Description of problem: Fresh install of F28 with nginx fails to start with systemctl start nginx Version-Release number of selected component (if applicable): nginx-1.12.1-5.fc28.x86_64 How reproducible: Always Steps to Reproduce: 1. Ensure selinux is enforcing 2. Install nginx 3. systemctl nginx start 4. ausearch -m AVC 5. setenforce 0 6. systemctl nginx start Actual results: ● nginx.service - The nginx HTTP and reverse proxy server Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2018-04-04 11:09:52 UTC; 5s ago Process: 10268 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE) Process: 10267 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS) Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: Starting The nginx HTTP and reverse proxy serv> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: [alert] could not open error log file> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: 2018/04/04 11:09:52 [warn] 10268#0: could no> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: the configuration file /etc/nginx/ngi> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: 2018/04/04 11:09:52 [emerg] 10268#0: mkdir()> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test nginx[10268]: nginx: configuration file /etc/nginx/nginx.c> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Control process exited, code=ex> Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Failed with result 'exit-code'. Apr 04 11:09:52 f28-oc-nginx-mysql.local.test systemd[1]: Failed to start The nginx HTTP and reverse pro> Expected results: ● nginx.service - The nginx HTTP and reverse proxy server Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2018-04-04 11:10:04 UTC; 2s ago Process: 10278 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS) Process: 10277 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS) Process: 10276 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS) Main PID: 10279 (nginx) Tasks: 2 (limit: 4705) Memory: 2.2M CGroup: /system.slice/nginx.service ├─10279 nginx: master process /usr/sbin/nginx └─10280 nginx: worker process Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: Starting The nginx HTTP and reverse proxy serv> Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: [warn] could not build optimal types_> Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: the configuration file /etc/nginx/ngi> Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10277]: nginx: configuration file /etc/nginx/nginx.c> Apr 04 11:10:04 f28-oc-nginx-mysql.local.test nginx[10278]: nginx: [warn] could not build optimal types_> Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: nginx.service: Failed to parse PID from file /> Apr 04 11:10:04 f28-oc-nginx-mysql.local.test systemd[1]: Started The nginx HTTP and reverse proxy serve> Additional info: type=AVC msg=audit(1522839197.971:737): avc: denied { dac_override } for pid=9700 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522839197.986:738): avc: denied { dac_override } for pid=9700 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840366.011:787): avc: denied { dac_override } for pid=9747 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840365.996:786): avc: denied { dac_override } for pid=9747 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840667.920:794): avc: denied { dac_override } for pid=9785 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840667.935:795): avc: denied { dac_override } for pid=9785 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840674.092:801): avc: denied { dac_override } for pid=9793 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840674.107:802): avc: denied { dac_override } for pid=9793 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1522840790.749:807): avc: denied { dac_override } for pid=9804 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Interestingly once it is run once under permissive it appears to start and stop fine regardless of selinux status after that.
nginx-1.12.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.