NGINX on CentOS 7 with SELinux issues

Overview

Sometimes you just need a quick reference of the last time you did something seemingly easy but every time you come back to it you’re like… wtf?! Anyway, notes for those times.

DISCLAIMER: THESE ARE MY NOTES OF WHAT I DID… NOT WHAT YOU SHOULD DO. YOU ARE SMART ENOUGH TO LOOK THINGS UP ON THE INTERNET YOURSELF. YOU’RE A BIG BOY. THESE ARE MY “NOTES”, A DIARY OF WHAT I DID IF YOU WILL. YOU ARE FREE TO OFFER SOME SUGGESTIONS IN THE COMMENTS BOX AND I WILL GLADLY LEARN FROM YOU. OTHERWISE, THESE. ARE. JUST. MY. NOTES.

install nginx from epel-release

yum install epel-release
yum -y install nginx
service nginx start
systemctl enable nginx

enable firewall-cmd

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

set up user-based website space

useradd ron.amosa
passwd ron.amosa
mkdir -p /var/www/ronamosa.com/public_html
chown -R ron.amosa:ron.amosa /var/www/ronamosa.com/public_html

set up NGINX for ‘VirtualHosts’ aka Server Blocks

mkdir /etc/nginx/sites-available
mkdir /etc/nginx/sites-enabled

configure NGINX

vim /etc/nginx/nginx.conf

add after the ‘http{}’ block:

include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;

create a server block for the jekyll site

vim /etc/nginx/sites-available/ronamosa.com.conf

add this:

server {
  listen       80;
  server_name  ronamosa.com www.ronamosa.com;
  location / {
    root   /var/www/ronamosa.com/public_html;
    index  index.html index.htm;
    try_files $uri $uri/ =404;
  }    
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   html;
  }
}

symlink the site from sites-available into sites-enabled so the include line above picks it up:

ln -s /etc/nginx/sites-available/ronamosa.com.conf /etc/nginx/sites-enabled/ronamosa.com.conf

restart nginx

systemctl restart nginx

note: you need to either add the FQDN to /etc/hosts on the machine you’re calling/testing from, or hax your DNS server to point the name (for example www.nginx.com) at your new local.nginx.com site (in my case ronamosa.com)

SELinux issues

error: you get a 403 Forbidden when you try to browse to the site, and the nginx error log shows a permission denied on the index file:

# tail /var/log/nginx/error.log
2017/10/20 18:39:26 [error] 1699#0: *14 "/var/www/ronamosa.com/public_html/index.html" is forbidden (13: Permission denied), client: 172.16.45.15, server: ronamosa.com, request: "GET / HTTP/1.1", host: "www.ronamosa.com"

get ‘setools’:

yum install -y setools

find the package that provides semanage (it also ships audit2allow):

# yum provides /usr/sbin/semanage
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.wicks.co.nz
 * epel: mirror.xnet.co.nz
 * extras: ftp.wicks.co.nz
 * updates: ftp.wicks.co.nz
policycoreutils-python-2.5-17.1.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage

# yum install -y policycoreutils-python-2.5-17.1.el7.x86_64

find the nginx denials in the audit log and have audit2allow turn them into a policy module (-m writes the type enforcement source to stdout):

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx

check the output:

# cat nginx

module nginx 1.0;

require {
        type httpd_t;
        type var_t;
        class file { getattr open read };
}

#============= httpd_t ==============

#!!!! WARNING: 'var_t' is a base type.
#!!!! The file '/var/www/ronamosa.com/public_html/index.html' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/ronamosa.com/public_html/index.html
allow httpd_t var_t:file { getattr open read };

_note: see the WARNING here? you can follow the recommendation and use restorecon… I didn’t and that’s my mistake in hindsight. you live, you learn right? ;)_

create a compiled policy package with the -M option:

grep nginx /var/log/audit/audit.log | audit2allow -M nginx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginx.pp

let’s do it, and then check it’s installed:

# semodule -i nginx.pp
# semodule -l | grep nginx
nginx   1.0

go back to www.ronamosa.com and voila, it’s working :)
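The note above says the allow rule was the wrong fix in hindsight. As an added check that is not part of the original notes, here is a small POSIX sh linter to run on the .te that audit2allow -m wrote, before compiling it with -M and loading it with semodule -i: it refuses the module when audit2allow itself flagged a mislabeled file (restorecon is the fix) or when a rule targets a generic base type such as var_t. The BASE_TYPES list and the function names are my own assumptions, and the sample .te is a constructed copy of the one shown above.

```shell
#!/bin/sh
# Added example, not from the original notes: lint the .te that
# "audit2allow -m nginx > nginx" wrote BEFORE "audit2allow -M" and
# "semodule -i". It refuses modules that only paper over mislabeling.

# Generic base types audit2allow warns about; an allow rule against one of
# these grants nginx far more than the single web root in /var/www.
BASE_TYPES='var_t|usr_t|etc_t|tmp_t|home_root_t|default_t'

# Print the restorecon commands audit2allow recommended inside $1.
restorecon_hints() {
    sed -n 's/^#!!!! Fix with \$ *//p' "$1"
}

# Count allow rules in $1 whose target type is one of BASE_TYPES.
base_type_rules() {
    grep -Ec "^allow +[a-z_]+ +(${BASE_TYPES}):" "$1" || true
}

# Exit 0 when the module is safe to load, 1 when a relabel is the real fix.
lint_te() {
    hints=$(restorecon_hints "$1")
    broad=$(base_type_rules "$1")
    if [ -n "$hints" ]; then
        printf 'mislabeled files; run this instead of loading the module:\n%s\n' "$hints"
        return 1
    fi
    if [ "$broad" -gt 0 ]; then
        printf '%s allow rule(s) target a base type; not loading\n' "$broad"
        return 1
    fi
    return 0
}

# Constructed copy of the nginx.te shown in the notes, so this runs offline.
write_sample_te() {
    cat > "$1" <<'EOF'
module nginx 1.0;
require { type httpd_t; type var_t; class file { getattr open read }; }
#============= httpd_t ==============
#!!!! WARNING: 'var_t' is a base type.
#!!!! The file '/var/www/ronamosa.com/public_html/index.html' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/ronamosa.com/public_html/index.html
allow httpd_t var_t:file { getattr open read };
EOF
}

write_sample_te /tmp/nginx.te
lint_te /tmp/nginx.te && echo 'safe: semodule -i' || echo 'relabel first'
```

On the module from the notes it prints the restorecon command and exits 1; a module whose rules name only a specific type (for example httpd_sys_content_t) and carries no warning passes.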
