NGINX on CentOS 7 with SELinux issues

Quick setup of NGINX on CentOS 7, enable firewall and fix a few SELinux issues.

Sometimes you just need a quick reference of the last time you did something seemingly easy but every time you come back to it you’re like… wtf?! Anyway, notes for those times.

install nginx from epel-release

yum install epel-release
yum -y install nginx
service nginx start
systemctl enable nginx

enable firewall-cmd

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

setup user-based website space

useradd ron.amosa
passwd ron.amosa
mkdir -p /var/www/
chown -R ron.amosa:ron.amosa /var/www/

setup NGINX for ‘VirtualHosts’ aka Server Blocks

mkdir /etc/nginx/sites-available
mkdir /etc/nginx/sites-enabled

configure NGINX

vim /etc/nginx/nginx.conf

add after the ‘http{}’ block:

include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;

create block for the jekyll site

vim /etc/nginx/sites-available/

add this

server {
  listen       80;
  location / {
    root   /var/www/;
    index  index.html index.htm;
    try_files $uri $uri/ =404;
  }
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   html;
  }
}

this will connect available sites to enabled sites: ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

restart nginx

systemctl restart nginx

note: you need to either add the FQDN to your /etc/hosts local to where you’re calling/testing from, or hax your DNS server to point (example) to your new site (in my case

SELinux issues

error : you get a 403 Forbidden when you try to browse to

# tail /var/log/nginx/error.log
2017/10/20 18:39:26 [error] 1699#0: *14 "/var/www/" is forbidden (13: Permission denied), client:, server:, request: "GET / HTTP/1.1", host: ""

get ‘setools’:

yum install -y setools

get semanage (comes with audit2allow):

# yum provides /usr/sbin/semanage
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
policycoreutils-python-2.5-17.1.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage

# yum install -y policycoreutils-python-2.5-17.1.el7.x86_64

find selinux errors in log, use audit2allow to format out a fix:

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx

check the output:

# cat nginx

module nginx 1.0;

require {
        type httpd_t;
        type var_t;
        class file { getattr open read };
}

#============= httpd_t ==============

#!!!! WARNING: 'var_t' is a base type.
#!!!! The file '/var/www/' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/www/
allow httpd_t var_t:file { getattr open read };

note: see the WARNING here? you can follow the recommendation and use restorecon… I didn’t and that’s my mistake in hindsight. you live, you learn right? ;)
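Added example, not from the original post: a small POSIX sh helper that reads an nginx AVC denial from audit.log, tells whether the target label is a generic type like var_t (the mislabel the WARNING above is about) and prints the semanage/restorecon relabel commands instead of building a custom allow module. The audit line is constructed for illustration and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: classify an nginx AVC denial
# from /var/log/audit/audit.log and print the relabel fix that audit2allow's
# WARNING points at, instead of a blanket "allow httpd_t var_t" rule.
# Assumes the CentOS 7 audit.log AVC line format. SAMPLE_AVC is constructed
# for illustration; pid and inode values are made up.
SAMPLE_AVC='type=AVC msg=audit(1508524766.123:456): avc:  denied  { read } for  pid=1699 comm="nginx" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# Pull one key=value field (e.g. tcontext) out of an AVC line.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# The type is the third component of a context: user:role:type:level.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}
avc_target_type() { ctx_type "$(avc_field tcontext "$1")"; }

# Decide the remedy for one AVC line:
#   ignore  - the denied process is not nginx (it runs as httpd_t)
#   relabel - the target has a generic type such as var_t, so the content is
#             mislabeled and wants httpd_sys_content_t, not a custom module
#   review  - anything else; read the denial before touching policy
remedy_for_avc() {
  [ "$(ctx_type "$(avc_field scontext "$1")")" = httpd_t ] || { echo ignore; return 0; }
  case "$(avc_target_type "$1")" in
    var_t|default_t|unlabeled_t) echo relabel ;;
    *) echo review ;;
  esac
}

# Print (do not run) the persistent relabel commands for a web root:
# the semanage rule survives future relabels, restorecon applies it now.
relabel_commands() {
  webroot=${1%/}
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$webroot"
  printf 'restorecon -R -v %s\n' "$webroot"
}

# Walk a whole audit.log and emit "remedy target_type" per nginx denial.
scan_audit_log() {
  grep 'type=AVC' "$1" | grep 'comm="nginx"' | while IFS= read -r line; do
    printf '%s %s\n' "$(remedy_for_avc "$line")" "$(avc_target_type "$line")"
  done | sort -u
}

# Demo on the constructed sample line.
if [ "$(remedy_for_avc "$SAMPLE_AVC")" = relabel ]; then
  relabel_commands /var/www/
fi
```

Run `scan_audit_log /var/log/audit/audit.log` on a real box to see every distinct nginx denial and its suggested remedy before deciding whether any custom module is needed at all.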

create a compiled policy with the -M option:

grep nginx /var/log/audit/audit.log | audit2allow -M nginx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginx.pp

let’s do it, and then check it’s installed:

# semodule -i nginx.pp
# semodule -l | grep nginx
nginx   1.0

go back to and voila, it’s working :)