CentOS 6.6, SELinux breaks Nginx 1.6.0

mevans336 nginx-forum at nginx.us
Thu Oct 30 14:48:32 UTC 2014

We have been successfully running Nginx installed from the official Nginx
CentOS repositories for ages. Last night I upgraded two of my Nginx 1.6.0
servers from CentOS 6.5 to CentOS 6.6 and SELinux immediately broke just
about everything with Nginx. At first it wouldn't let it read the SSL certs,
then it wouldn't allow it to read the proxy upstream server. The only way I
can get it working is to disable SELinux via setenforce 0, which is a no-no
because these servers are internet facing.

I have a lengthy post in the CentOS forums which you can see here:

I will try and summarize some of the errors:

[root at host ssl]# service nginx restart
nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed
(SSL: error:0200100D:system library:fopen:Permission
denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO
routines:BIO_new_file:system lib)

I was able to work around this by copying the files into /etc/nginx/ssl.
Attempting to use a restorecon on /srv/ssl didn't resolve the issue. After
making the change above, Nginx will successfully start, but then receives
the following error when trying to proxy to my upstream server:

2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to failed
(13: Permission denied) while connecting to upstream, client:,
server: dev.upstream, request: "GET /home HTTP/1.1", upstream:
"", host: "dev.upstream.com"

In the latter case, disabling SELinux via setenforce 0 immediately resolves
the issue, without restarting the Nginx daemon.

Another user in my CentOS thread is reporting the same behavior and I am
seeing it on two independent Nginx servers as well. I attempted to uninstall
and re-install the Nginx package via the Nginx yum repository (hoping it
would restore the SELinux context) but that produced the same result.

Here is the output of ls -lrtZ /etc/nginx:

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0
drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254456#msg-254456

More information about the nginx mailing list