Upgrade to 6.6 Changes Nginx/SELinux Interaction?

General support questions
mevans336
Posts: 47
Joined: 2007/09/06 15:19:57

Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by mevans336 » 2014/10/30 00:43:55

I upgraded two of my keepalived nginx load balancers to 6.6 tonight and suddenly, when starting nginx, it can no longer access /srv/ssl/ where I keep my SSL certificates and keys.


[root@host ssl]# service nginx restart
nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
I've tried a restorecon -v -R /srv/ssl but I still receive the same error.

If I setenforce 0 nginx operates normally.

I copied the certs to /etc/nginx/ssl and the nginx daemon can now start, but half its abilities are broken, again due to SELinux:


2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
Again, setenforce 0 immediately allows nginx to operate as before.

Nginx was installed from the official Nginx yum repo.

I'm not sure why this has worked fine on 6.5, but the upgrade to 6.6 has broken it on BOTH of my servers.

Any suggestions on where to start? I don't want to leave SELinux disabled since these servers are internet facing.

(EDIT)

Here is the output of ls -lrtZ /etc/nginx


-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
Last edited by mevans336 on 2014/10/30 14:47:59, edited 1 time in total.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by gerald_clark » 2014/10/30 01:18:59

The nginx available from epel is more likely to work correctly with CentOS.

mevans336
Posts: 47
Joined: 2007/09/06 15:19:57

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by mevans336 » 2014/10/30 01:22:12

gerald_clark wrote:The nginx available from epel is more likely to work correctly with CentOS.
I agree and I will see if installing it from EPEL allows me to re-enable SELinux.

However, I'd still like to know why everything worked fine in 6.5, but upgrading to 6.6 broke it.

tapash
Posts: 3
Joined: 2014/02/04 11:11:04

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by tapash » 2014/10/30 12:37:50

I am also having the same problem since I upgraded to 6.6.
My nginx server is only functional if I run setenforce 0.
Are there any disadvantages to disabling SELinux?

mevans336
Posts: 47
Joined: 2007/09/06 15:19:57

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by mevans336 » 2014/10/30 14:20:52

tapash wrote:I am also having the same problem since I upgraded to 6.6.
My nginx server is only functional if I run setenforce 0.
Are there any disadvantages to disabling SELinux?
Reduced security. I run it for its ability to reduce privilege escalation attacks, as those seem to be the most common.

See here: https://access.redhat.com/documentation ... ng_SELinux

mevans336
Posts: 47
Joined: 2007/09/06 15:19:57

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by mevans336 » 2014/10/30 14:36:22

Update: The version available in EPEL is absolutely ancient. I'm guessing it was deprecated after Nginx released their official RHEL/CentOS repositories?

EPEL = 1.0.15
Nginx Stable = 1.6.0

Just for kicks I uninstalled and re-installed Nginx from the official Nginx yum repository and that didn't help the issue. I am planning to post in their forums as well.

sercan
Posts: 2
Joined: 2014/10/30 17:23:07

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by sercan » 2014/10/30 20:34:25

I fixed it with the following commands, but I don't know if there is a better solution.

grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp

This installs a new policy to SELinux for Nginx, so it stops blocking.

mevans336
Posts: 47
Joined: 2007/09/06 15:19:57

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by mevans336 » 2014/10/31 14:57:13

sercan wrote:I fixed it with the following commands, but I don't know if there is a better solution.

grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp

This installs a new policy to SELinux for Nginx, so it stops blocking.
That did it for me as well. Thanks sercan. Does this save the policy so it survives a reboot?

mevans336
Posts: 47
Joined: 2007/09/06 15:19:57

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by mevans336 » 2014/10/31 15:07:02

And here is the root cause, provided by the Nginx mailing list. The upgrade to 6.6 relabels the security context for Nginx and prepends an httpd_:

http://forum.nginx.org/read.php?2,25445 ... msg-254473

So if you create any files/directories yourself (like a .conf file, or a folder for your SSL certs) they don't have the correct security context.

I'm not sure if this is a CentOS 6.6 issue or an Nginx issue (my knowledge of SELinux is pathetic ... perhaps it's time to pursue that RHCE after all), but the post by sercan resolves it for now. I'm going to post that solution to the mailing list (giving credit to sercan of course) to hopefully help whoever resolves this, so patching SELinux or upgrading to CentOS 6.7 doesn't break it all over again.
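Added example for the audit2allow procedure in sercan's post and the relabelling root cause above; this is editor-supplied code, not from any poster. The caveat a practitioner wants here: `audit2allow -M` turns every denial in the log into an allow rule (for a cert in an unlabelled directory that becomes something like `allow httpd_t var_t:file read;`, which lets nginx read every var_t file on the box), whereas the two symptoms in the thread each have a narrower fix. The OP's `restorecon` could not help because the default file contexts have no rule for /srv/ssl, so the cure for the certificate error is to add one (`semanage fcontext -a -t httpd_config_t '/srv/ssl(/.*)?'` followed by `restorecon -Rv /srv/ssl`, matching the label the thread's `ls -Z` shows on /etc/nginx), and the cure for the `connect()` to port 8080 is a boolean (`setsebool -P httpd_can_network_connect on`, or the narrower `httpd_can_network_relay` for proxy ports). The script below classifies AVC records the way `audit2why` would before you hand anything to `audit2allow`; it assumes the CentOS 6 targeted policy (nginx in the httpd_t domain, 8080 labelled http_cache_port_t), and the audit lines it runs on are constructed samples, not the OP's log.

```bash
#!/bin/bash
# Added example for this thread (not code from any poster): triage nginx AVC
# denials and map each to a targeted SELinux fix, instead of feeding the whole
# audit log to audit2allow. Assumes the CentOS/RHEL 6 targeted policy: nginx
# runs in the httpd_t domain, /etc/nginx is httpd_config_t (as the ls -Z output
# in the thread shows), and port 8080 carries the http_cache_port_t label.

# Constructed sample audit records, not taken from the original post.
SAMPLE_AVC='type=AVC msg=audit(1414629600.101:1001): avc:  denied  { read } for  pid=4401 comm="nginx" name="cert-rekey.crt" dev=dm-0 ino=131187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1414629600.101:1001): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1414629600.102:1002): avc:  denied  { name_connect } for  pid=4407 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1414629600.103:1003): avc:  denied  { write } for  pid=4407 comm="nginx" name="index.html" dev=dm-0 ino=262300 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1414629600.104:1004): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" dev=dm-0 ino=1300 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# avc_hint: read audit records on stdin, print one hint per httpd_t denial.
#   relabel NAME from=TYPE to=httpd_config_t  -> semanage fcontext + restorecon on the dir
#   boolean NAME port=N type=TYPE             -> setsebool -P NAME on
#   review CLASS PERM NAME from=TYPE          -> nothing that should be allowed blindly
avc_hint() {
    awk '
    /avc: +denied/ {
        # the denied permission set is the text inside { ... }
        match($0, /[{][^}]*[}]/)
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
        # collect every key=value token of the record, quotes stripped
        split("", f)
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) { v = kv[2]; gsub(/"/, "", v); f[kv[1]] = v }
        split(f["scontext"], s, ":"); split(f["tcontext"], t, ":")
        if (s[3] != "httpd_t") next        # only the nginx/httpd domain matters here
        if (f["tclass"] == "tcp_socket" && perm == "name_connect")
            print "boolean httpd_can_network_connect port=" f["dest"] " type=" t[3]
        else if (f["tclass"] == "file" && (perm == "read" || perm == "open" || perm == "getattr"))
            print "relabel " f["name"] " from=" t[3] " to=httpd_config_t"
        else
            print "review " f["tclass"] " " perm " " f["name"] " from=" t[3]
    }'
}

# Stand-alone run: show what the constructed sample produces.
printf '%s\n' "$SAMPLE_AVC" | avc_hint
```

On a real host feed it `ausearch -m avc -c nginx` (or the same `grep nginx /var/log/audit/audit.log` sercan used) instead of the sample. Only what is left in the "review" bucket after relabelling and booleans is a candidate for a custom module, and even then read the generated nginx.te before `semodule -i`.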

sercan
Posts: 2
Joined: 2014/10/30 17:23:07

Re: Upgrade to 6.6 Changes Nginx/SELinux Interaction?

Post by sercan » 2014/11/03 20:47:21

Yes it survives reboot. Sorry for the late reply. :)
