We have been successfully running Nginx installed from the official Nginx CentOS repositories for ages. Last night I upgraded two of my Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux immediately broke just about everything with Nginx. At first it wouldn’t let it read the SSL certs, then it wouldn’t allow it to read the proxy upstream server. The only way I can get it working is to disable SELinux via setenforce 0, which is a no-no because these servers are internet facing.

I have a lengthy post in the CentOS forums which you can see here:
https://www.centos.org/forums/viewtopic.php?f=13&t=49280

I will try and summarize some of the errors:

[root@host ssl]# service nginx restart
nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)

I was able to work around this by copying the files into /etc/nginx/ssl. Attempting to use a restorecon on /srv/ssl didn’t resolve the issue. After making the change above, Nginx will successfully start, but then receives the following error when trying to proxy to my upstream server:

2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"

In the latter case, disabling SELinux via setenforce 0 immediately resolves the issue, without restarting the Nginx daemon.

Another user in my CentOS thread is reporting the same behavior and I am seeing it on two independent Nginx servers as well. I attempted to uninstall and re-install the Nginx package via the Nginx yum repository (hoping it would restore the SELinux context) but that produced the same result.

Here is the output of ls -lrtZ /etc/nginx:

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
Posted at Nginx Forum:
Hi,
Something wrong with your policy?
$ cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m

$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

$ ls -lZ /etc/nginx/conf.d
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf-orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf.orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 proxy.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 ssl.conf
IMHO, SELinux won’t change your saved policy (unless you don’t save it).
On 10/30/2014 21:48, mevans336 wrote:
CentOS 6.6, SELinux breaks Nginx 1.6.0
Hi,
By default nginx drops files as pasted before; nginx never drops the file types as httpd_config_t.

If you never needed SELinux and aren’t familiar with it, just disable it. But it is not recommended to disable it. Good luck!
On 10/31/2014 01:05, mevans336 wrote:
Re: CentOS 6.6, SELinux breaks Nginx 1.6.0
That’s the thing, I’ve never needed to set an SELinux policy. These are single purpose servers, they run Nginx and that’s it. I’ve always installed Nginx, configured the .conf files for Nginx, and off it went. I’ve never needed to disable SELinux and actually, since I perform a minimal install of SELinux, the policy control tools aren’t even installed.

If it were a policy issue, why doesn’t a restorecon -v -R fix it? Why would upgrading from CentOS 6.5 to 6.6 break a policy that I never touched? And lastly, why wouldn’t an uninstall and reinstall of the Nginx package fix it?

I’m genuinely stumped.

FWIW, it looks like the files that I created have a different security context than the files that Nginx drops:

ls -lZ /etc/nginx/conf.d
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 default.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 default.conf.orig
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 dev-ls.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 dev-web.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 example_ssl.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 example_ssl.conf.orig

The reason I am posting here as well as the CentOS forums, is that we upgraded our entire development environment to 6.6 and the only 3rd party program that is having issues is Nginx. Our Java servers are fine, mail daemons, monitoring servers, etc.
Posted at Nginx Forum:
An upgrade to Centos 6.6 seems to relabel the standard directories used by nginx with “httpd_” tags.

I have two Centos systems with nginx installed from the nginx repo. Both were at version 6.5 and showed,

ls -lZ /etc/nginx/
drwxr-xr-x. root root system_u:object_r:etc_t:s0 conf.d
. . .
-rw-r--r--. root root system_u:object_r:etc_t:s0 nginx.conf
. . .

and

ls -lZ /var/log/nginx/
. . .
-rw-r-----. webs adm unconfined_u:object_r:var_log_t:s0 error.log
. . .

Then I updated one system to Centos 6.6. Nothing else. I didn’t change nginx at all, just ran “yum update”. Then

ls -lZ /etc/nginx
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
. . .
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf
. . .

ls -lZ /var/log/nginx/
. . .
-rw-r-----. webs adm unconfined_u:object_r:httpd_log_t:s0 error.log
. . .

If I use anything outside of the standard locations I must label it myself or an nginx restart will fail. For example, my socket for php-fpm fails. I place logs in a different directory (not /var/log/nginx/) and so they fail too.
Posted at Nginx Forum:
Thank you Richard. I have shared your post in my thread in the CentOS forums.

For now, to work around the issue, CentOS forum user sercan has provided the following commands to create a new SELinux policy for Nginx. I’ve tested it on two of my servers and it works.

- Make sure you have the policycoreutils-python package installed (yum install policycoreutils-python), then run the following 3 commands:
- grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
- grep nginx /var/log/audit/audit.log | audit2allow -M nginx
- semodule -i nginx.pp
Posted at Nginx Forum:
Then that is something that is different with respect to CentOS 6.6, because the default.conf was just dropped when I re-installed it from the Nginx yum repository.

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 default.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 default.conf.orig

The default.conf above was dropped by a fresh install of the nginx package. The default.conf.orig was from my previous installation, where I renamed default.conf to default.conf.orig.

I definitely don’t want to disable SELinux, as these are Internet facing servers.

Perhaps my next step should be to compile Nginx from source and see if it results in the same errors.
Posted at Nginx Forum:
As a follow up, if you are using NginX as a proxy, you might need a few more things. Here is a preliminary template of a type enforcement I’ve created for NginX to alleviate these issues. You can use this Type Enforcement file to generate an SELinux module, package it up, and load it.
module nginx 1.0;

require {
    type httpd_t;
    type http_cache_port_t;
    type port_t;
    class process setrlimit;
    class tcp_socket name_connect;
    class capability sys_resource;
}

#============= httpd_t ==============
# (boolean names from audit2allow must stay commented, or checkmodule rejects the file)

#!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;

#!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:process setrlimit;

#!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_setrlimit
allow httpd_t self:capability sys_resource;
Posted at Nginx Forum:
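Before piping everything that matches "nginx" in audit.log through audit2allow as in the sercan workaround, or loading a module like the one just above, it helps to see which denials a stock boolean already covers and which are really a labeling problem. The script below is an added example, not code from this thread or any of its posters: it parses AVC records in the CentOS 6 auditd format for comm="nginx" and maps each denial to the remedy the thread's own posts name (httpd_can_network_connect, httpd_setrlimit, or semanage fcontext plus restorecon). The lines in SAMPLE_AUDIT are constructed for the demo, and the <path> and <port> placeholders in the suggestions are for the reader to fill in.

```shell
#!/bin/sh
# Added example: triage nginx AVC denials before reaching for audit2allow.
# Not code from the thread; SAMPLE_AUDIT holds constructed audit records in
# the CentOS 6 auditd format (one AVC record per denial).

SAMPLE_AUDIT='type=AVC msg=audit(1414612527.123:4407): avc:  denied  { name_connect } for  pid=4407 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1414612500.456:4401): avc:  denied  { read open } for  pid=4401 comm="nginx" name="cert-rekey.crt" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1414612500.457:4402): avc:  denied  { setrlimit } for  pid=4401 comm="nginx" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1414612500.457:4402): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1414612600.001:4410): avc:  denied  { write } for  pid=4410 comm="logrotate" name="error.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'

# avc_denials: read audit records on stdin and print one line per denial
# caused by the nginx binary: "<perms> <tclass> <source type> <target type>".
# Several permissions in one record are joined with commas. Unlike a plain
# "grep nginx", this keys on comm= so other daemons' denials are left out.
avc_denials() {
    awk '
    /^type=AVC / && /denied/ && /comm="nginx"/ {
        perms = ""; tclass = ""; stype = ""; ttype = ""
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        print perms, tclass, stype, ttype
    }'
}

# suggest_fix PERMS TCLASS TTYPE: the narrowest remedy for one denial, using
# the booleans the audit2allow comments above name. File/dir denials on a
# non-httpd type are a labeling problem, not a gap in policy.
suggest_fix() {
    perms="$1"; tclass="$2"; ttype="$3"
    case "$tclass:$perms" in
        tcp_socket:name_connect)
            case "$ttype" in
                port_t|http_cache_port_t)
                    echo "setsebool -P httpd_can_network_connect on" ;;
                *)
                    echo "no boolean named in this thread covers $ttype; check: getsebool -a | grep httpd_can_network" ;;
            esac ;;
        process:setrlimit|capability:sys_resource)
            echo "setsebool -P httpd_setrlimit on" ;;
        file:*|dir:*|lnk_file:*)
            case "$ttype" in
                httpd_*) echo "target already has an httpd_* type; check whether $perms is allowed on $ttype (write needs httpd_sys_rw_content_t)" ;;
                *) echo "semanage fcontext -a -t httpd_sys_content_t '<path>(/.*)?' && restorecon -R <path>" ;;
            esac ;;
        *)
            echo "review manually: $tclass $perms on $ttype" ;;
    esac
}

# triage: full report for audit records on stdin.
triage() {
    avc_denials | while read -r perms tclass stype ttype; do
        printf '%-12s %-11s %-20s -> %s\n' "$perms" "$tclass" "$ttype" \
            "$(suggest_fix "$perms" "$tclass" "$ttype")"
    done
}

# Real use: triage < /var/log/audit/audit.log ; the demo runs on the samples.
printf '%s\n' "$SAMPLE_AUDIT" | triage
```

Anything the script reports as "review manually" (the php-fpm socket denials Richard mentions would land there, as sock_file) is exactly what should be read before it goes into a custom module; audit2allow will happily generate an allow rule for it either way.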
You can use something like this to handle project directories.
PROJECT_DIR=/srv/myproject
# register the label for the whole tree, then apply it to any existing files
semanage fcontext -a -t httpd_sys_content_t "$PROJECT_DIR(/.*)?"
if [ -d "$PROJECT_DIR" ]; then
    restorecon -R "$PROJECT_DIR"
fi
Posted at Nginx Forum:
For now, to work around the issue, CentOS forum user sercan has provided the following commands to create a new SELinux policy for Nginx. I’ve tested it on two of my servers and it works.
. . .

And there’s one more quick workaround to get running very quickly. Not entirely recommended since this turns off SELinux for nginx (while leaving it on for everything else).

semanage permissive -a httpd_t

With this setting I expect the audit.log file will fill quickly with many warning messages. Another reason why it is not a great idea except for emergencies. But it worked for me as a quick test. (Don’t forget to set it back to enforcing later).

Richard
Posted at Nginx Forum:
I’ve verified that the update to Centos 6.6 does indeed relabel nginx related directories/files during yum update. And a restart of the nginx process will now have the label “httpd_t”. Someone in RH decided to make the nginx webserver follow the same SELinux policy rules as Apache.

OK, that works fine so long as all the needed directories/files are in the expected places. It also opens up some standard approaches for common options. For example,

I place my web site files under /home/webs/. I can make that work by setting a boolean (the -P makes this persist across reboots)

# setsebool -P httpd_enable_homedirs on

I also wanted to use a non-standard port 8088 for PHPMyAdmin. I achieve that with

# semanage port -a -t http_port_t -p tcp 8088

Other things:

I want to place my log files in a new location, not /var/log/nginx. I can use the semanage and restorecon lines shown above by bdwyertech, and that works fine for nginx. But logrotate and logwatch fail. So now I need to create new policies for them using the same audit2allow approach that you already mentioned but with different policy names.

I use a unix socket to connect with php-fpm. That has to be in a standard directory too. For now I put it in /var/run/.

Finally, PHPMyAdmin uses PHP sessions and my session directory is in a non-standard location. Again I had to use semanage and restorecon to make the session directory usable.

Whew! It all works now.

In future, perhaps I should let all directories/files stay in their default locations.

Richard
Posted at Nginx Forum:
richardm Wrote:
[…]Someone in RH decided to make the nginx webserver follow the same SELinux policy rules as Apache.

Thanks for following up on this Richard. Undisclosed changes like this drive me crazy … why make changes like this and then not disclose them in the release notes?

shakes fist at Red Hat
Posted at Nginx Forum: