.0:8090 failed (13: Permission denied)
    

    in /var/log/nginx/error.log

    I have no clue where to look, so I don't really know what parts of the configuration might be interesting.

    In nginx.conf, nginx is configured to run as nginx:

    user  nginx;
    

    Also, user nginx is in another group, 'git'.

    In the site config I tried to listen like this:

    server {
        listen 8090; #does not work
        #listen 8080; #works
        #listen 9090; #does not work
        #listen 9090 default; #does not work either
        #listen 80; #works!
        server_name <some IP>;
        ...
    }
    

    I have only one more listener which serves port 443.

    When I start some other service e.g. a SimpleHTTPServer on port 8090 etc. as non-root everything works fine:

    $ python -m SimpleHTTPServer 8090
    Serving HTTP on 0.0.0.0 port 8090 ...
    localhost.localdomain - - [10/Jan/2014 09:34:19] "GET / HTTP/1.1" 200 -
    

    What can the reasons be for denied permissions in general?

    System is Fedora 18; nginx is stock Fedora 1.2.9.

    • frans
      frans over 10 years
      This is not very helpful. Fedora 18 is still supported, and even if it wasn't, the Linux permission system hasn't changed totally since then.
    • Michael Hampton
      Michael Hampton over 10 years
      Yes...for another four days.
  • frans
    frans over 10 years
    That's been it, thanks! But why is there so little information? I would guess other people use Fedora with SELinux, too.
  • user9517
    user9517 over 10 years
    @frans: There is plenty of information, you're just not aware of it or how to access and use it. If you have SELinux in enforcing or permissive mode then all denials are logged to /var/log/audit.log. There are tools available that allow you to filter, understand and manage the information and SELinux policy - have a look at the Fedora SELinux pages and the manpages for ausearch, audit2why, audit2allow.
  • mwfearnley
    mwfearnley over 5 years
    If you get semanage: command not found, you can install it with yum install policycoreutils-python.
  • MaxiWheat
    MaxiWheat over 4 years
    8080 is not listed for http_port_t but still it works, any idea why?
  • S.K. Venkat
    S.K. Venkat over 3 years
    @mwfearnley, please mention the CentOS version you have tried to resolve the semanage: command not found issue in your comment, to make sure users are using the correct package name. For CentOS 8, semanage is provided by this command: yum install -y policycoreutils-python-utils
  • mwfearnley
    mwfearnley over 3 years
    @S.K.Venkat thanks. It would have been CentOS 7; 8 wasn’t out then. Maybe I should have just suggested yum provides semanage...