SeLinux stops starting of nginx

user7943875 asked:

Reboted nginx proxy server (centos7+nginx only, apache on another) I got error:

  DOMAIN systemd[1]: Starting Session 439 of user root.
-- Subject: Unit session-439.scope has begun start-up
-- Defined-By: systemd
--
-- Unit session-439.scope has begun starting up.
Jun 08 06:30:02 DOMAIN CROND[16408]: (root) CMD (/usr/local/sbin/script.sh)
Jun 08 06:30:02 DOMAIN CROND[16409]: (root) CMD (/usr/local/bin/script.pl >/dev/null)
Jun 08 06:31:31 DOMAIN sshd[16419]: Connection closed by 10.1.1.3 [preauth]
Jun 08 06:33:40 DOMAIN run-parts(/etc/cron.daily)[16439]: finished 0yum-daily.cron
Jun 08 06:33:40 DOMAIN run-parts(/etc/cron.daily)[16441]: starting logrotate
Jun 08 06:33:45 DOMAIN run-parts(/etc/cron.daily)[16505]: finished logrotate
Jun 08 06:33:45 DOMAIN run-parts(/etc/cron.daily)[16507]: starting man-db.cron
Jun 08 06:33:47 DOMAIN run-parts(/etc/cron.daily)[16516]: finished man-db.cron
Jun 08 06:33:47 DOMAIN run-parts(/etc/cron.daily)[16518]: starting update-ocsp
Jun 08 06:33:56 DOMAIN systemd[1]: Stopping nginx - high performance web server...
-- Subject: Unit nginx.service has begun shutting down
-- Defined-By: systemd
-- Unit nginx.service has begun shutting down.
Jun 08 06:33:56 DOMAIN systemd[1]: Starting nginx - high performance web server...
-- Subject: Unit nginx.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nginx.service has begun starting up.
Jun 08 06:33:56 DOMAIN nginx[16568]: nginx: [emerg] BIO_new_file("/etc/nginx/ssl/client-ocsp.pem") failed (SSL: error:0200100D:system library:fopen:Permission den
Jun 08 06:33:56 DOMAIN nginx[16568]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 08 06:33:56 DOMAIN systemd[1]: nginx.service: control process exited, code=exited status=1
Jun 08 06:33:56 DOMAIN systemd[1]: Failed to start nginx - high performance web server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Unit nginx.service has failed.
-- The result is failed.

After restorecon -R -v /etc/nginx/ssl/ and restorecon -R -v /etc/nginx/ssl/*.pem

Nginx started, today was updated ocsp what worked years before, afrer nginx restart i have got same permission denied error.

How it can solve? It’s production server, little bit scare to experiment with it
Thanks

My answer:


SELinux does not expect certificates to be placed in the /etc/nginx directory, so if you place them there they may come up with the wrong contexts.

Store your certificates in the default directory structure under /etc/pki/tls. If you use Let’s Encrypt, and have installed the certbot package, then you can also use /etc/letsencrypt.

Files may also have the wrong context if you mv them instead of cp. On SELinux enabled systems, always remember to copy files and then delete the original if it needs to be deleted, or use mv -Z.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.