Question

I'm confused

2014/05/12 09:36:51 [error] 25928#0: *1 open() "/home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html" failed (13: Permission denied), client: 128.68.154.57, server: localhost, request: "GET /test.html HTTP/1.1"

Here are the permissions:

[root@vsfedora OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64]# namei -l /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
f: /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwxrwx--- dev  dev  dev
drwxr-xr-x dev  dev  OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64
drwxr-xr-x dev  dev  packages
-rw-rw-r-- dev  dev  test.html

Here is the group:

dev:x:1000:nginx

The nginx worker process is running as the nginx user:

[root@vsfedora ~]# ps aux|grep nginx
root     26494  0.0  0.3 111588  3796 ?        Ss   11:07   0:00 nginx: master process /usr/sbin/nginx
nginx    26495  0.0  0.5 111932  5116 ?        S    11:07   0:00 nginx: worker process

The server section in nginx.conf:

server {
    location / {
        autoindex on;
        root /usr/share/nginx/html;
    }
}

The symlink is also fine:

lrwxrwxrwx. 1 0 0   65 May 12 10:10 packages -> /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages

Solution

It's an SELinux issue.

tail /var/log/audit/audit.log

type=AVC msg=audit(1399879586.183:2081199): avc:  denied  { search } for  pid=26495 comm="nginx" name="dev" dev="dm-1" ino=269277 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1399879586.183:2081199): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd65ed2219 a1=800 a2=0 a3=0 items=0 ppid=26494 pid=26495 auid=4294967295 uid=996 gid=1000 euid=996 suid=996 fsuid=996 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)

A detailed explanation and resolution can be found here
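
The two audit records above, read programmatically, as an added example that is not part of the original answer: it pairs the AVC and SYSCALL records by their shared event serial and pulls out the fields that mark the denial as SELinux rather than file-mode related (source type httpd_t refused search on a directory typed user_home_dir_t, while the syscall returns EACCES). The function and variable names are illustrative.

```python
import errno
import re

# The two records quoted in the answer above (same audit event, serial 2081199).
AUDIT_LINES = [
    'type=AVC msg=audit(1399879586.183:2081199): avc:  denied  { search } for  pid=26495 comm="nginx" name="dev" dev="dm-1" ino=269277 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1399879586.183:2081199): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd65ed2219 a1=800 a2=0 a3=0 items=0 ppid=26494 pid=26495 auid=4294967295 uid=996 gid=1000 euid=996 suid=996 fsuid=996 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{ ([^}]*) \}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into a dict of its key=value fields."""
    head = HEADER.match(line)
    if head is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
    rec['type'], rec['serial'] = head.group(1), head.group(2)
    perms = PERMS.search(line)
    if perms:
        rec['perms'] = perms.group(1).split()
    return rec

def explain_denials(lines):
    """Pair each AVC denial with the SYSCALL record that shares its serial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault(rec['serial'], {})[rec['type']] = rec
    findings = []
    for serial, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc is None:
            continue
        findings.append({
            'serial': serial, 'process': avc.get('comm'),
            'denied': avc.get('perms', []), 'object': avc.get('name'),
            'tclass': avc.get('tclass'),
            # Contexts are user:role:type:level; the type field drives the decision.
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'errno': errno.errorcode.get(-int(sc['exit'])) if 'exit' in sc else None,
            'egid': sc.get('egid'),
        })
    return findings

if __name__ == '__main__':
    for finding in explain_denials(AUDIT_LINES):
        print(finding)
```

The reported egid of 1000 matches the gid of group dev shown in the question, and the denied object is the directory named dev, the drwxrwx--- entry in the namei output.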

OTHER TIPS

Per the documentation on the user directive, nginx uses a group name equal to the user name if you omit the group name. So you have to explicitly use user nginx dev; in your nginx.conf.

Licensed under: CC-BY-SA with attribution