Description of problem:
The `nginx -t` config syntax check command attempts to open the file /var/log/nginx/error.log rw as root in the default systemd nginx.service. However, this file can be owned by nginx:nginx with permissions of 064x. The current policy prevents nginx from having dac_override, which results in nginx -t failing and thus preventing the nginx service from starting.

Version-Release number of selected component (if applicable):
nginx: 1.12.1
selinux-policy: 3.14.1

How reproducible:
Always, after doing the following steps.

Steps to Reproduce:
1. Ensure /var/log/nginx is readable, writeable and executable by root (ACL or group permissions, either work).
2. rm /var/log/nginx/error.log
3. systemctl start nginx.service
5. Either force a logrotate on error.log or, more easily, rm /var/log/nginx/error.log
6. systemctl kill --signal=USR1 nginx.service
7. Check that /var/log/nginx/error.log is owned by nginx with 064x permissions.
8. systemctl restart nginx.service

Actual results:
The last step will result in a failure with text ->

systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

Error text in journald ->

May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: 2018/05/03 12:27:55 [emerg] 11158#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 03 12:27:55 adlinux.sim.gilbarco.com nginx[11158]: nginx: configuration file /etc/nginx/nginx.conf test failed
May 03 12:27:55 adlinux.sim.gilbarco.com systemd[1]: nginx.service: Control process exited, code=exited status=1
May 03 12:27:55 adlinux.sim.gilbarco.com systemd[1]: nginx.service: Failed with result 'exit-code'.
May 03 12:27:55 adlinux.sim.gilbarco.com systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

The SELinux denial... ausearch -m avc --start recent ->

type=AVC msg=audit(1525364875.037:698): avc: denied { dac_override } for pid=11158 comm="nginx" capability=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0

Expected results:
nginx service restarts without issue.

Additional info:
The easy solution would be to grant dac_override to nginx, but that seems incredibly overkill.
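The check behind the report above, as an added example that is not part of the bug report or of nginx or selinux-policy: it models the classic Unix mode-bit decision to show when a root process can open a log file read-write on its own and when the open only succeeds through CAP_DAC_OVERRIDE, which is what the AVC denial records. The uid/gid 990 for nginx, the concrete modes and the function names are constructed for illustration, and POSIX ACLs are not modelled.

```python
import os
import stat

R, W = 4, 2  # read and write bits within one rwx triplet


def dac_allows(f_uid, f_gid, f_mode, p_uid, p_gids, want=R | W):
    """True if the file's mode bits alone grant `want` to the process.

    Linux selects exactly one class (owner, else group, else other). A process
    that fails this check can only open the file through CAP_DAC_OVERRIDE.
    POSIX ACLs are not modelled (assumption of this example).
    """
    perms = stat.S_IMODE(f_mode)
    if p_uid == f_uid:
        bits = (perms >> 6) & 7
    elif f_gid in p_gids:
        bits = (perms >> 3) & 7
    else:
        bits = perms & 7
    return (bits & want) == want


def needs_dac_override(path, p_uid=0, p_gids=(0,), want=R | W):
    """Evaluate a real file as seen by a process with the given uid and groups."""
    st = os.stat(path)
    return not dac_allows(st.st_uid, st.st_gid, st.st_mode, p_uid, p_gids, want)


# Constructed sample values: uid/gid 0 is root, 990 stands in for nginx.
ROOT, NGINX = 0, 990
SAMPLES = {
    "root:root 0644": (ROOT, ROOT, 0o644),
    "nginx:nginx 0640": (NGINX, NGINX, 0o640),
    "nginx:nginx 0644": (NGINX, NGINX, 0o644),
    "nginx:root 0660": (NGINX, ROOT, 0o660),
}


def evaluate_samples():
    """Map each label to True when root can open the file rw without the capability."""
    return {k: dac_allows(u, g, m, ROOT, (ROOT,)) for k, (u, g, m) in SAMPLES.items()}


if __name__ == "__main__":
    for label, ok in evaluate_samples().items():
        print(f"{label}: {'opens without capability' if ok else 'needs dac_override'}")
```

Running `needs_dac_override("/var/log/nginx/error.log")` on an affected host reports whether the root-run `nginx -t` would depend on the capability for that file.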
Looks like a duplicate of #1573942
nginx-1.12.1-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6666e4cf06
nginx-1.12.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.