Description of problem:
With SELinux enabled in targeted mode, nginx fails to start because it cannot write to /run/nginx.pid.

Version-Release number of selected component (if applicable):
Fedora 23 beta (updated as of 10/02)
nginx 1.8.0-13.fc23

How reproducible:
always

Steps to Reproduce:
1. enable selinux
2. install nginx
3. systemctl start nginx

Actual results:
Oct 03 13:02:27 maa.s.juvonen.org nginx[4564]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 03 13:02:27 maa.s.juvonen.org nginx[4564]: nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
Oct 03 13:02:27 maa.s.juvonen.org audit[4564]: AVC avc: denied { read write } for pid=4564 comm="nginx" name="nginx.pid" dev="tmpfs" ino=311693 scontext=system_u:system_r:
Oct 03 13:02:27 maa.s.juvonen.org nginx[4564]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: nginx.service: Control process exited, code=exited status=1
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nginx.service has failed.
--
-- The result is failed.
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: nginx.service: Unit entered failed state.
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: nginx.service: Failed with result 'exit-code'.

Expected results:
nginx starts.

Additional info:
Workaround as follows:
- echo 'd /var/run/nginx 710 root nginx' > /etc/tmpfiles.d/nginx.conf
- systemd-tmpfiles --create
- semanage fcontext -a -e /var/run/httpd /var/run/nginx
- systemctl edit nginx, then add these lines:
  [Service]
  PIDFile=/run/nginx/nginx.pid
- perl -pi.bk -e 's!^pid.*!pid /run/nginx/nginx.pid!' nginx.conf
I was unable to reproduce your issue on a fresh "minimal install" of F23 beta with nginx installed (without any modification).

The file "/var/run/nginx.pid" should be created with the context "httpd_var_run_t":

# semanage fcontext -l | grep run/nginx
/var/run/nginx.*    all files    system_u:object_r:httpd_var_run_t:s0

I was actually able to reproduce your error (on F23 and F22) if I did the following:

# systemctl stop nginx
# touch /run/nginx.pid
# ls -Z /run/nginx.pid | cut -d':' -f3
var_run_t
# systemctl start nginx

Nginx works if I do this instead:

# systemctl stop nginx
# touch /run/nginx.pid
# restorecon -v /run/nginx.pid
# ls -Z /run/nginx.pid | cut -d':' -f3
httpd_var_run_t
# systemctl start nginx

So, it seems that somewhere along the line, your system is creating /run/nginx.pid with the wrong SELinux context.

I've just remembered that `nginx -t` creates the file /run/nginx.pid if it doesn't exist, so it's likely that this is the culprit.

`nginx -t` is executed by ExecStartPre (in nginx.service) and creates /run/nginx.pid with the correct SELinux context. However, when manually running `nginx -t` from the cmdline, the SELinux transition for systemd services doesn't occur and /run/nginx.pid is created with the wrong SELinux context.

One solution (as you suggested) is to put the PID file in a subdirectory which already has the correct SELinux context, and thus all files created in the subdirectory will inherit this context (even if created from the cmdline). However, I'd like to avoid moving the PID file, as it's been located at /run/nginx.pid on all major Linux distributions since nginx began and may potentially break user scripts.

I propose an alternative solution:

ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t

Updates to follow.
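An added example, not from the bug report or the Fedora nginx package: a small POSIX shell script that checks a pid-file context the way the maintainer did with `ls -Z | cut`, pulls the fields out of the journal's AVC line to confirm it is this mislabeling and not some other denial, and prints the fix proposed above as a `systemctl edit nginx` drop-in. The SAMPLE_* lines are constructed after the report's log output; the full scontext/tcontext values (httpd_t, var_run_t) are assumed, since the report's copy of the AVC line is cut off, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report or the Fedora nginx package): check
# whether /run/nginx.pid carries the label this bug is about, read the AVC
# denial from the journal, and print a systemd drop-in with the proposed fix.
# The SAMPLE_* lines are constructed after the report's log output; the full
# scontext/tcontext values (httpd_t, var_run_t) are assumed, since the report's
# copy of the AVC line is truncated.

# Type the policy assigns to /var/run/nginx.* (fcontext rule quoted in the thread).
EXPECTED_TYPE="httpd_var_run_t"

# selinux_type CONTEXT: print the type field of a context such as
# system_u:object_r:var_run_t:s0 (the same cut the maintainer used on ls -Z).
selinux_type() {
    printf '%s\n' "$1" | cut -d':' -f3
}

# pidfile_label_ok CONTEXT: succeed when the pid file has the expected type.
pidfile_label_ok() {
    [ "$(selinux_type "$1")" = "$EXPECTED_TYPE" ]
}

# avc_field LINE KEY: print the value of KEY=value or KEY="value" in an AVC
# line. AVC values never contain spaces (names with spaces are hex-encoded),
# so everything up to the next space is the value; quotes are stripped after.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# diagnose_avc LINE: succeed (and say so) when LINE is nginx being denied on a
# pid file whose label is not the policy default; fail for anything else.
diagnose_avc() {
    comm=$(avc_field "$1" comm)
    name=$(avc_field "$1" name)
    tcontext=$(avc_field "$1" tcontext)
    if [ "$comm" = "nginx" ] && [ "$name" = "nginx.pid" ] \
        && [ -n "$tcontext" ] && ! pidfile_label_ok "$tcontext"; then
        echo "mislabeled pid file: type $(selinux_type "$tcontext"), expected $EXPECTED_TYPE"
        return 0
    fi
    echo "not the pid-file mislabeling"
    return 1
}

# relabel_pidfile PATH: reset PATH to the policy default, as restorecon -v did
# in the thread. Returns 2 where SELinux tooling is absent, so the script is
# safe to run on a host without SELinux.
relabel_pidfile() {
    command -v restorecon >/dev/null 2>&1 || return 2
    restorecon -v "$1"
}

# nginx_dropin: print a drop-in for `systemctl edit nginx` carrying the fix
# proposed above. The empty ExecStartPre= clears the packaged list first
# (systemd resets a list setting on an empty assignment), so a stale pid file
# is removed before `nginx -t` recreates it under the service's domain.
nginx_dropin() {
    cat <<'EOF'
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
EOF
}

# Constructed sample lines (not real journal output).
SAMPLE_AVC='Oct 03 13:02:27 host audit[4564]: AVC avc:  denied  { read write } for  pid=4564 comm="nginx" name="nginx.pid" dev="tmpfs" ino=311693 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'
SAMPLE_OTHER='Oct 03 13:05:00 host audit[5001]: AVC avc:  denied  { write } for  pid=5001 comm="nginx" name="error.log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

diagnose_avc "$SAMPLE_AVC"
```

On a real host, feed `journalctl -u nginx -o cat | grep 'avc:'` lines to `diagnose_avc`, run `relabel_pidfile /run/nginx.pid` as root for a one-off repair, and use `nginx_dropin > /etc/systemd/system/nginx.service.d/pidfile.conf` (then `systemctl daemon-reload`) to keep a stray `nginx -t` from the shell from breaking the next start.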
nginx-1.8.0-14.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-aaebe96f2d
nginx-1.8.0-11.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7c12d601d2
nginx-1.8.0-14.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update nginx' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-aaebe96f2d
nginx-1.6.3-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'yum --enablerepo=epel-testing update nginx' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-5c13016aed
nginx-1.8.0-11.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update nginx' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7c12d601d2
nginx-1.8.0-14.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.8.0-11.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.6.3-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.