
Disabling SELinux in CentOS 7

At work, I use CentOS 7. I have Nginx running as a front-end reverse proxy to Unicorn.

After installing and configuring Nginx, it refused to start with the service command.

  sudo service nginx restart 

This was the error displayed:

$ sudo service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.

$ sudo systemctl status nginx.service
nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: failed (Result: exit-code) since ....
     Docs: http://nginx.org/en/docs/
  Process: 9867 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
  Process: 9872 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
  Main PID: 2939 (code=exited, status=0/SUCCESS)

.... systemd[1]: Starting nginx - high performance web server...
.... nginx[9872]: nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (13: Permission denied)
.... nginx[9872]: nginx: configuration file /etc/nginx/nginx.conf test failed
.... systemd[1]: nginx.service: control process exited, code=exited status=1
.... systemd[1]: Failed to start nginx - high performance web server.
.... systemd[1]: Unit nginx.service entered failed state.

That error shows up because SELinux was enabled in CentOS 7. SELinux has two components: the kernel mechanism, which enforces access rules that apply to processes and files, and the file labels those rules refer to. You can check the file labels with ls -Z.
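To see which label caused a "Permission denied" like the one above, you can read the SELinux denial record itself. The script below is an added example, not part of the original post. Its AVC record is a constructed sample, the function names are hypothetical, and httpd_config_t as the expected type for files under /etc/nginx is an assumption based on the stock targeted policy.

```sh
#!/bin/sh
# Added example: read an SELinux denial instead of switching enforcement off.
# On a live host the records are in /var/log/audit/audit.log
# (for example: sudo ausearch -m avc -ts recent).

# Constructed sample AVC record, not taken from the original post; the pid and
# command mirror the failing "nginx -t" in the systemctl output above.
SAMPLE_AVC='type=AVC msg=audit(1455180000.123:456): avc:  denied  { read } for  pid=9872 comm="nginx" name="nginx.conf" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the type (third colon-separated field) of a context user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the value of one key=value pair from an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# Print the denied permission(s) listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# One-line summary: which process domain was denied what, on which label.
avc_summary() {
    printf '%s (%s) denied {%s} on %s "%s" labelled %s\n' \
        "$(avc_field "$1" comm)" \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# Succeed when a context carries the expected type.
# Assumption: httpd_config_t is the targeted-policy type for /etc/nginx.
label_ok() {
    [ "$(context_type "$1")" = "${2:-httpd_config_t}" ]
}

avc_summary "$SAMPLE_AVC"
if ! label_ok "$(avc_field "$SAMPLE_AVC" tcontext)"; then
    echo "label mismatch: compare with 'ls -Z /etc/nginx/nginx.conf';" \
         "'sudo restorecon -v /etc/nginx/nginx.conf' resets the default label"
fi
```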

Temporarily disable SELinux

To temporarily disable SELinux until the next server reboot, run this command, which switches it to permissive mode (denials are logged but no longer enforced):

  sudo setenforce 0

Then, restart Nginx.

  sudo service nginx restart 

It ran successfully and I was able to view the Rails application.

Permanently disable SELinux

To disable SELinux permanently so that it continues to be disabled after a reboot, follow these steps.

Edit /etc/selinux/config

Search for this line.

  SELINUX=enforcing

Change it to this:

  SELINUX=disabled

Now, the change is permanent. After the server is rebooted, SELinux will continue to be disabled.

Okay, this is not the most secure solution, but for my applications, this is good enough. The correct way is configuring Nginx to work with SELinux enabled by setting it to PERMISSIVE. Unfortunately, I haven't done it at this time, but will update this post when I get to it.

Temporarily enable SELinux

To temporarily enable SELinux, run this command:

  sudo setenforce 1

If your Nginx policy is not set, the Nginx process will be blocked from running.

Posted on 11 Feb 2016
