nginx fails to start after user runs configuration check in unconfined SELinux context #816

@grisu48

Environment

openSUSE Tumbleweed - Linux tumbleweed 6.15.8-1-default #1 SMP PREEMPT_DYNAMIC Thu Jul 24 07:19:58 UTC 2025 (e03d052) x86_64 x86_64 x86_64 GNU/Linux

nginx version: nginx/1.29.0
built by gcc 15.1.1 20250714 (SUSE Linux) 
built with OpenSSL 3.5.1 1 Jul 2025
TLS SNI support enabled
configure arguments: --prefix=/usr/ --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/ --http-proxy-temp-path=/var/lib/nginx/proxy/ --http-fastcgi-temp-path=/var/lib/nginx/fastcgi/ --http-uwsgi-temp-path=/var/lib/nginx/uwsgi/ --http-scgi-temp-path=/var/lib/nginx/scgi/ --user=nginx --group=nginx --without-select_module --without-poll_module --with-threads --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl=/usr/bin/perl --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-pcre --with-pcre-jit --with-cc-opt='-O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -fPIC -D_GNU_SOURCE' --with-ld-opt='-Wl,-z,relro,-z,now -pie' --with-compat

Description

This is an SELinux issue: nginx fails to start with a permission-denied error on /run/nginx.pid if the user first runs nginx -t:

tumbleweed:~ # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
tumbleweed:~ # systemctl start nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
tumbleweed:~ # systemctl status nginx
x nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Wed 2025-07-30 11:50:27 CEST; 3s ago
 Invocation: 605c3897c4284c60aeb7c86d5f8007e3
    Process: 1812 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
        CPU: 36ms

Jul 30 11:50:27 tumbleweed systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 30 11:50:27 tumbleweed nginx[1812]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 30 11:50:27 tumbleweed nginx[1812]: nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
Jul 30 11:50:27 tumbleweed nginx[1812]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 30 11:50:27 tumbleweed systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 30 11:50:27 tumbleweed systemd[1]: nginx.service: Failed with result 'exit-code'.
Jul 30 11:50:27 tumbleweed systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

The issue is that nginx -t runs in an unconfined SELinux context and for some reason creates the /run/nginx.pid file. If the service afterwards tries to start and write its PID into that file, it cannot, because the SELinux policy forbids it (wrong file context).

Relabelling or deleting the /run/nginx.pid file resolves the issue.

nginx configuration

pid /run/nginx.pid;

events {
        worker_connections 1024;
}

http {
        server {
                listen 80;
                location / {
                        root /srv/www/htdocs;
                        index index.html index.htm;
                }
        }
}

nginx debug log

Jul 30 11:57:58 tumbleweed systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 30 11:57:58 tumbleweed nginx[1934]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 30 11:57:58 tumbleweed nginx[1934]: nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
Jul 30 11:57:58 tumbleweed nginx[1934]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 30 11:57:58 tumbleweed systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 30 11:57:58 tumbleweed systemd[1]: nginx.service: Failed with result 'exit-code'.
Jul 30 11:57:58 tumbleweed systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

Further information

I'm not sure why nginx -t even touches or creates /run/nginx.pid. Probably it shouldn't, as it is typically run from a different SELinux context. At least it should clean up after itself once it has run, but that is just speculation.

Thank you!
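A pre-start check in the spirit of the workaround given above (relabel or delete the stale pid file), written as an added example for this issue and not taken from the report or from nginx: it reads the pid file's SELinux context as printed by `stat -c %C` and decides whether the file needs relabelling before systemd's ExecStartPre runs nginx -t again. The expected type httpd_var_run_t and both sample contexts are assumptions (targeted-policy style labels; adjust the type to your distribution's policy).

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of nginx. Decides whether a stale
# /run/nginx.pid carries a label the confined nginx daemon is allowed to write.
# Assumption: the pid file type under the local policy is httpd_var_run_t and
# contexts have the usual user:role:type:level shape (as from `stat -c %C`).
set -u

EXPECTED_TYPE="${NGINX_PID_TYPE:-httpd_var_run_t}"

# context_type "system_u:object_r:httpd_var_run_t:s0" -> "httpd_var_run_t"
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# pidfile_label_ok CONTEXT : 0 when the type field matches EXPECTED_TYPE, else 1
pidfile_label_ok() {
    [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# Classify a context captured from the pid file and return an action word.
# This mirrors the diagnosis in the issue: a pid file created by `nginx -t` in
# an unconfined root shell keeps a generic label instead of the type the nginx
# domain may write, so the confined daemon later gets EACCES (13) on open().
pidfile_action() {
    case "$(context_type "$1")" in
        "$EXPECTED_TYPE") echo "ok" ;;          # nothing to do
        "")               echo "unlabeled" ;;   # no SELinux, or stat without %C
        *)                echo "relabel" ;;     # restorecon -v FILE, or remove FILE
    esac
}

# On a live system: inspect the real file and report what to do before
# `systemctl start nginx`. GNU stat prints the SELinux context with %C.
check_live_pidfile() {
    file="${1:-/run/nginx.pid}"
    [ -e "$file" ] || { echo "no pid file, nothing to fix"; return 0; }
    ctx="$(stat -c %C "$file" 2>/dev/null || echo "")"
    case "$(pidfile_action "$ctx")" in
        ok)        echo "$file already has type $EXPECTED_TYPE" ;;
        relabel)   echo "$file is $ctx; run: restorecon -v $file (or rm $file)" ;;
        unlabeled) echo "$file has no SELinux context (SELinux disabled?)" ;;
    esac
}

# Constructed sample contexts in the shape `stat -c %C` produces:
GOOD_CTX="system_u:object_r:httpd_var_run_t:s0"   # label the daemon can write
STALE_CTX="unconfined_u:object_r:var_run_t:s0"    # file left behind by a root-shell nginx -t
```

Run `check_live_pidfile` as root on the affected host before restarting the unit; on a host without SELinux it reports the file as unlabeled rather than failing.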
