Bug 1563635

Summary: Selinux blocks a first run of nginx
Product: [Fedora] Fedora
Reporter: James Hogarth <james.hogarth>
Component: nginx
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: adedominic, affix, anton4linux, athmanem, bperkins, esm, jeremy, jkaluza, jorton, luhliari, pavel.lisy, peter.borsa, santiago, tadej.j, wtogami
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nginx-1.12.1-8.fc28
Last Closed: 2018-06-18 16:17:03 UTC
Type: Bug

Description James Hogarth 2018-04-04 11:22:30 UTC
Description of problem:
Fresh install of F28 with nginx fails to start with systemctl start nginx



Version-Release number of selected component (if applicable):
nginx-1.12.1-5.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Ensure SELinux is enforcing
2. Install nginx
3. systemctl start nginx
4. ausearch -m AVC
5. setenforce 0
6. systemctl start nginx

Actual results:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-04-04 11:09:52 UTC; 5s ago
  Process: 10268 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
  Process: 10267 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)

Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: Starting The nginx HTTP and reverse proxy serv>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: [alert] could not open error log file>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: 2018/04/04 11:09:52 [warn] 10268#0: could no>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: the configuration file /etc/nginx/ngi>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: 2018/04/04 11:09:52 [emerg] 10268#0: mkdir()>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: configuration file /etc/nginx/nginx.c>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Control process exited, code=ex>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Failed with result 'exit-code'.
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: Failed to start The nginx HTTP and reverse pro>


Expected results:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-04-04 11:10:04 UTC; 2s ago
  Process: 10278 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 10277 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 10276 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 10279 (nginx)
    Tasks: 2 (limit: 4705)
   Memory: 2.2M
   CGroup: /system.slice/nginx.service
           ├─10279 nginx: master process /usr/sbin/nginx
           └─10280 nginx: worker process

Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: Starting The nginx HTTP and reverse proxy serv>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: [warn] could not build optimal types_>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: the configuration file /etc/nginx/ngi>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: configuration file /etc/nginx/nginx.c>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10278]: nginx: [warn] could not build optimal types_>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Failed to parse PID from file />
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: Started The nginx HTTP and reverse proxy serve>


Additional info:
type=AVC msg=audit(1522839197.971:737): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522839197.986:738): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840366.011:787): avc:  denied  { dac_override } for  pid=9747 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840365.996:786): avc:  denied  { dac_override } for  pid=9747 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840667.920:794): avc:  denied  { dac_override } for  pid=9785 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840667.935:795): avc:  denied  { dac_override } for  pid=9785 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840674.092:801): avc:  denied  { dac_override } for  pid=9793 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840674.107:802): avc:  denied  { dac_override } for  pid=9793 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840790.749:807): avc:  denied  { dac_override } for  pid=9804 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1

Interestingly, once it has been run once under permissive, it appears to start and stop fine regardless of SELinux status after that.
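
One way to triage AVC records like those in the report, as an added example that is not part of the original bug report: it parses each record, groups denials by command, source domain, class and permission, and separates enforced denials (`permissive=0`) from ones that were only logged (`permissive=1`). The function names are assumptions of this example; the three sample records are copied from the report above.

```python
import re
from collections import Counter

# Three AVC records copied from the report: two enforced, one permissive.
SAMPLE = """\
type=AVC msg=audit(1522839197.971:737): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522839197.986:738): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840790.749:807): avc:  denied  { dac_override } for  pid=9804 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)

def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": m["perms"].split()}
    # The remainder is key=value pairs; values may be double-quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = val.strip('"')
    return rec

def summarize(text):
    """Count denials per (comm, source domain, class, permission, enforced)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        domain = rec["scontext"].split(":")[2]    # user:role:type:level
        enforced = rec.get("permissive") == "0"   # "1" means logged only
        for perm in rec["perms"]:
            counts[(rec["comm"], domain, rec["tclass"], perm, enforced)] += 1
    return counts

def needs_dac_review(counts):
    """Domains denied a DAC-bypass capability: check file owner/mode first."""
    return sorted({dom for (_, dom, tclass, perm, _) in counts
                   if tclass == "capability"
                   and perm in ("dac_override", "dac_read_search")})

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, key)
    print("review file ownership/modes for:", needs_dac_review(summarize(SAMPLE)))
```

A `dac_override` denial in class `capability` means the process tried to rely on root's ability to bypass ordinary file ownership and mode checks. The first thing to inspect is therefore the ownership and mode of the files and directories the service touches, before considering any policy change.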

Comment 1 Fedora Update System 2018-05-14 13:45:54 UTC
nginx-1.12.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06

Comment 2 Fedora Update System 2018-05-14 20:40:10 UTC
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06

Comment 3 Fedora Update System 2018-06-18 16:17:03 UTC
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.