selinux fail with Fedora Server 28 + Nginx => 403 forbidden
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    May 2016
    Location
    usa
    Posts
    43
    Linux (Ubuntu) Firefox 62.0

    selinux fail with Fedora Server 28 + Nginx => 403 forbidden

    searching shows a lot of people besides ourselves having this problem on fedora server - fyi: does not occur on debian or ubuntu
    we have tried many of the "hack solutions" shown on SO - none work

    namei -om /var/www/oursite/public_html/website =>
    drwxr-xr-x root root var (same for each )

    1) we have reset total path permissions sudo chmod 0+x -R /var/www/oursite/public_html/website => 403 forbidden

    2) we changed sudo chown nginx:nginx /var/www/oursite/public_html/website => 403 forbidden

    3) changed nginx user to root => 403 forbidden

    4) sudo setenforce Permissive => works - but turning off selinux is obviously a security problem and since resets on reboot, any time server is rebooted, this has to be manually reset - unacceptable solution

    This seems a serious bug in selinux

  2. #2
    Join Date
    Oct 2011
    Posts
    1,865
    Linux Chrome 68.0.3440.106

    Re: selinux fail with Fedora Server 28 + Nginx => 403 forbidden

    Default path for html content is '/var/www/html/'. If you are making a custom path you also have to label the files correctly so that selinux knows what to allow. Pretty sure it is not a bug in selinux-policy since a web server is one of the most used pieces of software.

    https://access.redhat.com/documentat...labeling_files

  3. #3
    Join Date
    Oct 2011
    Posts
    1,865
    Linux Chrome 68.0.3440.106

    Re: selinux fail with Fedora Server 28 + Nginx => 403 forbidden

    On second thought, from '/var/www/oursite', 'oursite' should inherit its label from '/var/www'. Just running 'restorecon -R' on 'oursite' should do the trick. I suspect 'oursite' was copied from somewhere else, thus the wrong labels were copied with it.

  4. #4
    Join Date
    Feb 2015
    Location
    Colorado
    Posts
    16
    Linux Firefox 62.0

    Re: selinux fail with Fedora Server 28 + Nginx => 403 forbidden

    when you use a different root path for your data files, you have to let Nginx know the data files will now be in a different directory.
    You need to change a line in /etc/nginx/nginx.conf

    In the Server section of the conf file, I had the following directory as default
    root /usr/share/nginx/html;

    First I commented out with a # the above line, then added the next line
    # root /usr/share/nginx/html;
    root /server;

    I have the web server OS on a 60 GB SSD, then all my files for the web site on a second much larger SSD which I mount to mount point /server
    using /etc/fstab at boot up.
    After changing the nginx.conf file, use the chcon command to notify SELinux
    # chcon -Rt httpd_sys_content_t /server/*
    in my case.

    Pudge
    I try to think, but nothin' happens!

  5. #5
    Join Date
    May 2016
    Location
    usa
    Posts
    43
    Linux (Ubuntu) Firefox 62.0

    Re: selinux fail with Fedora Server 28 + Nginx => 403 forbidden

    thank you - using restorecon -R is working

    However, since many others have had this problem we should get the docs fixed - we did not use a "custom" path - we used the path shown in the example on the fedora nginx wiki page - if /var/www/html/ is the preferred path then the example should be fixed - also the default nginx welcome page is not on this path - it is /usr/share/nginx/html - this should be on the default path

    the fedora nginx example on the wiki should have a paragraph after explaining that selinux is sensitive to paths and problems can be resolved with the sudo restorecon -R /var/www/html/... (path to website) - this will save time and frustration for many people

    also there are 2 sources - the fedora nginx developer portal - which does not have much besides the basic installation and then there is the fedora nginx wiki page - they may have different purposes but users should be directed to just one of them to eliminate confusion

    what is the best way to get these changes/additions added ? we are happy to contribute

  6. #6
    Join Date
    Feb 2015
    Location
    Colorado
    Posts
    16
    Linux Firefox 62.0
    P.S.

    If interested, I have a tutorial on setting up a simple static file home web server here
    https://pudges-place.ddns.net/FedoraServer/Install_Fedora_Webserver.pdf

    Pudge
    I try to think, but nothin' happens!

  7. #7
    Join Date
    Oct 2011
    Posts
    1,865
    Linux Chrome 68.0.3440.106

    Re: selinux fail with Fedora Server 28 + Nginx => 403 forbidden

    Labels should be fine if the files are created or copied because they will inherit the labels from the parent directory, thus no further changes are necessary. Moving the files does not update the labels, though. In addition, SELinux being disabled may also cause the labels to not update...

    Don't know what docs you are referring to, but I don't think explaining how SELinux works everywhere is the right way. Just mentioning it may be alright, possibly.
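
Added example, not part of the thread: the label mismatch described in posts #3 and #7 appears in the audit log as AVC denials, and this script summarises which target labels the web server was refused, including denials that were only logged while in permissive mode. The log lines are constructed, the function names are hypothetical, and it assumes nginx runs in the `httpd_t` domain (Fedora targeted policy) and that object names contain no spaces.

```shell
#!/bin/sh
# Constructed audit.log sample (illustrative only, not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1537000001.101:201): avc:  denied  { read } for  pid=1410 comm="nginx" name="index.html" dev="sda2" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537000002.202:202): avc:  denied  { getattr } for  pid=1410 comm="nginx" path="/var/www/oursite/public_html/website/style.css" dev="sda2" ino=3002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537000003.303:203): avc:  denied  { read } for  pid=1410 comm="nginx" name="index.html" dev="sda2" ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1537000004.404:204): avc:  denied  { search } for  pid=1410 comm="nginx" name="server" dev="sdb1" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1537000005.505:205): avc:  denied  { read } for  pid=2001 comm="chronyd" name="x" dev="sda2" ino=9 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1537000005.505:205): arch=c000003e syscall=257 success=no exit=-13 comm="chronyd"
EOF
}

# One line per denial whose source domain is httpd_t:
#   mode  permissions  class  target-type  object
# mode is "logged-only" when the kernel was permissive (permissive=1).
httpd_denials() {
  awk '
    $1 == "type=AVC" && / denied / && /scontext=[^ ]*:httpd_t:/ {
      perm = ""; obj = "?"; ttype = "?"; tclass = "?"; mode = "blocked"
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # permissions are listed between "{" and "}"
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : ",") $j
        } else if ($i ~ /^(path|name)=/) {
          obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
        } else if ($i ~ /^tcontext=/) {
          split($i, c, ":"); ttype = c[3]   # user:role:TYPE:level
        } else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        else if ($i == "permissive=1") mode = "logged-only"
      }
      print mode, perm, tclass, ttype, obj
    }'
}

# Count blocked denials per target type that is not an httpd_* type;
# these are the labels that need correcting on the served files.
mislabeled_types() {
  httpd_denials | awk '$1 == "blocked" && $4 !~ /^httpd_/ { n[$4]++ }
    END { for (t in n) print n[t], t }' | sort -k1,1nr -k2
}

sample_audit_log | httpd_denials
sample_audit_log | mislabeled_types
```

On a live host the same functions can read `/var/log/audit/audit.log` or the output of `ausearch -m AVC -c nginx`. For a content root outside `/var/www`, such as the `/server` mount in post #4, `semanage fcontext -a -t httpd_sys_content_t "/server(/.*)?"` followed by `restorecon -Rv /server` records the label in policy so it survives a relabel, which a bare `chcon` does not.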
