4

I have defined a custom error_log for a virtual server inside its directory like so:

server {
        listen 80;
        server_name www.example.com;
        root   /home/www.example.com;
        error_log /home/www.example.com/error.log;
}

This is my nginx.conf:

user  nginx;
pid  /run/nginx.pid;
worker_processes  1;

Nginx starts as root with its commands with no problems:

nginx -t
nginx 

But when I try to start it using systemctl it won't start and status shows this:

nginx: [emerg] open() "/home/www.example.com/error.log" failed (13: Permission denied)

This is my nginx.service:

[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

I have tried almost everything, like changing the user:group of the web directory to nginx:nginx. Even if I remove the error_log, it starts using systemctl but it can't access the web directory, although it's running under the same user.

I can't figure out why nginx can't access that directory when it's started with systemctl while it has access when it's started directly.

I'm on CentOS 7.

Ali

4 Answers

3

SELinux is probably not allowing nginx to access the /home directory. Try changing the root to /var/www as a test. Also, when you are starting up nginx, run journalctl -x in a different session to see the error messages and post them here.

chicks
Alfonso
  • I believe you are right, and SELinux causes the problem. But changing the directory didn't help. This is journal output: nginx[25596]: nginx: [emerg] open() "/var/www/www.example.com/error.log" failed (13: Permission denied) – Ali Mar 25 '15 at 13:13
  • 1
    I used this "semanage permissive -a httpd_t" and now it works. But I don't know the downside. – Ali Mar 25 '15 at 13:33
  • 1
    There should not be any downside with that - it is just changing the selinux context from **enforcing** to **permissive** which is fine for your scenario. Permissive mode just means that it will not enforce blocking access but it will still have the selinux labeling on (a good thing) and will still log when it _would have_ blocked access. – Alfonso Mar 25 '15 at 19:41
  • @Ali It didn't work because [you moved the files instead of copying them](https://serverfault.com/a/801732/126632). – Michael Hampton Nov 18 '17 at 01:59
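Added example (not part of the original thread): shell functions that read an SELinux AVC denial for nginx and print a relabel scoped to the denied path, as an alternative to making the whole httpd_t domain permissive. The audit line is constructed, including its user_home_t label (assumed, consistent with files moved out of /home), and the mapping of `*.log` to httpd_log_t is an assumption of this example.

```shell
#!/bin/bash
# Constructed sample (not from the thread): an AVC denial of the kind auditd
# writes to /var/log/audit/audit.log when SELinux blocks nginx (httpd_t).
SAMPLE_AVC='type=AVC msg=audit(1427289180.123:456): avc:  denied  { open } for  pid=25596 comm="nginx" path="/var/www/www.example.com/error.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the value of field $2 (key=value) from AVC line $1, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The third colon-separated part of an SELinux context is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print (never run) a relabel scoped to the denied path, as an alternative
# to making the whole httpd_t domain permissive.
suggest_fix() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    path=$(avc_field "$1" path)
    if [ "$src" != "httpd_t" ]; then
        echo "not an httpd_t denial"
        return 1
    fi
    # Assumption for this example: *.log is a log nginx writes, anything
    # else is read-only web content.
    case $path in
        *.log) want=httpd_log_t ;;
        *)     want=httpd_sys_content_t ;;
    esac
    if [ "$tgt" = "$want" ]; then
        echo "$path is already $want; inspect the denial with audit2why"
        return 0
    fi
    echo "semanage fcontext -a -t $want '$path'"
    echo "restorecon -v '$path'"
}

suggest_fix "$SAMPLE_AVC"
```

The printed `semanage fcontext` rule is persistent and `restorecon` applies it to the file, so SELinux stays enforcing for everything else nginx touches.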
0

This is how I solved it, according to the nginx manual:

#semanage permissive -a httpd_t
0

An answer to another question might help future finders running across this question; it provides a fair amount of detail related to web servers and SELinux: https://serverfault.com/a/551801/101931

kbulgrien
-2

Maybe the reason is SELinux. Try editing /etc/sysconfig/selinux:

# SELINUX=enforcing
SELINUX=disabled

Make the configuration take effect immediately by rebooting.