Bug 1573942

Summary: nginx fails on start
Product: [Fedora] Fedora Reporter: Luboš Uhliarik <luhliari>
Component: nginxAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: adedominic, bperkins, carl, davidr, dylan.m.taylor92, esm, jkaluza, jorton, luhliari, mathieu-acct, mmalik, optak, rhel8-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nginx-1.12.1-8.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1558420 Environment:
Last Closed: 2018-06-18 16:16:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1558420    
Bug Blocks:    

Description Luboš Uhliarik 2018-05-02 14:48:19 UTC 
Description of problem:
Permissions problems starting nginx (maybe SELinux?).

Version-Release number of selected component (if applicable):
nginx in F28

How reproducible:
always

Steps to Reproduce:
1. dnf install nginx
2. systemctl start nginx

Actual results:
fails

journalctl -r -u nginx

Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com systemd[1]: nginx.service: Failed with result 'exit-code'.
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com systemd[1]: nginx.service: Control process exited, code=exited status=1
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com nginx[1627]: nginx: configuration file /etc/nginx/nginx.conf test failed
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com nginx[1627]: 2018/03/20 04:13:06 [emerg] 1627#0: mkdir() "/var/lib/nginx/tmp/client_body" failed (13: Permis
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com nginx[1627]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com nginx[1627]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Per
Mar 20 04:13:06 qeos-5.lab.eng.rdu2.redhat.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Mar 20 04:13:03 qeos-5.lab.eng.rdu2.redhat.com systemd[1]: nginx.service: Unit cannot be reloaded because it is inactive.



Expected results:
works

Additional info:

ausearch says:

time->Tue Mar 20 04:13:06 2018
type=AVC msg=audit(1521533586.479:317): avc:  denied  { dac_override } for  pid=1627 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Tue Mar 20 04:13:06 2018
type=AVC msg=audit(1521533586.519:318): avc:  denied  { dac_override } for  pid=1627 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
Comment 1 Luboš Uhliarik 2018-05-02 15:09:20 UTC 
*** Bug 1567768 has been marked as a duplicate of this bug. ***
Comment 2 Luboš Uhliarik 2018-05-03 13:31:16 UTC 
*** Bug 1574519 has been marked as a duplicate of this bug. ***
Comment 3 Carl Bennett 2018-05-07 20:18:52 UTC 
Nginx will not start while SELinux is in enforcing mode on a new Fedora 28 installation.

For those looking for a quick band-aid to the issue, temporarily set SELinux to permissive mode, start Nginx, then set SELinux back to enforcing mode. This will let Nginx start and let's it open write access to its log files. I'm unsure what happens when the logs are rotated with SELinux enforcing, ymmv.

Glad to see this issue is now opened to the public. Hoping for a fix on this by the end of the week!
Comment 4 Joe Orton 2018-05-08 07:45:37 UTC 
Fix in -testing for this:

https://bodhi.fedoraproject.org/updates/FEDORA-2018-afe81d2db1
Comment 5 Fedora Update System 2018-05-14 13:45:38 UTC 
nginx-1.12.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06
Comment 6 Fedora Update System 2018-05-14 20:39:58 UTC 
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06
Comment 7 Fedora Update System 2018-06-18 16:16:51 UTC 
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.