SELinux is a security system on Linux distributions such as Fedora 44 or Red Hat that many people find annoying, because it blocks things they want to do. If you try to run the Nginx web server on a non-standard port such as 8888, SELinux will block it and Nginx will report permission denied. This block is called an AVC denial. Many people get frustrated and simply turn SELinux off, which is very bad for security. Instead of turning it off, you can use two programs, setroubleshootd and sealert, to find out why SELinux blocked you and how to fix it. These tools are very helpful because they read the hard-to-read audit logs and tell you the exact command you need to type to make it work.
The system has a background daemon called setroubleshootd that watches the audit log all the time. Every time SELinux blocks something, this daemon runs a set of small helper programs called plugins. Each plugin looks at the denial, tries to work out how to fix it, and then gives a confidence score to show how sure it is about its fix. For example, if you try to use port 8888 for Nginx, a plugin named bind_ports will look at the denial and report that it is very sure you need to allow this port; it gives a score of 92.2 confidence, which is very high. Another plugin named catchall is like a lazy helper that does not know the real problem, so it just suggests using a tool called audit2allow to generate a policy that allows whatever was denied, and it reports a low confidence.
If you want to troubleshoot this on your own computer, follow these steps. I have written them down so you can fix your server easily.
Step 1: Install the troubleshoot tools
Sometimes your Linux does not have these tools installed by default, so you need to install them first. On Fedora, CentOS or Red Hat, open a terminal and type this command:
sudo dnf install setroubleshoot-server setroubleshoot-plugins
Type your password and wait for the download to finish. If the packages are already installed, the terminal will tell you there is nothing to do. That is fine; go on to the next step.
Step 2: Look at the SELinux logs with sealert
Now ask sealert to read the audit log file and find the denials. The audit log is the file /var/log/audit/audit.log. It contains a great deal of text and is very hard for a human to read, but sealert can make it simple. Run this command to see the first 20 lines of the analysis:
sudo sealert -a /var/log/audit/audit.log | head -20
When you run this, the tool analyzes all the denials. In the output you will see something like "SELinux is preventing nginx from binding to port 8888". Below that, it shows the plugins that tried to solve the problem.
Step 3: Read the plugin suggestions and confidence score
In the output from the command in Step 2, look for the confidence score. It looks like this:
Plugin bind_ports (92.2 confidence) suggests:
semanage port -a -t http_port_t -p tcp 8888
This is the best suggestion because the score, 92.2, is very high. The bind_ports plugin knows that Nginx is a web server and that web servers use a port type called http_port_t. It tells you that port 8888 does not carry this type, so you must add it.
But if you look further down, you will see another suggestion:
Plugin catchall (1.4 confidence) suggests:
audit2allow -a
This score, 1.4, is very low. Do not use this suggestion: audit2allow will build a custom policy that allows everything that was denied, which can make your server unsafe. Only use the suggestion with the highest score.
Step 4: Run the fix command
Now copy the command that the high-confidence plugin gave you. For our port 8888 problem, the command is:
sudo semanage port -a -t http_port_t -p tcp 8888
In this command, -a means add a new rule, -t http_port_t means label the port as a web server port, -p tcp means the protocol is TCP, and 8888 is the port number you want to use. After you run this command it may take a few seconds, because SELinux is updating its policy database. Do not close the terminal; just wait.
Step 5: Verify the port is added
After the command finishes, check that SELinux now knows about your new port. You can list all the ports that are allowed for web servers by running this command:
semanage port -l | grep http_port_t
You will see a list of ports in the output, something like http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 8888. If 8888 is in the list, you did it correctly and Nginx can now start on port 8888 without being blocked by SELinux.
Step 6: Use ausearch for fast automation
The sealert command is very good when you are sitting at the computer looking at the screen. But if you are writing a script or want to automate things, sealert is too slow, because the background daemon lags behind the log. If you want a faster way to search the log directly without that lag, use ausearch.
Run this command to see the raw AVC denials quickly:
sudo ausearch -m AVC -ts recent
-m AVC means you only want SELinux denials, and -ts recent means you only want events that happened just now. If you want the output to be easier to read, with real names instead of numbers, add -i, and use -if to specify the file:
sudo ausearch -i -if /var/log/audit/audit.log -m AVC
This command is much faster than sealert because it does not run any of the plugins; it just prints the raw denial records from the log file. It is very useful for sysadmins who can read raw logs and do not need the plugins' advice.
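As an added example (not part of the original post), here is a small shell script that does by hand what the bind_ports plugin does in Step 3 and what the check in Step 5 does: it reads one raw AVC record of the kind ausearch prints, prints the semanage port command only for a name_bind denial from a web server process, and checks a semanage port -l listing for the port. The AVC record and the listing are constructed samples so it runs offline, the function names are my own, and it assumes the web server runs in the standard httpd_t domain.

```shell
#!/bin/sh
# Constructed samples (pid, timestamp and serial are made up): a raw AVC record
# as ausearch -m AVC prints it, and two lines of "semanage port -l" output.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="nginx" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
SAMPLE_LISTING='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 8888
http_port_t                    udp      8888'

# Print the value of one key=value field (src, comm, tclass, ...) from an AVC record.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 \
        | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# Print the first permission inside the "{ ... }" braces, e.g. name_bind.
avc_permission() {
    perm=${1#*"{ "}
    printf '%s\n' "${perm%% *}"
}

# The conclusion the bind_ports plugin reaches for a web server: a name_bind
# denial for a process running as httpd_t on a tcp or udp socket means the
# port lacks the http_port_t label. Prints the semanage command for that case
# and prints nothing (exit 1) for any other denial, so a file or other
# denial never turns into a port rule.
suggest_fix_for_avc() {
    rec=$1
    [ "$(avc_permission "$rec")" = name_bind ] || return 1
    case "$(avc_field "$rec" scontext)" in *:httpd_t:*) ;; *) return 1 ;; esac
    port=$(avc_field "$rec" src)
    [ -n "$port" ] || return 1
    case "$(avc_field "$rec" tclass)" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac
    printf 'semanage port -a -t http_port_t -p %s %s\n' "$proto" "$port"
}

# Check a "semanage port -l" listing for an exact port entry under a type and
# protocol (port ranges such as 8000-9000 are not expanded by this check).
port_is_labeled() {
    # $1 = listing text, $2 = type, $3 = protocol, $4 = port number
    printf '%s\n' "$1" | grep "^$2[[:space:]]*$3[[:space:]]" | tr ',' ' ' \
        | grep -qw "$4"
}

suggest_fix_for_avc "$SAMPLE_AVC"
port_is_labeled "$SAMPLE_LISTING" http_port_t tcp 8888 && echo "tcp 8888 is labeled http_port_t"
```

To use it on a real system, feed it the records from sudo ausearch -m AVC -ts recent and the output of semanage port -l instead of the samples.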
Sometimes when you run these commands you may get an error saying semanage: command not found. If this happens, the policycoreutils-python package (policycoreutils-python-utils on current Fedora) is not installed. Install it by running sudo dnf install policycoreutils-python-utils and then try the commands again.
I think using these tools is much better than disabling SELinux. Many people run setenforce 0 when they hit a problem, but that is dangerous because it turns off all of the protection. If you spend just two minutes running sealert, you can find the exact command that fixes the problem properly and your server stays safe. It is not very hard once you learn how to read the confidence scores.
To conclude: when SELinux blocks your programs, you do not need to panic or turn off security. Run sealert -a on your audit log to see what is wrong, look for the plugin with the highest confidence score (usually bind_ports for port errors), and run the command it suggests. If you need to write scripts or want fast results, use ausearch -i to bypass the slow daemon. This keeps your system secure and your applications working.
