Bug 1563635 - SELinux blocks a first run of nginx
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nginx
Version: 28
Hardware: Unspecified
OS: Unspecified
Assignee: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-04-04 11:22 UTC by James Hogarth
Modified: 2018-06-18 16:17 UTC

Fixed In Version: nginx-1.12.1-8.fc28
Last Closed: 2018-06-18 16:17:03 UTC

Description James Hogarth 2018-04-04 11:22:30 UTC
Description of problem:
Fresh install of F28 with nginx fails to start with systemctl start nginx



Version-Release number of selected component (if applicable):
nginx-1.12.1-5.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Ensure SELinux is enforcing
2. Install nginx
3. systemctl nginx start
4. ausearch -m AVC
5. setenforce 0
6. systemctl nginx start

Actual results:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-04-04 11:09:52 UTC; 5s ago
  Process: 10268 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
  Process: 10267 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)

Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: Starting The nginx HTTP and reverse proxy serv>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: [alert] could not open error log file>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: 2018/04/04 11:09:52 [warn] 10268#0: could no>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: the configuration file /etc/nginx/ngi>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: 2018/04/04 11:09:52 [emerg] 10268#0: mkdir()>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: configuration file /etc/nginx/nginx.c>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Control process exited, code=ex>
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Failed with result 'exit-code'.
Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: Failed to start The nginx HTTP and reverse pro>


Expected results:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-04-04 11:10:04 UTC; 2s ago
  Process: 10278 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 10277 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 10276 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 10279 (nginx)
    Tasks: 2 (limit: 4705)
   Memory: 2.2M
   CGroup: /system.slice/nginx.service
           ├─10279 nginx: master process /usr/sbin/nginx
           └─10280 nginx: worker process

Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: Starting The nginx HTTP and reverse proxy serv>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: [warn] could not build optimal types_>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: the configuration file /etc/nginx/ngi>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: configuration file /etc/nginx/nginx.c>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10278]: nginx: [warn] could not build optimal types_>
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Failed to parse PID from file />
Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: Started The nginx HTTP and reverse proxy serve>


Additional info:
type=AVC msg=audit(1522839197.971:737): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522839197.986:738): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840366.011:787): avc:  denied  { dac_override } for  pid=9747 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840365.996:786): avc:  denied  { dac_override } for  pid=9747 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840667.920:794): avc:  denied  { dac_override } for  pid=9785 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840667.935:795): avc:  denied  { dac_override } for  pid=9785 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840674.092:801): avc:  denied  { dac_override } for  pid=9793 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840674.107:802): avc:  denied  { dac_override } for  pid=9793 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840790.749:807): avc:  denied  { dac_override } for  pid=9804 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1

Interestingly, once it is run once under permissive, it appears to start and stop fine regardless of SELinux status after that.
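
An added triage example (not part of the original report or of any Fedora tooling): it parses AVC records in the format shown above and separates denials that were enforced (permissive=0) from those that were only logged (permissive=1). The function names are illustrative, and the sample input is three records copied from this report.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Three records copied from the report above: two enforcing, one permissive.
SAMPLE = """\
type=AVC msg=audit(1522839197.971:737): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522839197.986:738): avc:  denied  { dac_override } for  pid=9700 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1522840790.749:807): avc:  denied  { dac_override } for  pid=9804 comm="nginx" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs after "for"; values may be quoted (comm="nginx").
    rec = {k: v.strip('"')
           for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m['fields'])}
    rec['perms'] = m['perms'].split()
    rec['time'] = datetime.fromtimestamp(float(m['ts']), tz=timezone.utc)
    rec['serial'] = int(m['serial'])
    # An SELinux context is user:role:type:level; the type is the domain.
    rec['domain'] = rec['scontext'].split(':')[2]
    # permissive=1 means the access was logged but still allowed.
    rec['blocked'] = rec.get('permissive') == '0'
    return rec

def summarize(text):
    """Count denials per (domain, tclass, permission, blocked)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['domain'], rec['tclass'], perm, rec['blocked'])] += 1
    return counts

if __name__ == '__main__':
    # capability=1 is CAP_DAC_OVERRIDE: bypassing ordinary file permission checks.
    for (domain, tclass, perm, blocked), n in sorted(summarize(SAMPLE).items()):
        state = 'blocked' if blocked else 'logged only (permissive)'
        print(f'{n} x {domain} {tclass}:{perm} -> {state}')
```
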

Comment 1 Fedora Update System 2018-05-14 13:45:54 UTC
nginx-1.12.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06

Comment 2 Fedora Update System 2018-05-14 20:40:10 UTC
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06

Comment 3 Fedora Update System 2018-06-18 16:17:03 UTC
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
