Bug 1268621 - nginx PID file setting fails with SELinux (default config). Fix/workaround included.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nginx
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-03 17:13 EDT by Sami Juvonen
Modified: 2015-11-06 23:08 EST (History)
Fixed In Version: nginx-1.8.0-14.fc23 nginx-1.8.0-11.fc22 nginx-1.6.3-7.el7
Doc Type: Bug Fix
Last Closed: 2015-11-04 15:55:11 EST
Type: Bug
Description Sami Juvonen 2015-10-03 17:13:49 EDT
Description of problem: with SELinux enabled in targeted mode, nginx fails to start because it cannot write to /run/nginx.pid.


Version-Release number of selected component (if applicable):
Fedora 23 beta (updated as of 10/02)
nginx 1.8.0-13.fc23

How reproducible: always


Steps to Reproduce:
1. enable selinux
2. install nginx
3. systemctl start nginx

Actual results:
Oct 03 13:02:27 maa.s.juvonen.org nginx[4564]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 03 13:02:27 maa.s.juvonen.org nginx[4564]: nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
Oct 03 13:02:27 maa.s.juvonen.org audit[4564]: AVC avc:  denied  { read write } for  pid=4564 comm="nginx" name="nginx.pid" dev="tmpfs" ino=311693 scontext=system_u:system_r:
Oct 03 13:02:27 maa.s.juvonen.org nginx[4564]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: nginx.service: Control process exited, code=exited status=1
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nginx.service has failed.
--
-- The result is failed.
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: nginx.service: Unit entered failed state.
Oct 03 13:02:27 maa.s.juvonen.org systemd[1]: nginx.service: Failed with result 'exit-code'.


Expected results: nginx starts.


Additional info: 
Workaround as follows:
- echo 'd /var/run/nginx 710 root nginx' > /etc/tmpfiles.d/nginx.conf
- systemd-tmpfiles --create
- semanage fcontext -a -e /var/run/httpd /var/run/nginx
- systemctl edit nginx, then add these lines:
    [Service]
    PIDFile=/run/nginx/nginx.pid
- perl -pi.bk -e 's!^pid.*!pid /run/nginx/nginx.pid;!' /etc/nginx/nginx.conf
Comment 1 Jamie Nguyen 2015-10-04 03:37:23 EDT
I was unable to reproduce your issue on a fresh "minimal install" of F23 beta with nginx installed (without any modification).

The file "/var/run/nginx.pid" should be created with the context "httpd_var_run_t":

  # semanage fcontext -l | grep run/nginx
  /var/run/nginx.*    all files    system_u:object_r:httpd_var_run_t:s0

I was actually able to reproduce your error (on F23 and F22) if I did the following:

  # systemctl stop nginx
  # touch /run/nginx.pid
  # ls -Z /run/nginx.pid | cut -d':' -f3
  var_run_t
  # systemctl start nginx

Nginx works if I do this instead:

  # systemctl stop nginx
  # touch /run/nginx.pid
  # restorecon -v /run/nginx.pid
  # ls -Z /run/nginx.pid | cut -d':' -f3
  httpd_var_run_t
  # systemctl start nginx

So, it seems that somewhere along the line, your system is creating /run/nginx.pid with the wrong SELinux context.

I've just remembered that `nginx -t` creates the file /run/nginx.pid if it doesn't exist, so it's likely that this is the culprit. `nginx -t` is executed by ExecStartPre (in nginx.service) and creates /run/nginx.pid with the correct SELinux context. However, when manually running `nginx -t` from the cmdline, the SELinux transition for systemd services doesn't occur and /run/nginx.pid is created with the wrong SELinux context.

One solution (as you suggested) is to put the PID file in a subdirectory which already has the correct SELinux context and thus all files created in the subdirectory will inherit this context (even if created from the cmdline). However, I'd like to avoid moving the PID file, as it's been located at /run/nginx.pid on all major Linux distributions since nginx began and may potentially break user scripts.

I propose an alternative solution:

  ExecStartPre=/usr/bin/rm -f /run/nginx.pid
  ExecStartPre=/usr/sbin/nginx -t

Updates to follow.
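The mechanism described in this comment (a PID file created outside the service's SELinux transition keeps the wrong type, and every later start fails on it) is easy to check for. The shell script below is an added example, not the reporter's workaround or the nginx package's fix: it pulls the type out of a context string or an AVC denial line, compares it with httpd_var_run_t (the type the semanage output above lists for /var/run/nginx.*), and, when run as `check` or `fix` on a live system, inspects /run/nginx.pid with stat and relabels it with restorecon. The sample AVC line is constructed; its httpd_t source context and var_run_t target context are assumptions, since the report's AVC line is cut off before tcontext. Reading the policy's expected type with matchpathcon is the example's own choice.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nginx package: a small
# diagnostic for the failure discussed in Comment 1. It extracts the SELinux
# type from a file context or an AVC denial line, compares it with the type
# nginx's PID file needs (httpd_var_run_t, from the semanage listing), and on
# request relabels the file with restorecon. The string helpers take plain
# arguments so they run without SELinux; only check_pidfile touches the system.

PIDFILE=${PIDFILE:-/run/nginx.pid}
# Fallback expectation; overridden by matchpathcon when that tool is installed.
EXPECTED_TYPE=${EXPECTED_TYPE:-httpd_var_run_t}

# Type field of a context string "user:role:type:level".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type of the target object in an AVC line ("tcontext=user:role:type:level").
# Prints nothing when the line carries no tcontext= field.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Succeeds when the context's type is the expected one.
label_ok() {
    [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# Classify an AVC denial on the PID file: "mislabeled" when the target carries
# a type other than the expected one (the situation in this bug), else "other".
classify_avc() {
    ttype=$(avc_target_type "$1")
    if [ -n "$ttype" ] && [ "$ttype" != "$EXPECTED_TYPE" ]; then
        echo mislabeled
    else
        echo other
    fi
}

# Live check of the real file. "fix" as the argument relabels a mismatch.
# stat -c %C (coreutils) prints the current context; matchpathcon -n
# (libselinux-utils) prints the context policy assigns to the path.
check_pidfile() {
    mode=${1:-check}
    if command -v matchpathcon >/dev/null 2>&1; then
        EXPECTED_TYPE=$(context_type "$(matchpathcon -n "$PIDFILE")")
    fi
    if [ ! -e "$PIDFILE" ]; then
        echo "$PIDFILE does not exist; nginx -t under the service will create it"
        return 0
    fi
    actual=$(stat -c %C "$PIDFILE")
    if label_ok "$actual"; then
        echo "$PIDFILE: $(context_type "$actual") (ok)"
        return 0
    fi
    echo "$PIDFILE: $(context_type "$actual"), expected $EXPECTED_TYPE" >&2
    if [ "$mode" = fix ]; then
        restorecon -v "$PIDFILE"
        return $?
    fi
    return 1
}

# Constructed sample AVC line, modelled on the denial in the report. The httpd_t
# scontext and the var_run_t tcontext are assumed; the report's line is cut off.
SAMPLE_AVC='avc:  denied  { read write } for  pid=4564 comm="nginx" name="nginx.pid" dev="tmpfs" ino=311693 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# Only touch the live system when explicitly asked: ./nginx-pidfile.sh check|fix
case ${1-} in
    check|fix) check_pidfile "$1" ;;
esac
```

Compare this with the packaged fix in the comment above: removing /run/nginx.pid before `nginx -t` sidesteps the problem entirely, because the file is then recreated inside the service's own context. The same labeling rule matters for the reporter's subdirectory workaround: an equivalence added with `semanage fcontext -e` applies to files created afterwards, while anything already on disk keeps its old label until `restorecon` is run on it.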
Comment 2 Fedora Update System 2015-10-04 04:30:40 EDT
nginx-1.8.0-14.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-aaebe96f2d
Comment 3 Fedora Update System 2015-10-04 04:30:45 EDT
nginx-1.8.0-11.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7c12d601d2
Comment 4 Fedora Update System 2015-10-04 22:51:57 EDT
nginx-1.8.0-14.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update nginx'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-aaebe96f2d
Comment 5 Fedora Update System 2015-10-05 00:20:49 EDT
nginx-1.6.3-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update nginx'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-5c13016aed
Comment 6 Fedora Update System 2015-10-05 11:20:37 EDT
nginx-1.8.0-11.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update nginx'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7c12d601d2
Comment 7 Fedora Update System 2015-11-04 15:55:07 EST
nginx-1.8.0-14.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-11-04 17:23:53 EST
nginx-1.8.0-11.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-11-06 23:08:01 EST
nginx-1.6.3-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
