Fixing 403 errors when using nginx with SELinux

published on

I was trying to configure up a new static content directory in nginx (so that I could use the letsencrypt webroot domain verification method), but kept getting 403 permission denied errors when accessing any files from the directory.

Eventually tracked it down to SELinux blocking access to the new directory that I'd created because it wasn't part of the policy applied to nginx.

The requests by nginx to read the file could be seen as being blocked in the /var/log/audit/audit.log file as:

type=SYSCALL msg=audit(1451621937.716:74556): arch=c000003e syscall=2 success=no exit=-13 a0=7ff62cb994ad a1=800 a2=0 a3=7ff62be64ed0 items=0 ppid=5698 pid=5699 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)  
type=AVC msg=audit(1451621939.616:74557): avc:  denied  { open } for  pid=5699 comm="nginx" path="/wwwroot/letsencrypt/.well-known/acme-challenge/foo.txt" dev="xvda1" ino=17646770 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

The quick fix: change the context of the new directory /wwwroot so that nginx can read it:

chcon -Rt httpd_sys_content_t /wwwroot

After making this change, nginx can then read the directory and will serve the files from it without any errors.

Checking the changes that were made: with a test file foo.txt in the directory, the original permissions before adding to context:

# ls -Z *
-rwxr--r--. root root unconfined_u:object_r:user_tmp_t:s0 foo.txt

New permissions after adding to context:

# ls -Z *
-rwxr--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 foo.txt

Useful references in sorting this out: