Disabling SELinux in CentOS 7
At work, I use CentOS 7. I have Nginx running as a front-end reverse proxy to Unicorn.
After installing and configuring Nginx, it refused to start with the service command.
sudo service nginx restart
This was the error displayed:
$ sudo service nginx restart
Redirecting to /bin/systemctl restart nginx.service
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
$ sudo systemctl status nginx.service
nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since ....
Docs: http://nginx.org/en/docs/
Process: 9867 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
Process: 9872 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
Main PID: 2939 (code=exited, status=0/SUCCESS)
.... systemd: Starting nginx - high performance web server...
.... nginx: nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (13: Permission denied)
.... nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
.... systemd: nginx.service: control process exited, code=exited status=1
.... systemd: Failed to start nginx - high performance web server.
.... systemd: Unit nginx.service entered failed state.
That error shows up because SELinux was enabled in CentOS 7. SELinux has two components - the kernel mechanism which enforces access rules that apply to processes and files, and file labels. You can check the file labels with
Temporarily disable SELinux
To temporarily disable SELinux until the next server reboot, run this command:
sudo setenforce 0
Then, restart Nginx.
sudo service nginx restart
It ran successfully and I was able to view the Rails application.
Permanently disable SELinux
To disable SELinux permanently so that it continues to be disabled after a reboot, follow these steps.
Search for this line.
Change it to this:
Now, the change is permanent. After the server is rebooted, SELinux will continue to be disabled.
Okay, this is not the most secure solution, but for my applications, this is good enough. The correct way is configuring Nginx to work with SELinux enabled by setting it to PERMISSIVE. Unfortunately, I haven't done it at this time, but will update this post when I get to it.
Temporarily enable SELinux
To temporarily enable SELinux, run this command:
sudo setenforce 1
If your Nginx policy is not set, the Nginx process will be blocked from running.
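To see which access SELinux blocked for Nginx, the AVC denial records in the audit log can be summarised by process name, permission, object and label types. The script below is an added example, not part of the original post: the function name summarize_avc is hypothetical and the log lines in SAMPLE_AUDIT are constructed samples in the audit.log AVC record format.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name.
# SAMPLE_AUDIT is constructed for illustration (audit.log AVC record format).
SAMPLE_AUDIT='type=AVC msg=audit(1455181200.101:412): avc:  denied  { open } for  pid=9872 comm="nginx" path="/etc/nginx/nginx.conf" dev="dm-0" ino=261133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1455181200.101:412): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1455181260.007:431): avc:  denied  { name_connect } for  pid=9901 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455181300.550:440): avc:  denied  { read } for  pid=1200 comm="crond" name="0hourly" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# summarize_avc COMM: read audit records on stdin and print one line per
# denial for COMM as: permissions|object|source_type|target_type|class
summarize_avc() {
    awk -v want="$1" '
    /^type=AVC / && / denied / {
        perm = ""; comm = ""; obj = "-"; src = ""; tgt = ""; cls = ""
        inperm = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between "{" and "}".
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perm = (perm == "" ? $i : perm "," $i); continue }
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "path") obj = val            # full path wins
            else if (key == "name" && obj == "-") obj = val
            else if (key == "dest" && obj == "-") obj = "port:" val
            else if (key == "scontext") src = ctx_type(val)
            else if (key == "tcontext") tgt = ctx_type(val)
            else if (key == "tclass") cls = val
        }
        if (comm == want) print perm "|" obj "|" src "|" tgt "|" cls
    }
    # An SELinux context is user:role:type:level; the type drives the decision.
    function ctx_type(c,   p) { split(c, p, ":"); return p[3] }
    '
}

# Stand-alone run on the constructed sample. On a real host the input would be:
#   sudo grep AVC /var/log/audit/audit.log | summarize_avc nginx
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc nginx
```

A target type such as user_home_t on a file under /etc/nginx usually means the file was moved in from a home directory and kept its old label; sudo restorecon -v on that path resets it to the policy default while SELinux stays enforcing.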
Posted on 11 Feb 2016