SELinux: NGINX Fails to Start After Update (Cert Access Denied)
Symptom:
After running dnf update, nginx fails to restart.
Even though nginx -t passes, you get:
Job for nginx.service failed because the control process exited with error code.
Root Cause
SELinux has blocked nginx from accessing one of your certificate files (star_fullchain.crt), likely due to a label mismatch after updates or file changes.
Confirm with:
journalctl -xe | grep nginx
You'll see something like:
SELinux is preventing nginx from reading /etc/pki/nginx/star_fullchain.crt
Fix It (TL;DR)
sudo restorecon -Rv /etc/pki/nginx
sudo systemctl restart nginx
This resets the SELinux labels under /etc/pki/nginx to the policy defaults, which is what nginx expects.
Optional: Full Analysis with sealert
If setroubleshoot is installed:
sealert -a /var/log/audit/audit.log
This will explain the exact denial and recommend a fix (e.g., restorecon, semanage, etc.)
If not installed:
sudo dnf install setroubleshoot-server
sudo systemctl enable --now setroubleshootd
Show Labels for Debugging
ls -Z /etc/pki/nginx
Correct label for certs is typically:
cert_t
Do NOT Disable SELinux
The proper fix is to correct the label, not to weaken security.
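To see which label a denied file actually carries without installing setroubleshoot, the AVC records in /var/log/audit/audit.log can be read directly. The script below is an added example, not part of the original post; the sample records, the wrong labels in them (user_home_t, user_tmp_t) and the star.key file name are constructed.

```shell
#!/bin/sh
# Added example: list the SELinux AVC denials that audit logged for nginx.
# Every record below is constructed sample data, not output from a real host.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.123:401): avc:  denied  { read } for  pid=2211 comm="nginx" name="star_fullchain.crt" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:402): avc:  denied  { open } for  pid=2211 comm="nginx" path="/etc/pki/nginx/star.key" dev="dm-0" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.789:403): avc:  denied  { read } for  pid=3000 comm="crond" name="jobs" dev="dm-0" ino=99 scontext=system_u:system_r:crond_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1700000002.000:404): pid=1 uid=0 msg='unit=nginx comm="systemd" res=failed'
EOF
}

# Print "permission<TAB>object<TAB>target type" for each denial with comm="nginx".
nginx_denials() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ && /comm="nginx"/ {
        perm = obj = ttype = ""
        # The denied permission sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(path|name)=/) {      # name= or path=, whichever is present
                obj = $i
                sub(/^[a-z]+=/, "", obj)
                gsub(/"/, "", obj)
            }
            if ($i ~ /^tcontext=/) {         # user:role:type:level
                split($i, ctx, ":")
                ttype = ctx[3]
            }
        }
        printf "%s\t%s\t%s\n", perm, obj, ttype
    }'
}

# With a file argument, read it (the audit log needs root); otherwise use the sample.
if [ -n "${1:-}" ]; then
    nginx_denials < "$1"
else
    sample_audit_log | nginx_denials
fi
```

A target type other than cert_t in the third column is the label mismatch that restorecon repairs.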
Summary
| Step | Command |
|---|---|
| Check logs | |
| Fix labels | |
| Full audit help | |
| Restart nginx | |