Hi,

Something wrong on your policy?

$ cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

$ ls -lZ /etc/nginx/conf.d
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf-orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf.orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 proxy.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 ssl.conf

IMHO, SELinux won't change your saved policy (unless you don't save it).

On 10/30/2014 21:48, mevans336 wrote:
> We have been successfully running Nginx installed from the official
> Nginx CentOS repositories for ages. Last night I upgraded two of my
> Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux
> immediately broke just about everything with Nginx. At first it
> wouldn't let it read the SSL certs, then it wouldn't allow it to
> read the proxy upstream server. The only way I can get it working
> is to disable SELinux via setenforce 0, which is a no-no because
> these servers are internet facing.
>
> I have a lengthy post in the CentOS forums which you can see here:
> https://www.centos.org/forums/viewtopic.php?f=13&t=49280
>
> I will try and summarize some of the errors:
>
> ----
> [root@host ssl]# service nginx restart
> nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
> ----
>
> I was able to work around this by copying the files into
> /etc/nginx/ssl. Attempting to use a restorecon on /srv/ssl didn't
> resolve the issue. After making the change above, Nginx will
> successfully start, but then receives the following error when
> trying to proxy to my upstream server:
>
> ----
> 2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
> ----
>
> In the latter case, disabling SELinux via setenforce 0 immediately
> resolves the issue, without restarting the Nginx daemon.
>
> Another user in my CentOS thread is reporting the same behavior and
> I am seeing it on two independent Nginx servers as well. I
> attempted to uninstall and re-install the Nginx package via the
> Nginx yum repository (hoping it would restore the SELinux context)
> but that produced the same result.
>
> Here is the output of ls -lrtZ /etc/nginx:
>
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
> drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
> -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254456,254456#msg-254456
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
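
Added example (not part of either message): a small parser for `ls -lZ` output like the listings in this thread, which reports entries whose SELinux type or user differs from a baseline so that two hosts can be compared quickly. The baseline (type httpd_config_t, user system_u) and the function names are assumptions made for illustration; the sample lines are copied from the listings above.

```python
import re
from collections import defaultdict

# CentOS 6 `ls -lZ` layout: mode owner group user:role:type:level name
LINE_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9}[.+]?)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)\s+"
    r"(?P<name>.+)$"
)

# Sample input taken from the two listings in the thread.
SAMPLE = """\
- -rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf
- -rw-r--r--. root root system_u:object_r:etc_t:s0 ssl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
"""

def parse_ls_z(text):
    """Return one dict per recognised `ls -lZ` line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):  # undo PGP cleartext dash-escaping
            line = line[2:]
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries

def audit(entries, expected_types, expected_user="system_u"):
    """Group entries that deviate from the (assumed) baseline labels."""
    findings = defaultdict(list)
    for e in entries:
        if e["type"] not in expected_types:
            findings["unexpected_type"].append((e["name"], e["type"]))
        if e["user"] != expected_user:
            findings["non_default_user"].append((e["name"], e["user"]))
    return dict(findings)

if __name__ == "__main__":
    report = audit(parse_ls_z(SAMPLE), expected_types={"httpd_config_t"})
    for kind, items in report.items():
        for name, value in items:
            print(f"{kind}: {name} ({value})")
```
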
