Bug 1574616

Summary: nginx default error_log (/var/log/nginx/error.log) sets an owner:group and permissions which cause selinux denials.
Product: Fedora
Reporter: Anthony DeDominic <adedominic>
Component: nginx
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: affix, athmanem, bperkins, jeremy, jkaluza, jorton, luhliari, mathieu-acct, pavel.lisy, peter.borsa, tadej.j, wtogami
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nginx-1.12.1-8.fc28
Last Closed: 2018-06-18 16:16:56 UTC
Type: Bug

Description Anthony DeDominic 2018-05-03 16:33:58 UTC
Description of problem:

The `nginx -t` config syntax check command attempts to open the file /var/log/nginx/error.log rw as root in the default systemd nginx.service.

However, this file can be owned by nginx:nginx with permissions of 064x.

The current policy prevents nginx from having dac_override, which results in nginx -t failing and thus prevents the nginx service from starting.

Version-Release number of selected component (if applicable):

nginx:          1.12.1
selinux-policy: 3.14.1

How reproducible:

Always, after doing the following steps.

Steps to Reproduce:
1. ensure /var/log/nginx is readable, writable and executable by root (acl or group permissions, either work.)
2. rm /var/log/nginx/error.log
3. systemctl start nginx.service
4. either force a logrotate on error.log or more easily... rm /var/log/nginx/error.log
5. systemctl kill --signal=USR1 nginx.service
6. check that /var/log/nginx/error.log is owned by nginx with 064x permissions.
7. systemctl restart nginx.service

Actual results:

The last step will result in a failure with text ->
  systemctl restart nginx
    Job for nginx.service failed because the control process exited with error code.
    See "systemctl status nginx.service" and "journalctl -xe" for details.

Error text in journald ->

  May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
  May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
  May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: 2018/05/03 12:27:55 [emerg] 11158#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
  May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: nginx: configuration file /etc/nginx/nginx.conf test failed
  May 03 12:27:55 adlinux.sim.gilbarco.com systemd[1]: nginx.service: Control process exited, code=exited status=1
  May 03 12:27:55 adlinux.sim.gilbarco.com systemd[1]: nginx.service: Failed with result 'exit-code'.
  May 03 12:27:55 adlinux.sim.gilbarco.com systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

The selinux denial...
  ausearch -m avc --start recent ->
    type=AVC msg=audit(1525364875.037:698): avc:  denied  { dac_override } for pid=11158 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0

Expected results:

nginx service restarts without issue.

Additional info:

The easy solution would be to grant dac_override to nginx, but that seems incredibly overkill.
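
As an added illustration (not part of the report or of the nginx package), the following Python models the plain DAC decision root faces when opening error.log, so you can see when the open only succeeds via CAP_DAC_OVERRIDE, and maps the capability number in the AVC line back to its name. The uid/gid values are constructed, and the model ignores POSIX ACLs.

```python
import re

# Capability numbers from <linux/capability.h>; the AVC above reports capability=1.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

# Constructed uid/gid values for the example; they are not from the report.
ROOT_UID, ROOT_GID = 0, 0
NGINX_UID, NGINX_GID = 991, 991


def dac_allows(uid, gids, owner, group, mode, want):
    """Plain DAC check for a regular file, ignoring capabilities and POSIX ACLs.
    Picks the owner, group or other bits the way the kernel does and tests that
    every requested bit ('r' and/or 'w') is set."""
    if uid == owner:
        bits = (mode >> 6) & 0o7
    elif group in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0)
    return bits & need == need


def needs_dac_override(uid, gids, owner, group, mode, want="rw"):
    """True when the open() only succeeds through CAP_DAC_OVERRIDE, i.e. the
    case SELinux blocks for httpd_t in this report."""
    return not dac_allows(uid, gids, owner, group, mode, want)


AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>\w+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?capability=(?P<cap>\d+)')


def parse_capability_avc(line):
    """Extract the denied permission, process name and capability name from an
    audit AVC line; returns None for lines that are not capability denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    cap = int(m.group("cap"))
    return {"perm": m.group("perm"), "comm": m.group("comm"),
            "capability": CAP_NAMES.get(cap, f"capability {cap}")}


if __name__ == "__main__":
    # error.log as created after the USR1 reopen: nginx:nginx, mode 0640
    print(needs_dac_override(ROOT_UID, {ROOT_GID}, NGINX_UID, NGINX_GID, 0o640))  # True
    # same file owned root:nginx 0640: root hits the owner bits, no capability needed
    print(needs_dac_override(ROOT_UID, {ROOT_GID}, ROOT_UID, NGINX_GID, 0o640))  # False
```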

Comment 1 Mathieu Chouquet-Stringer 2018-05-07 23:55:43 UTC
Looks like a duplicate of #1573942

Comment 2 Fedora Update System 2018-05-14 13:45:44 UTC
nginx-1.12.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06

Comment 3 Fedora Update System 2018-05-14 20:40:03 UTC
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06

Comment 4 Fedora Update System 2018-06-18 16:16:56 UTC
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.