NGINX on CentOS 7 with SELinux issues

Overview

Sometimes you just need a quick reference of the last time you did something seemingly easy but every time you come back to it you’re like… wtf?! Anyway, notes for those times.

install nginx from EPEL, start it, and enable it at boot

yum install epel-release
yum -y install nginx
systemctl start nginx
systemctl enable nginx

open http and https in firewalld

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

set up the site owner and the web root

useradd ron.amosa
passwd ron.amosa
mkdir -p /var/www/ronamosa.com/public_html
chown -R ron.amosa:ron.amosa /var/www/ronamosa.com/public_html

set up NGINX server blocks (nginx's equivalent of Apache VirtualHosts) with a Debian-style sites-available/sites-enabled layout

mkdir /etc/nginx/sites-available
mkdir /etc/nginx/sites-enabled

configure NGINX

vim /etc/nginx/nginx.conf

add these two lines inside the http {} block, just before its closing brace (server blocks are only valid in the http context, so an include placed after the block fails nginx -t):

include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;

create a server block for the Jekyll site

vim /etc/nginx/sites-available/ronamosa.com.conf

add this:

server {
  listen       80;
  server_name  ronamosa.com www.ronamosa.com;
  location / {
    root   /var/www/ronamosa.com/public_html;
    index  index.html index.htm;
    try_files $uri $uri/ =404;
  }
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   html;
  }
}

link the available site into sites-enabled (only linked sites get included):

ln -s /etc/nginx/sites-available/ronamosa.com.conf /etc/nginx/sites-enabled/ronamosa.com.conf

restart nginx

systemctl restart nginx

note: the name has to resolve to the new server before you can test it. Either add the FQDN to /etc/hosts on the machine you are testing from, or point a DNS record for the site (in my case ronamosa.com) at the new host.
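The steps above (write the server block, link it into sites-enabled, restart) as one script. This is an added example, not code from the original notes: it assumes the sites-available/sites-enabled layout created above, uses two variable names of its own (NGINX_AVAILABLE and NGINX_ENABLED) so it can be dry-run in a scratch directory, and adds two checks the notes skip: nginx -t before a reload (a reload keeps live connections open and leaves the old configuration running if the test fails, where a restart drops both), and a catch-all default_server so that requests whose Host header matches no server_name are dropped instead of being answered by whichever block nginx finds first.

```bash
#!/bin/bash
# Added example, not code from the original notes: write a server block, link
# it into sites-enabled, and validate before reloading. The directory layout
# defaults to the one used above; NGINX_AVAILABLE / NGINX_ENABLED (assumed
# variable names) override it so the script can be dry-run in a scratch dir.
set -eu

available_dir() { printf '%s' "${NGINX_AVAILABLE:-/etc/nginx/sites-available}"; }
enabled_dir()   { printf '%s' "${NGINX_ENABLED:-/etc/nginx/sites-enabled}"; }

# write_server_block DOMAIN WEBROOT -> prints the path of the config written.
write_server_block() {
  local domain=$1 root=$2 conf
  conf="$(available_dir)/$domain.conf"
  mkdir -p "$(available_dir)" "$(enabled_dir)"
  cat > "$conf" <<EOF
server {
    listen       80;
    server_name  $domain www.$domain;
    root         $root;
    index        index.html index.htm;

    # refuse dotfiles such as .git or editor backups that end up in the web root
    location ~ /\. { deny all; }

    location / { try_files \$uri \$uri/ =404; }
}
EOF
  printf '%s\n' "$conf"
}

# write_catchall -> a default_server that drops requests whose Host header
# matches no server_name (nginx would otherwise answer them with the first
# block it finds). The stock /etc/nginx/nginx.conf on CentOS 7 already declares
# a default_server on port 80; remove that block first or nginx -t reports a
# duplicate default server.
write_catchall() {
  local conf
  conf="$(available_dir)/00-default.conf"
  mkdir -p "$(available_dir)"
  cat > "$conf" <<'EOF'
server {
    listen      80 default_server;
    server_name _;
    return      444;
}
EOF
  printf '%s\n' "$conf"
}

# enable_site DOMAIN -> symlink the config into sites-enabled, then test the
# whole configuration and reload. Reload (not restart): open connections are
# kept, and a failed test leaves the running configuration untouched.
# The test/reload only runs when writing into the live /etc/nginx layout.
enable_site() {
  local conf link
  conf="$(available_dir)/$1.conf"
  link="$(enabled_dir)/$1.conf"
  if [ ! -f "$conf" ]; then
    printf 'no such site config: %s\n' "$conf" >&2
    return 1
  fi
  ln -sfn "$conf" "$link"
  if [ "$(enabled_dir)" = /etc/nginx/sites-enabled ] && command -v nginx >/dev/null 2>&1; then
    nginx -t && systemctl reload nginx
  fi
}

# usage: enable-site.sh DOMAIN WEBROOT
if [ "$#" -eq 2 ]; then
  write_server_block "$1" "$2" >/dev/null
  enable_site "$1"
fi
```

For the site on this page that is `enable-site.sh ronamosa.com /var/www/ronamosa.com/public_html`; to dry-run it first, set NGINX_AVAILABLE and NGINX_ENABLED to a scratch directory and source the script, then call the functions by hand.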

SELinux issues

symptom: you get a 403 Forbidden when you browse to the site, and the nginx error log shows a permission-denied error on the index file:

# tail /var/log/nginx/error.log
2017/10/20 18:39:26 [error] 1699#0: *14 "/var/www/ronamosa.com/public_html/index.html" is forbidden (13: Permission denied), client: 172.16.45.15, server: ronamosa.com, request: "GET / HTTP/1.1", host: "www.ronamosa.com"

get setools (optional; audit2allow is not part of it):

yum install -y setools

get semanage and audit2allow (both ship in policycoreutils-python; yum provides finds the package for you):

# yum provides /usr/sbin/semanage
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.wicks.co.nz
 * epel: mirror.xnet.co.nz
 * extras: ftp.wicks.co.nz
 * updates: ftp.wicks.co.nz
policycoreutils-python-2.5-17.1.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage

# yum install -y policycoreutils-python

pull the nginx denials out of the audit log and have audit2allow draft a policy module from them (-m prints the module as text so you can read it before compiling anything):

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx

check the output:

# cat nginx

module nginx 1.0;

require {
        type httpd_t;
        type var_t;
        class file { getattr open read };
}

#============= httpd_t ==============

#!!!! WARNING: 'var_t' is a base type.
#!!!! The file '/var/www/ronamosa.com/public_html/index.html' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/ronamosa.com/public_html/index.html
allow httpd_t var_t:file { getattr open read };

read the warning before going further: audit2allow is telling you the web root is mislabeled (var_t is the base type for /var, not a web content type) and that the fix is restorecon. The allow rule it drafted instead lets httpd_t read every file labeled var_t on the system, far more than one web root. If you still want the module (say, in a lab), compile it with the -M option:

grep nginx /var/log/audit/audit.log | audit2allow -M nginx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginx.pp

let's do it, then check it's installed:

# semodule -i nginx.pp
# semodule -l | grep nginx
nginx   1.0

go back to www.ronamosa.com and voila, it's working :) It works because httpd_t may now read any var_t file, not because the web root is labeled correctly; once the directory carries the httpd_sys_content_t label the module is unnecessary and can be removed with semodule.
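The warning in the audit2allow output is the real finding, so here is the triage a practitioner would do instead of (or before) loading the module. This is an added example, not the notes' own procedure: it reads AVC lines in the format of /var/log/audit/audit.log (the three lines embedded in it are constructed for the example, including the made-up third denial), sorts each denial into relabel, boolean or inspect, and prints the relabel commands for a web root. The function names (avc_denials, classify_denial, triage, relabel_commands) are this example's own. The reason the web root ended up as var_t is that the EPEL nginx package serves from /usr/share/nginx/html and never creates /var/www, so mkdir -p created /var/www fresh and it inherited the var_t label of /var; the policy's file-context rule for /var/www(/.*)? is only applied when restorecon runs. Note also that grep nginx matches any audit line containing that string, paths included; ausearch -m avc -c nginx is the precise filter.

```bash
#!/bin/bash
# Added example, not part of the original notes. Triage nginx AVC denials the
# way audit2allow's warning suggests: a denial on a base type such as var_t
# means the content is mislabeled and wants a relabel, not a new allow rule.
# Assumes CentOS 7 paths and policycoreutils-python (for semanage). Nothing is
# applied here; relabel_commands only prints what to run.
set -u

# Constructed sample audit.log lines (fabricated: pid, inode, timestamps and
# the third denial are made up). The first two match the 403 in the notes.
SAMPLE_AUDIT='type=AVC msg=audit(1508478000.123:456): avc:  denied  { read } for  pid=1699 comm="nginx" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1508478001.456:457): avc:  denied  { getattr } for  pid=1699 comm="nginx" path="/var/www/ronamosa.com/public_html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1508478002.789:458): avc:  denied  { name_connect } for  pid=1699 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit lines on stdin; print "target_type tclass permissions" for each
# denial whose source domain is httpd_t (the domain nginx runs in).
avc_denials() {
  awk '/avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
    perm = $0;   sub(/.*denied +[{] */, "", perm);              sub(/ *[}].*/, "", perm)
    ttype = $0;  sub(/.*tcontext=[^ ]*:object_r:/, "", ttype);  sub(/:.*/, "", ttype)
    tclass = $0; sub(/.*tclass=/, "", tclass);                  sub(/ .*/, "", tclass)
    print ttype, tclass, perm
  }'
}

# Decide what kind of fix a denial calls for.
classify_denial() {
  local ttype=$1 tclass=$2 perm=$3
  case "$tclass" in
    file|dir|lnk_file)
      case "$ttype" in
        httpd_*) echo inspect ;;  # already a web type: check rw/exec types and booleans first
        *)       echo relabel ;;  # base type (var_t, default_t, ...): content is mislabeled
      esac ;;
    tcp_socket)
      case "$perm" in
        *name_connect*) echo boolean ;;  # an httpd_can_network_* boolean, not a custom module
        *)              echo inspect ;;
      esac ;;
    *) echo inspect ;;
  esac
}

# One line per denial: "<fix-class> <permissions> <target_type> <tclass>".
triage() {
  avc_denials | while read -r ttype tclass perm; do
    printf '%s %s %s %s\n' "$(classify_denial "$ttype" "$tclass" "$perm")" "$perm" "$ttype" "$tclass"
  done
}

# Print the commands that give a web root the httpd_sys_content_t label.
# The stock policy already maps /var/www(/.*)? to that type, so under /var/www
# only restorecon is needed; anywhere else add a file-context rule first so
# the label survives the next full relabel.
relabel_commands() {
  local root=$1
  case "$root" in
    /var/www|/var/www/*) ;;
    *) printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root" ;;
  esac
  printf 'restorecon -Rv %s\n' "$root"
}

printf '%s\n' "$SAMPLE_AUDIT" | triage
relabel_commands /var/www
```

Run it with no arguments to see the sample triage. To fix the 403 on this page, run the line it prints for /var/www (restorecon -Rv /var/www) and confirm with ls -dZ /var/www/ronamosa.com/public_html that the type is now httpd_sys_content_t. The relabel touches one directory tree; the allow httpd_t var_t:file rule that audit2allow drafted would let nginx read every var_t file on the box.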
