jwtea

Reputation: 464

403 permission denied nginx, vagrant, centos

I am having trouble setting up my basic vagrant VM to serve some content. Nginx is saying it does not have permission to serve the index for my project folder. I have tried setting all permissions to 777 for the project directory and changing the Nginx user to vagrant.

I am unsure, but from reading around, apparently SELinux may be causing issues, as it is enabled on the server and there are lines in /var/log/audit/audit.log like this:

type=AVC msg=audit(1471185070.388:854): avc:  denied  { getattr } for  pid=4653 comm="nginx" path="/var/www/project/index.html" dev="0:37" ino=12161210 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

My nginx configuration looks like this:

server {
    listen 80 default_server;
    server_name knifesprinter.local;
    index index.html;

    location / {
        root /var/www/project;
        autoindex on;
    }

    error_page  404              /404.html;
    location = /404.html {
        root   /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

And all permissions to /var/www/project are allowed. Does someone know what the deal is here? I have set up a few servers with Nginx before, but not on CentOS 7.

Upvotes: 0

Views: 936

Answers (1)

Keenan Lawrence

Reputation: 1464

Yip, definitely a SELinux issue. Please, please don't disable SELinux by setting enforce to 0. You can allow Nginx access using audit2allow. This will generate a policy for you which you can apply using semodule. You'll need to run the following as root. You could sudo the commands, but you'll encounter an issue with semodule.

Firstly, if your system doesn't have audit2allow:

yum install policycoreutils-python

Next, create the policy:

grep httpd /var/log/audit/audit.log | audit2allow -M mypol

Then apply the policy:

semodule -i mypol.pp

It's worthwhile noting that audit2allow may give more access than needed. If you're concerned about that, you may also use restorecon or chcon in certain cases.

I hope this helps.

Upvotes: 3
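The answer notes that audit2allow may grant more than needed. The following added example (not part of the original answer) lists the allow rules implied by the AVC denials that the `grep httpd` filter would feed into the module, so they can be reviewed before running `semodule -i`. The function names `avc_summary` and `sample_log` are hypothetical, and every sample log line except the first, which is the denial from the question, is constructed.

```shell
#!/usr/bin/env bash
# Added example: list the allow rules implied by AVC denials in an audit log,
# so they can be reviewed before installing a module built from the same lines.

# Reads audit.log lines on stdin; prints one rule per (source, target:class).
avc_summary() {
  awk '
    /type=AVC/ && /denied/ {
      src = ""; tgt = ""; cls = ""
      # Denied permissions are the words between the first "{" and "}".
      s = index($0, "{"); e = index($0, "}")
      if (s == 0 || e <= s) next
      perms = substr($0, s + 1, e - s - 1)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        if (!((key, p[j]) in seen)) {
          seen[key, p[j]] = 1
          merged[key] = merged[key] " " p[j]
        }
      }
    }
    END { for (k in merged) printf "allow %s {%s };\n", k, merged[k] }
  ' | sort
}

# Constructed sample: line 1 is the denial from the question; the rest are
# made-up entries that the same "grep httpd" filter would also match.
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1471185070.388:854): avc:  denied  { getattr } for  pid=4653 comm="nginx" path="/var/www/project/index.html" dev="0:37" ino=12161210 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1471185071.001:855): avc:  denied  { read open } for  pid=4653 comm="nginx" path="/var/www/project/index.html" dev="0:37" ino=12161210 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1471185090.120:861): avc:  denied  { name_connect } for  pid=4653 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1471185070.388:854): arch=c000003e syscall=4 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
EOF
}

sample_log | avc_summary
```

On a real host, pipe `grep httpd /var/log/audit/audit.log` into `avc_summary` instead of the sample. In the constructed sample, the `tcp_socket` rule is unrelated to serving files from the project directory, which is the kind of extra access the filter can pull into the module.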
