4

I have defined a custom error_log for a virtual server inside its directory like so:

server {
        listen 80;
        server_name www.example.com;
        root   /home/www.example.com;
        error_log /home/www.example.com/error.log;
}

This is my nginx.conf:

user  nginx;
pid  /run/nginx.pid;
worker_processes  1;

Nginx starts as root with its commands with no problems:

nginx -t
nginx 

But when I try to start it using systemctl it won't start and status shows this:

nginx: [emerg] open() "/home/www.example.com/error.log" failed (13: Permission denied)

This is my nginx.service :

[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

I have tried almost everything, such as changing the user:group of the web directory to nginx:nginx. Even if I remove the error_log, it starts using systemctl but it can't access the web directory, although it's running under the same user.

I can't figure out why nginx can't access that directory when it's started with systemctl while it has access when it's started directly.

I'm on CentOS 7.

4 Answers

3

SELinux is probably not allowing nginx to access the /home directory. Try changing the root to /var/www as a test. Also, when you are starting up nginx, run journalctl -x in a different session to see the error messages and post them here.

4
  • I believe you are right, and SELinux causes the problem. But changing the directory didn't help. This is journal output: nginx[25596]: nginx: [emerg] open() "/var/www/www.example.com/error.log" failed (13: Permission denied) Commented Mar 25, 2015 at 13:13
  • 1
    I used this "semanage permissive -a httpd_t" and now it works. But I don't know the downside. Commented Mar 25, 2015 at 13:33
  • 1
    There should not be any downside with that - it is just changing the SELinux context from enforcing to permissive which is fine for your scenario. Permissive mode just means that it will not enforce blocking access but it will still have the SELinux labeling on (a good thing) and will still log when it would have blocked access. Commented Mar 25, 2015 at 19:41
  • @Ali It didn't work because you moved the files instead of copying them. Commented Nov 18, 2017 at 1:59
0

An answer to another question might help future finders running across this question; it provides a fair amount of detail related to web servers and SELinux: https://serverfault.com/a/551801/101931

0

This is how I solved it according to the nginx manual:

#semanage permissive -a httpd_t

-2

Maybe the reason is SELinux. Try to edit /etc/sysconfig/selinux:
# SELINUX=enforcing
SELINUX=disabled
Make the configuration take effect immediately by rebooting.
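
To see which file labels are behind the denials discussed in the answers above, this added example (not part of any post on this page) summarises nginx AVC denials from audit log lines and prints, without running them, commands that relabel the files instead of relaxing httpd_t. The audit lines are constructed, and the helper names avc_summary and relabel_plan and the choice of httpd_sys_content_t and httpd_log_t as target types are assumptions.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for nginx and print (not run)
# a relabel plan. The audit lines below are constructed, not from the page.
SAMPLE_AUDIT='type=AVC msg=audit(1427289180.101:412): avc:  denied  { open } for  pid=25596 comm="nginx" path="/var/www/www.example.com/error.log" dev="dm-0" ino=262281 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1427289181.007:413): avc:  denied  { read } for  pid=25597 comm="nginx" name="index.html" dev="dm-0" ino=262290 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1427289181.007:413): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"'

# avc_summary: audit lines on stdin -> "<perms> <object> <source> <target>"
# for every denial whose comm is nginx; several perms are comma-joined.
avc_summary() {
  awk '
    /type=AVC/ && /denied/ && /comm="nginx"/ {
      perm = obj = src = tgt = "?"
      if (match($0, /[{] [a-z_ ]+ [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(path|name)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }  # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
      }
      print perm, obj, src, tgt
    }'
}

# relabel_plan <docroot> <logfile>: print commands for review. The log rule
# is added after the tree rule so that the more specific rule wins. The
# fcontext spec is a regex, so dots in a path match any character.
relabel_plan() {
  printf '%s\n' \
    "semanage fcontext -a -t httpd_sys_content_t '${1}(/.*)?'" \
    "semanage fcontext -a -t httpd_log_t '${2}'" \
    "touch '${2}'" \
    "restorecon -Rv '${1}'" \
    "semanage permissive -d httpd_t"  # only if httpd_t was made permissive
}

# Stand-alone run: denials found in the constructed sample, then the plan.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
relabel_plan /var/www/www.example.com /var/www/www.example.com/error.log
```

On a real host the input would come from `ausearch -m avc -ts recent` or /var/log/audit/audit.log rather than the embedded sample.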
