CentOS 6.6, SELinux breaks Nginx 1.6.0
nginx-forum at nginx.us
Sat Nov 1 16:47:32 UTC 2014
I've verified that the update to CentOS 6.6 does indeed relabel nginx-
related directories/files during yum update. And a restart of the nginx
process will now have the label "httpd_t". Someone in RH decided to make the
nginx webserver follow the same SELinux policy rules as Apache.
OK, that works fine so long as all the needed directories/files are in the
expected places. It also opens up some standard approaches for common
options. For example,
I place my web site files under /home/webs/. I can make that work by setting
a boolean (the -P makes this persist across reboots):
# setsebool -P httpd_enable_homedirs on
I also wanted to use a non-standard port 8088 for PHPMyAdmin. I achieve that:
# semanage port -a -t http_port_t -p tcp 8088
I want to place my log files in a new location, not /var/log/nginx. I can
use the semanage and restorecon lines shown above by bdwyertech, and that
works fine for nginx. But logrotate and logwatch fail. So now I need to
create new policies for them using the same audit2allow approach that you
already mentioned but with different policy names.
I use a Unix socket to connect with php-fpm. That has to be in a standard
directory too. For now I put it in /var/run/.
Finally, PHPMyAdmin uses PHP sessions and my session directory is in a
non-standard location. Again I had to use semanage and restorecon to make
the session directory usable.
Whew! It all works now.
In future, perhaps I should let all directories/files stay in their default
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254511#msg-254511
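
Added example, not part of the original post: after moving logs to a non-standard directory, this groups AVC denials by source domain so it is clear which processes (nginx under httpd_t, logrotate, logwatch) each need their own relabel or audit2allow module. The sample lines are constructed, and the logrotate_t, logwatch_t and default_t types in them are assumptions.

```shell
#!/bin/sh
# Constructed sample in audit.log AVC format; pids, inodes, file names and
# the logrotate_t/logwatch_t/default_t types are assumptions for illustration.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1414860452.101:201): avc:  denied  { write } for  pid=2101 comm="nginx" name="access.log" dev=dm-0 ino=5001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1414860452.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1414860460.330:207): avc:  denied  { write } for  pid=2101 comm="nginx" name="error.log" dev=dm-0 ino=5002 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1414897201.512:340): avc:  denied  { read } for  pid=3120 comm="logrotate" name="access.log" dev=dm-0 ino=5001 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1414897260.044:352): avc:  denied  { search } for  pid=3188 comm="logwatch" name="logs" dev=dm-0 ino=4990 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
EOF
}

# Read audit records on stdin; print "count source_domain target_type class perms".
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      src = tgt = cls = perms = ""
      # Permission set sits between "{ " and " }".
      if (match($0, /\{[^}]*\}/)) {
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        # Contexts are user:role:type:level, so the type is the third part.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2
}

# Distinct source domains that were denied: one policy decision per domain.
denied_domains() {
  summarize_avc | awk '{ print $2 }' | LC_ALL=C sort -u
}

sample_avc | summarize_avc
```

On a real host the same functions can read /var/log/audit/audit.log on stdin instead of the sample.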