
Refocus nginx-broken lab on SELinux denial for custom HTTP port 8080 #35

Closed
Copilot wants to merge 3 commits into main from copilot/lab-idea-selinux-nginx-port

Copilot AI commented Jun 5, 2026

Description

This updates the existing nginx lab to match the SELinux custom-port failure mode: nginx is configured on 8080, but SELinux policy does not permit HTTP service on that port. The lab now teaches diagnosis via AVC/audit evidence and remediation via http_port_t mapping.

  • Scenario + metadata alignment

    • Renamed lab to SELinux Denies Nginx on Custom Port
    • Switched exposed service from 80 to 8080
    • Updated objectives/tags to SELinux-focused troubleshooting and port labeling
  • Break condition in provisioning

    • cloud-init.yaml now:
      • configures nginx to listen on 8080
      • installs SELinux/audit tooling (semanage, audit utilities)
      • removes http_port_t mapping for tcp/8080 to create the denial
  • Resolution path + verification contract

    • question.md and solution.md now direct users to:
      • inspect AVC denials
      • inspect SELinux port contexts
      • add/modify http_port_t for tcp/8080
    • verify.sh now asserts:
      • nginx active
      • listener on 8080
      • SELinux http_port_t includes 8080
      • HTTP response on 127.0.0.1:8080
  • CI-required lab fix script

    • Added solution.sh for automated remediation in CI:
      • enforce nginx listen on 8080
      • apply http_port_t mapping for tcp/8080
      • restart nginx

```shell
# Core SELinux remediation taught/enforced by the lab
semanage port -a -t http_port_t -p tcp 8080 || \
semanage port -m -t http_port_t -p tcp 8080
```

Type of change

  • Bug fix
  • New feature
  • New Lab

Lab Requirements (If submitting a new lab)

If you are submitting a new BrokenOps lab, please verify:

  • The lab.yaml is fully populated.
  • The cloud-init.yaml correctly breaks the environment.
  • The verify.sh script correctly asserts if the environment is fixed.
  • MANDATORY: A working solution.sh script is provided to automatically fix the environment. (This is required for our CI verification pipeline).

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
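
An added example, not part of this pull request or the lab's own `verify.sh`: one way to make the "inspect AVC denials" and "`http_port_t` includes 8080" checks exact rather than substring matches. The function names, the `other_http_port_t` type and all sample text are constructed for illustration; on a real host the input would come from `semanage port -l` and the audit log.

```shell
#!/bin/sh
# Added example, not the lab's verify.sh. All sample text is constructed.

# port_in_type TYPE PROTO PORT
# Reads `semanage port -l` text on stdin. Succeeds only when the row whose
# type is exactly TYPE lists PORT, alone or inside a LOW-HIGH range.
port_in_type() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# denied_bind_ports COMM
# Reads audit log text on stdin and prints, one per line, each TCP port on
# which a process named COMM was denied the name_bind permission.
denied_bind_ports() {
    awk -v comm="$1" '
        /avc: +denied/ && /name_bind/ && /tclass=tcp_socket/ &&
        index($0, "comm=\"" comm "\"") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=[0-9]+$/) print substr($i, 5)
        }' | sort -un
}

# Constructed listing: 8080 appears only under a different (hypothetical)
# type and as a substring of 18080, so grep "http_port_t.*8080" would pass.
sample_ports_broken() { cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 8008-8010, 18080
other_http_port_t              tcp      8080
EOF
}

# Constructed records in the layout of audit.log AVC entries.
sample_audit() { cat <<'EOF'
type=AVC msg=audit(1780669200.100:301): avc:  denied  { name_bind } for  pid=2211 comm="nginx" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1780669201.100:302): avc:  denied  { read } for  pid=2300 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}
```

On a live system the equivalent calls would be `semanage port -l | port_in_type http_port_t tcp 8080` and `ausearch -m avc --raw | denied_bind_ports nginx`.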

Copilot AI linked an issue Jun 5, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Fix SELinux policy to allow Nginx on custom port 8080" to "Refocus nginx-broken lab on SELinux denial for custom HTTP port 8080" Jun 5, 2026
Copilot finished work on behalf of HimanM June 5, 2026 14:22
Copilot AI requested a review from HimanM June 5, 2026 14:22
@HimanM HimanM marked this pull request as ready for review June 5, 2026 14:28
HimanM

This comment was marked as outdated.

@HimanM HimanM left a comment

The CI Verify Labs must pass.

Successfully merging this pull request may close these issues.

[LAB IDEA] SELinux Denies Nginx on Custom Port
