CentOS 6.6, SELinux breaks Nginx 1.6.0

richardm nginx-forum at nginx.us
Sat Nov 1 16:47:32 UTC 2014


I've verified that the update to CentOS 6.6 does indeed relabel nginx
related directories/files during yum update. And a restart of the nginx
process will now have the label "httpd_t". Someone in RH decided to make the
nginx webserver follow the same SELinux policy rules as Apache. 

OK, that works fine so long as all the needed directories/files are in the
expected places. It also opens up some standard approaches for common
options. For example,

I place my web site files under /home/webs/. I can make that work by setting
a boolean (the -P makes this persist across reboots)
       # setsebool -P httpd_enable_homedirs on


I also wanted to use a non-standard port 8088 for PHPMyAdmin. I achieve that
with
       # semanage port -a -t http_port_t -p tcp 8088

Other things:
I want to place my log files in a new location, not /var/log/nginx. I can
use the semanage and restorecon lines shown above by bdwyertech, and that
works fine for nginx. But logrotate and logwatch fail. So now I need to
create new policies for them using the same audit2allow approach that you
already mentioned but with different policy names.

I use a unix socket to connect with php-fpm. That has to be in a standard
directory too. For now I put it in /var/run/. 

Finally, PHPMyAdmin uses PHP sessions and my session directory is in a
non-standard location. Again I had to use semanage and restorecon to make
the session directory usable. 

Whew! It all works now. 
In future, perhaps I should let all directories/files stay in their default
locations. 

Richard

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254511#msg-254511
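
Added example, not part of Richard's post: a Python sketch that groups SELinux AVC denials by source domain, which shows why nginx (now `httpd_t`), logrotate and logwatch each need their own fix when log files move to a non-default directory. The audit records, the `/example/logs` path and the `default_t` target type are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: pids, inodes, timestamps, paths and the
# default_t target type are invented sample values, not taken from the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414860001.101:310): avc:  denied  { write } for  pid=2101 comm="nginx" name="access.log" dev=dm-0 ino=9001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1414860001.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1414860002.202:311): avc:  denied  { open } for  pid=2101 comm="nginx" name="access.log" dev=dm-0 ino=9001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1414863601.303:340): avc:  denied  { getattr } for  pid=3050 comm="logrotate" path="/example/logs" dev=dm-0 ino=9000 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1414863601.404:341): avc:  denied  { read } for  pid=3050 comm="logrotate" name="access.log" dev=dm-0 ino=9001 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1414867201.505:360): avc:  denied  { read } for  pid=3300 comm="logwatch" name="access.log" dev=dm-0 ino=9001 scontext=system_u:system_r:logwatch_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1414867300.606:361): avc:  denied  { read } for  pid=1 comm="truncated"
"""

# Matches the permission set and the three fields audit2allow keys on.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarize_denials(text):
    """Map source domain -> {(target type, class): sorted permissions denied}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no AVC decision
        match = AVC_RE.search(line)
        if not match:
            continue  # truncated or malformed record: skip rather than guess
        source = selinux_type(match["scontext"])
        target = selinux_type(match["tcontext"])
        if source is None or target is None:
            continue
        summary[source][(target, match["tclass"])].update(match["perms"].split())
    return {s: {k: sorted(v) for k, v in t.items()} for s, t in summary.items()}


if __name__ == "__main__":
    for domain, targets in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        for (ttype, tclass), perms in sorted(targets.items()):
            print(f"{domain} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

Each source domain in the result corresponds to one confined program, which matches the post's point that logrotate and logwatch need their own audit2allow policies with different names.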
