{"id":3184,"date":"2025-11-23T11:38:13","date_gmt":"2025-11-23T02:38:13","guid":{"rendered":"https:\/\/weblog.hirohiro716.com\/?p=3184"},"modified":"2025-11-23T11:38:13","modified_gmt":"2025-11-23T02:38:13","slug":"nginx%e3%83%aa%e3%83%90%e3%83%bc%e3%82%b9%e3%83%97%e3%83%ad%e3%82%ad%e3%82%b7%e3%81%a7node-js%e3%81%aelocalhost3000%e3%81%ab%e8%bb%a2%e9%80%81%e3%81%99%e3%82%8b%e9%9a%9b%e3%81%aeselinux%e3%83%9d","status":"publish","type":"post","link":"https:\/\/weblog.hirohiro716.com\/?p=3184","title":{"rendered":"Nginx\u30ea\u30d0\u30fc\u30b9\u30d7\u30ed\u30ad\u30b7\u3067Node.js\u306elocalhost:3000\u306b\u8ee2\u9001\u3059\u308b\u969b\u306eSELinux\u30dd\u30ea\u30b7\u30fc\u8a2d\u5b9a"},"content":{"rendered":"<pre class=\"brush: plain; title: \u74b0\u5883; notranslate\" title=\"\u74b0\u5883\">\r\nAlmaLinux release 9.6 (Sage Margay)\r\nNginx 1.20.1\r\n<\/pre>\n<p style=\"margin-top:2em;\">\n\u8a2d\u5b9a\u306f\u5408\u3063\u3066\u3044\u308b\u306f\u305a\u306a\u306e\u306b502\u304c\u51fa\u308b\u3002\u30ed\u30b0\u3092\u898b\u308b\u3068SELinux\u304c\u62d2\u5426\u3057\u3066\u305f\u3002\n<\/p>\n<pre class=\"brush: plain; title: \/var\/log\/audit\/audit.log; notranslate\" title=\"\/var\/log\/audit\/audit.log\">\r\ntype=SYSCALL msg=audit(1763858348.697:40247): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=561d98fc5f50 a2=1c a3=7ffd7b53fa8c items=0 ppid=14332 pid=14595 auid=4294967295 uid=995 gid=995 euid=995 suid=995 fsuid=995 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=&quot;nginx&quot; exe=&quot;\/usr\/sbin\/nginx&quot; subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID=&quot;unset&quot; UID=&quot;nginx&quot; GID=&quot;nginx&quot; EUID=&quot;nginx&quot; SUID=&quot;nginx&quot; FSUID=&quot;nginx&quot; EGID=&quot;nginx&quot; SGID=&quot;nginx&quot; FSGID=&quot;nginx&quot;\r\ntype=AVC msg=audit(1763858382.883:40265): avc:  denied  { name_connect } for  pid=14595 comm=&quot;nginx&quot; dest=3000 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0\r\n<\/pre>\n<p style=\"margin-top:2em;\">\n\u62d2\u5426\u64cd\u4f5c\u30ed\u30b0\u3092\u5143\u306b\u30dd\u30ea\u30b7\u30fc\u8a31\u53ef\u30eb\u30fc\u30eb\u3092\u751f\u6210\u3067\u304d\u308b\u3089\u3057\u3044\u3002\u5fc5\u8981\u306a\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002\n<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# dnf install policycoreutils-python-utils\r\n<\/pre>\n<p style=\"margin-top:2em;\">\n\u62d2\u5426\u64cd\u4f5c\u30ed\u30b0\u3092\u5143\u306b\u751f\u6210\u3067\u304d\u308b\u30eb\u30fc\u30eb\u3092\u78ba\u8a8d\u3059\u308b\u3002\n<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# cat \/var\/log\/audit\/audit.log | grep nginx | audit2allow -m nginx\r\n-----------------------------------------\r\nmodule nginx 1.0;\r\n\r\nrequire {\r\n\ttype ntop_port_t;\r\n\ttype httpd_t;\r\n\tclass tcp_socket name_connect;\r\n}\r\n\r\n#============= httpd_t ==============\r\n\r\n#!!!! 
This avc is allowed in the current policy\r\nallow httpd_t ntop_port_t:tcp_socket name_connect;\r\n<\/pre>\n<p style=\"margin-top:2em;\">\n\u30eb\u30fc\u30eb\u304c\u8868\u793a\u3055\u308c\u308c\u3070\u4f5c\u6210\u53ef\u80fd\u306a\u306e\u3067\u3001\u4e0b\u8a18\u30b3\u30de\u30f3\u30c9\u3067TypeEnforcement\u30d5\u30a1\u30a4\u30eb(.te)\u3068\u30dd\u30ea\u30b7\u30fc\u30d1\u30c3\u30b1\u30fc\u30b8\u30d5\u30a1\u30a4\u30eb(.pp)\u3092\u751f\u6210\u3059\u308b\u3002\u306a\u304a\u3001\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u30ed\u30b0\u306b\u3042\u308bnginx\u306e\u62d2\u5426\u64cd\u4f5c\u3059\u3079\u3066\u3092\u5143\u306b\u30eb\u30fc\u30eb\u3092\u751f\u6210\u3059\u308b\u306e\u3067\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u969b\u306f.te\u30d5\u30a1\u30a4\u30eb\u306e\u30eb\u30fc\u30eb\u304c\u5fc5\u8981\u306a\u3082\u306e\u3060\u3051\u3067\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3002\n<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# cat \/var\/log\/audit\/audit.log | grep nginx | audit2allow -M nginx\r\n<\/pre>\n<p style=\"margin-top:2em;\">\n\u4f5c\u6210\u3055\u308c\u305f\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u5b8c\u4e86\u5f8c\u306f\u4e0d\u8981\u306a\u306e\u3067\u524a\u9664\u3059\u308b\u3002\n<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# semodule -i nginx.pp\r\n# rm nginx.pp nginx.te\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>AlmaLinux release 9.6 (Sage Margay) Nginx 1.20.1 \u8a2d\u5b9a\u306f\u5408\u3063\u3066\u3044\u308b\u306f\u305a\u306a\u306e\u306b502\u304c\u51fa\u308b\u3002\u30ed\u30b0\u3092\u898b\u308b\u3068SELinux\u304c\u62d2\u5426\u3057\u3066\u305f\u3002 type=SYSCALL msg=aud 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31],"tags":[],"class_list":["post-3184","post","type-post","status-publish","format-standard","hentry","category-almalinux"],"views":225,"_links":{"self":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts\/3184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3184"}],"version-history":[{"count":3,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts\/3184\/revisions"}],"predecessor-version":[{"id":3187,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts\/3184\/revisions\/3187"}],"wp:attachment":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}