CentOS 6.6, SELinux breaks Nginx 1.6.0
Dewangga
dewanggaba at xtremenitro.org
Thu Oct 30 17:14:34 UTC 2014
Hi,
Something wrong on your policy?
$ cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
$ ls -lZ /etc/nginx/conf.d
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf-orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf.orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 proxy.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 ssl.conf
IMHO, SELinux won't change your saved policy (unless you don't save it).
On 10/30/2014 21:48, mevans336 wrote:
> We have been successfully running Nginx installed from the official
> Nginx CentOS repositories for ages. Last night I upgraded two of my
> Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux
> immediately broke just about everything with Nginx. At first it
> wouldn't let it read the SSL certs, then it wouldn't allow it to
> read the proxy upstream server. The only way I can get it working
> is to disable SELinux via setenforce 0, which is a no-no because
> these servers are internet facing.
>
> I have a lengthy post in the CentOS forums which you can see here:
> https://www.centos.org/forums/viewtopic.php?f=13&t=49280
>
> I will try and summarize some of the errors:
>
> ----
> [root at host ssl]# service nginx restart
> nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
> ----
>
> I was able to work around this by copying the files into
> /etc/nginx/ssl. Attempting to use a restorecon on /srv/ssl didn't
> resolve the issue. After making the change above, Nginx will
> successfully start, but then receives the following error when
> trying to proxy to my upstream server:
>
> ----
> 2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
> ----
>
> In the latter case, disabling SELinux via setenforce 0 immediately
> resolves the issue, without restarting the Nginx daemon.
>
> Another user in my CentOS thread is reporting the same behavior and
> I am seeing it on two independent Nginx servers as well. I
> attempted to uninstall and re-install the Nginx package via the
> Nginx yum repository (hoping it would restore the SELinux context)
> but that produced the same result.
>
> Here is the output of ls -lrtZ /etc/nginx:
>
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
> drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
> -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254456,254456#msg-254456
>
>
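The two failures quoted in the thread (the cert under /srv/ssl that nginx cannot fopen, and the connect() to the upstream that returns EACCES) are the two classic SELinux denials for a proxying nginx on CentOS 6, and each has a different fix: a file-context rule for the first, a policy boolean for the second. The script below is an added example, not code from the thread or from the nginx project. It assumes the stock targeted policy (nginx runs as httpd_t), the usual tools (ls -Z, matchpathcon, ausearch/audit2why, semanage, restorecon, setsebool), and that cert_t, the type of /etc/pki/tls, is an acceptable label for the certificate directory; with DRY_RUN=1 (the default) it only prints the commands it would run. The two sample error lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Maps the two nginx errors quoted
# above to their SELinux cause and prints (DRY_RUN=1, default) or applies
# (DRY_RUN=0, as root) the usual fix. Assumes the CentOS 6 targeted policy,
# where nginx runs as httpd_t, and the standard policycoreutils tools.

DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Map an nginx error-log line to the kind of SELinux denial it indicates.
classify_nginx_error() {
  case "$1" in
    *'BIO_new_file('*'Permission denied'*)       echo file_label ;;
    *'connect() to '*'(13: Permission denied)'*) echo network_boolean ;;
    *)                                           echo unknown ;;
  esac
}

# Pull the denied path out of the fopen('...','r') part of the OpenSSL error.
cert_path_from_error() {
  printf '%s\n' "$1" | sed -n "s/.*fopen('\([^']*\)'.*/\1/p"
}

# Show the current label, the label the policy expects, and recent AVCs.
diagnose() {
  run ls -Z "$1"
  run matchpathcon "$1"
  run sh -c 'ausearch -m avc -ts recent | audit2why'
}

# Apply the fix for a denial kind.
#  file_label: add a persistent fcontext rule for the cert directory and
#    relabel. Assumption: cert_t (the type of /etc/pki/tls), which httpd_t
#    may read. A bare restorecon cannot help because the policy has no rule
#    that makes a directory under /srv readable by httpd_t.
#  network_boolean: let httpd_t open outbound TCP connections, which the
#    proxy to 10.0.3.15:8080 needs.
remediate() {
  kind=$1
  target=$2
  case "$kind" in
    file_label)
      run semanage fcontext -a -t cert_t "${target}(/.*)?"
      run restorecon -Rv "$target"
      ;;
    network_boolean)
      run setsebool -P httpd_can_network_connect on
      ;;
    *)
      echo "no known remediation for: $kind" >&2
      return 1
      ;;
  esac
}

# Sample input: the two error lines quoted in the thread.
CERT_ERR="nginx: [emerg] BIO_new_file(\"/srv/ssl/cert-rekey/cert-rekey.crt\") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)"
PROXY_ERR="2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: \"GET /home HTTP/1.1\", upstream: \"http://10.0.3.15:8080/home\", host: \"dev.upstream.com\""

for line in "$CERT_ERR" "$PROXY_ERR"; do
  kind=$(classify_nginx_error "$line")
  echo "== $kind"
  case "$kind" in
    file_label)
      cert=$(cert_path_from_error "$line")
      diagnose "$cert"
      remediate file_label "$(dirname "$cert")"
      ;;
    network_boolean)
      run getsebool httpd_can_network_connect
      remediate network_boolean
      ;;
  esac
done
```

Run it first with the default DRY_RUN=1 and read the plan, then with DRY_RUN=0 as root. The fcontext rule is what makes the fix survive the next restorecon or relabel, which is why copying the certs into /etc/nginx/ssl (inheriting httpd_config_t) works while restorecon on /srv/ssl does not. httpd_can_network_connect is deliberately broad (any outbound TCP); if the upstream port is already labelled for HTTP traffic, the narrower httpd_can_network_relay boolean may be enough, so check `semanage port -l | grep -w 8080` before choosing.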