
NGINX on CentOS 7 with SELinux issues

Quick setup of NGINX on CentOS 7, enable firewall and fix a few SELinux issues.

Sometimes you just need a quick reference of the last time you did something seemingly easy but every time you come back to it you're like... wtf?! Anyway, notes for those times.

install nginx from epel-release#

yum install epel-release
yum -y install nginx
systemctl start nginx
systemctl enable nginx

enable firewall-cmd#

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

setup user-based website space#

useradd ron.amosa
passwd ron.amosa
mkdir -p /var/www/ronamosa.com/public_html
chown -R ron.amosa:ron.amosa /var/www/ronamosa.com/public_html

setup NGINX for 'VirtualHosts' aka Server Blocks#

mkdir /etc/nginx/sites-available
mkdir /etc/nginx/sites-enabled

configure NGINX#

vim /etc/nginx/nginx.conf

add these two directives inside the 'http {}' block (they are http-context directives, so nginx rejects them anywhere else):

include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;

create block for the jekyll site#

vim /etc/nginx/sites-available/ronamosa.com.conf

add this

server {
    listen       80;
    server_name  ronamosa.com www.ronamosa.com;

    location / {
        root   /var/www/ronamosa.com/public_html;
        index  index.html index.htm;
        try_files $uri $uri/ =404;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

create symlink#

this will connect available sites to enabled sites:

ln -s /etc/nginx/sites-available/ronamosa.com.conf /etc/nginx/sites-enabled/ronamosa.com.conf

restart nginx#

systemctl restart nginx

note

You need to either add the FQDN to /etc/hosts on the machine you're testing from, or point your DNS at the new server (in this example, make www.ronamosa.com resolve to its IP).

SELinux issues#

error: you get a 403 Forbidden when you browse to the site, and the nginx error log shows a permission denied on the index file:

# tail /var/log/nginx/error.log
2017/10/20 18:39:26 [error] 1699#0: *14 "/var/www/ronamosa.com/public_html/index.html" is forbidden (13: Permission denied), client: 172.16.45.15, server: ronamosa.com, request: "GET / HTTP/1.1", host: "www.ronamosa.com"

get 'setools':

yum install -y setools

get semanage (the same package, policycoreutils-python, also provides audit2allow):

# yum provides /usr/sbin/semanage
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.wicks.co.nz
 * epel: mirror.xnet.co.nz
 * extras: ftp.wicks.co.nz
 * updates: ftp.wicks.co.nz
policycoreutils-python-2.5-17.1.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage
# yum install -y policycoreutils-python-2.5-17.1.el7.x86_64

find the SELinux denials in the audit log and have audit2allow turn them into policy module source (-m). Note that 'grep nginx' pulls in every audit record that mentions nginx, not just this one denial, so read the result before compiling it:

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx

check the output:

# cat nginx
module nginx 1.0;

require {
        type httpd_t;
        type var_t;
        class file { getattr open read };
}

#============= httpd_t ==============

#!!!! WARNING: 'var_t' is a base type.
#!!!! The file '/var/www/ronamosa.com/public_html/index.html' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/ronamosa.com/public_html/index.html
allow httpd_t var_t:file { getattr open read };

note: see the WARNING here? You can follow the recommendation and use restorecon... I didn't, and that's my mistake in hindsight. You live, you learn, right? ;)

create a compiled policy package with the -M option:

# grep nginx /var/log/audit/audit.log | audit2allow -M nginx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginx.pp

let's do it, and then check it's installed:

# semodule -i nginx.pp
# semodule -l | grep nginx
nginx   1.0

go back to www.ronamosa.com and voila, it's working :)
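The WARNING that audit2allow printed above is the part worth acting on. var_t is the generic label for /var, so 'allow httpd_t var_t:file { getattr open read };' lets nginx read any file that carries that generic label, not only the docroot; relabeling the docroot is the narrower fix. The script below is an added example for this post, not code from the original write-up or from the SELinux tools: it parses AVC records in the format audit.log uses and sorts each denial into "relabel" (target is a base type, as in the case above), "boolean" (outbound connections from httpd_t, which the shipped httpd_can_network_connect boolean gates) or "policy" (only then is a custom module the right answer). It assumes the stock CentOS 7 targeted policy, which already maps /var/www(/.*)? to httpd_sys_content_t, so a docroot under /var/www needs only restorecon; the docroot path is the one from this post, and the audit log lines embedded at the bottom are constructed for the example.

```python
"""Triage SELinux AVC denials before writing an allow rule with audit2allow.

Added example, not code from the original post or from the SELinux tools.
Parses AVC records (audit.log format) and recommends the narrowest fix.
"""
import re
from collections import defaultdict

# Generic "base" types. A denial against one of these is almost always a
# labeling problem, which is what audit2allow's WARNING is telling you.
BASE_TYPES = {"var_t", "usr_t", "etc_t", "default_t", "home_root_t",
              "root_t", "unlabeled_t"}

# Label the targeted policy expects on static web content.
WEB_CONTENT_TYPE = "httpd_sys_content_t"

# Assumption: stock CentOS 7 policy already maps /var/www(/.*)? to
# WEB_CONTENT_TYPE, so a docroot under it only needs restorecon.
DEFAULT_WEB_ROOT = "/var/www"

AVC_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting parts of one AVC record, or None if it is not one."""
    m = AVC_PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": frozenset(m.group(1).split()),
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name") or fields.get("dest", "?"),
        # contexts look like user:role:TYPE:level; the type is index 2
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def relabel_commands(docroot):
    """Commands that fix a mislabeled docroot instead of widening the policy."""
    cmds = []
    if docroot != DEFAULT_WEB_ROOT and not docroot.startswith(DEFAULT_WEB_ROOT + "/"):
        # A docroot outside /var/www has no default mapping; record one first,
        # otherwise restorecon just reapplies the generic label.
        cmds.append(f'semanage fcontext -a -t {WEB_CONTENT_TYPE} "{docroot}(/.*)?"')
    cmds.append(f"restorecon -Rv {docroot}")
    return cmds


def triage(log_lines, docroot):
    """Group denials by (source type, target type, class) and recommend a fix."""
    groups = defaultdict(set)
    for line in log_lines:
        d = parse_avc(line)
        if d:
            groups[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]

    findings = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        perm_list = " ".join(sorted(perms))
        if ttype in BASE_TYPES:
            # Wrong label on the file: an allow rule on var_t would let the
            # web server read anything carrying the generic /var label.
            action, fix = "relabel", relabel_commands(docroot)
        elif tclass == "tcp_socket" and "name_connect" in perms:
            # Outbound connections from httpd_t are gated by shipped booleans.
            action, fix = "boolean", ["getsebool -a | grep httpd",
                                      "setsebool -P httpd_can_network_connect on"]
        else:
            # Only here is a custom module the right tool; build it from these
            # records alone, not from everything that matches 'grep nginx'.
            action, fix = "policy", [f"allow {stype} {ttype}:{tclass} {{ {perm_list} }};"]
        findings.append({"source": stype, "target": ttype, "tclass": tclass,
                         "perms": perm_list, "action": action, "fix": fix})
    return findings


# Constructed sample records (not a real capture): two file denials against a
# var_t-labeled index.html, one outbound connect, and one non-AVC SYSCALL line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1508481566.123:456): avc:  denied  { getattr } for  pid=1699 comm="nginx" path="/var/www/ronamosa.com/public_html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1508481566.124:457): avc:  denied  { read open } for  pid=1699 comm="nginx" path="/var/www/ronamosa.com/public_html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1508481566.200:458): avc:  denied  { name_connect } for  pid=1699 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1508481566.124:457): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=1697 pid=1699 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG.splitlines(), "/var/www/ronamosa.com/public_html"):
        print(f"{f['source']} -> {f['target']}:{f['tclass']} {{ {f['perms']} }} => {f['action']}")
        for cmd in f["fix"]:
            print("    " + cmd)
```

To undo the over-broad module on a box where it was already installed, remove it with 'semodule -r nginx', run the restorecon command the script prints, and confirm with 'ls -Z /var/www/ronamosa.com/public_html' that the files now show httpd_sys_content_t; the 403 goes away without any custom policy.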
