CentOS 6.6, SELinux breaks Nginx 1.6.0

Dewangga dewanggaba at xtremenitro.org
Thu Oct 30 17:14:34 UTC 2014


Hi,

Something wrong with your policy?

$ cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

$ ls -lZ /etc/nginx/conf.d
-rw-r--r--. root root system_u:object_r:etc_t:s0       default.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0       default.conf-orig
-rw-r--r--. root root system_u:object_r:etc_t:s0       default.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0       example_ssl.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0       example_ssl.conf.orig
-rw-r--r--. root root system_u:object_r:etc_t:s0       pagespeed.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0       pagespeed.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0       proxy.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0       ssl.conf

IMHO, SELinux won't change your saved policy (unless you don't save it).

On 10/30/2014 21:48, mevans336 wrote:
> We have been successfully running Nginx installed from the official
> Nginx CentOS repositories for ages. Last night I upgraded two of my
> Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux
> immediately broke just about everything with Nginx. At first it
> wouldn't let it read the SSL certs, then it wouldn't allow it to
> read the proxy upstream server. The only way I can get it working
> is to disable SELinux via setenforce 0, which is a no-no because
> these servers are internet facing.
> 
> I have a lengthy post in the CentOS forums which you can see here: 
> https://www.centos.org/forums/viewtopic.php?f=13&t=49280
> 
> I will try and summarize some of the errors:
> 
> ----
> [root at host ssl]# service nginx restart
> nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
> ----
> 
> I was able to work around this by copying the files into
> /etc/nginx/ssl. Attempting to use a restorecon on /srv/ssl didn't
> resolve the issue. After making the change above, Nginx will
> successfully start, but then receives the following error when
> trying to proxy to my upstream server:
> 
> ----
> 2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
> ----
> 
> In the latter case, disabling SELinux via setenforce 0 immediately
> resolves the issue, without restarting the Nginx daemon.
> 
> Another user in my CentOS thread is reporting the same behavior and
> I am seeing it on two independent Nginx servers as well. I
> attempted to uninstall and re-install the Nginx package via the
> Nginx yum repository (hoping it would restore the SELinux context)
> but that produced the same result.
> 
> Here is the output of ls -lrtZ /etc/nginx:
> 
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
> drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
> -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
> 
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254456,254456#msg-254456
> 
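The two denials in the quoted report (nginx refused to read a certificate under /srv/ssl, then refused to connect() to the upstream on port 8080) are both standard AVC denials that `ausearch -m avc -c nginx` or /var/log/audit/audit.log would show, and each has a narrower fix than `setenforce 0`. The script below is an added example, not code from this thread or from the nginx project. It assumes the CentOS 6 targeted policy, in which nginx runs confined as httpd_t and so uses the same file types and booleans as Apache, and it assumes the two audit lines embedded in it, which are constructed to mirror the thread's errors (the pid, inode and port type values are made up). It prints the suggested command for each denial rather than running it, so it can be read and checked before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread): map SELinux AVC denials of the two
# kinds reported above to the narrowest fix. Assumes the CentOS 6 targeted
# policy, where nginx runs as httpd_t. Nothing here is executed against the
# system; each suggestion is printed for the admin to review.
set -u

# CONSTRUCTED sample denials, shaped like real audit.log AVC records.
AVC_CERT='type=AVC msg=audit(1414614927.231:901): avc:  denied  { read } for  pid=4407 comm="nginx" name="cert-rekey.crt" dev=dm-0 ino=131586 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'
AVC_UPSTREAM='type=AVC msg=audit(1414614927.512:902): avc:  denied  { name_connect } for  pid=4407 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of KEY=... in LINE (surrounding quotes
# stripped), or the empty string when KEY is absent.
avc_field() {
    rest=${1#*"$2"=}
    [ "$rest" = "$1" ] && return 0
    rest=${rest#\"}
    printf '%s\n' "${rest%%[\" ]*}"
}

# avc_perm LINE -> first permission inside "denied { ... }".
avc_perm() {
    rest=${1#*'{ '}
    printf '%s\n' "${rest%% *}"
}

# avc_target_type LINE -> the TYPE part of tcontext (user:role:TYPE:level).
avc_target_type() {
    t=$(avc_field "$1" tcontext)
    t=${t#*:*:}
    printf '%s\n' "${t%%:*}"
}

# avc_is_httpd LINE -> success when the denied process runs in httpd_t,
# i.e. the denial concerns nginx (or Apache) and the httpd_* fixes apply.
avc_is_httpd() {
    case "$(avc_field "$1" scontext)" in
        *:httpd_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_suggest LINE [PATH] -> one command line that resolves the denial.
# PATH is the directory holding the file named in a file denial; the AVC
# record carries only the basename, so the admin supplies it (/srv/ssl here).
avc_suggest() {
    line=$1
    path=${2:-}
    tclass=$(avc_field "$line" tclass)
    ttype=$(avc_target_type "$line")
    perm=$(avc_perm "$line")
    case "$tclass:$perm" in
        tcp_socket:name_connect)
            # Proxying to an upstream port is governed by a boolean, so no
            # policy module is needed. httpd_can_network_relay is enough when
            # the port already has an http port type; otherwise fall back to
            # the broader httpd_can_network_connect.
            case "$ttype" in
                http_port_t|http_cache_port_t)
                    printf '%s\n' "setsebool -P httpd_can_network_relay on" ;;
                *)
                    printf '%s\n' "setsebool -P httpd_can_network_connect on" ;;
            esac ;;
        file:read|file:open|file:getattr|lnk_file:read|dir:search)
            # Files under /srv get the generic var_t label by default, and no
            # file-context rule exists for /srv/ssl, which is why restorecon
            # alone changed nothing in the thread. Register a context first
            # (cert_t is readable by httpd_t), then relabel.
            if [ -z "$path" ]; then
                printf '%s\n' "error: file denial needs a PATH argument" >&2
                return 1
            fi
            printf '%s\n' "semanage fcontext -a -t cert_t '${path}(/.*)?' && restorecon -Rv ${path}" ;;
        *)
            printf '%s\n' "# unhandled denial: tclass=$tclass perm=$perm target=$ttype" ;;
    esac
}

# Walk the constructed samples the way you would walk ausearch output.
for l in "$AVC_CERT" "$AVC_UPSTREAM"; do
    avc_is_httpd "$l" && avc_suggest "$l" /srv/ssl
done
```

The file-context branch also explains the workaround in the report: copying the certificate into /etc/nginx/ssl works because files created there inherit httpd_config_t, which httpd_t may read, while /srv/ssl stays var_t until a `semanage fcontext` rule exists for it. Both fixes survive a relabel and a reboot, unlike `setenforce 0` or a one-off `chcon`.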