Nginx 无法创建日志文件 [英] Nginx can't create log files

问题描述

我刚刚在新的 CentOS 7 上安装了 nginx.
我的配置有这样的行:

I've just installed nginx on fresh CentOS 7.
My config has such lines:

access_log <path to log dir>/access.log;
error_log <path to log dir>/error.log error;

<log dir 的路径>的

所有部分都有 0777 权限.
Nginx 无法启动:

All parts of the <path to log dir> have 0777 permissions.
Nginx can't start:

[root@host dir]# systemctl start nginx.service
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
[root@host dir]# systemctl status nginx.service
nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
   Active: failed (Result: exit-code) since Пт 2015-08-28 14:35:09 MSK; 39s ago
     Docs: http://nginx.org/en/docs/
  Process: 13026 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
  Process: 12883 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 12936 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Process: 13493 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
 Main PID: 12938 (code=exited, status=0/SUCCESS)

авг 28 14:35:09 hostname systemd[1]: Starting nginx - high performance web server...
авг 28 14:35:09 hostname nginx[13493]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
авг 28 14:35:09 hostname nginx[13493]: nginx: [emerg] open() "<path to log dir>/access.log" failed (13: Permission denied)
авг 28 14:35:09 hostname nginx[13493]: nginx: configuration file /etc/nginx/nginx.conf test failed
авг 28 14:35:09 hostname systemd[1]: nginx.service: control process exited, code=exited status=1
авг 28 14:35:09 hostname systemd[1]: Failed to start nginx - high performance web server.
авг 28 14:35:09 hostname systemd[1]: Unit nginx.service entered failed state.

我能够开始的唯一方法是将 <path to log dir> 更改为/tmp".当然，这不是我想要的.另外，即使 nginx 已经启动，日志也没有出现在/tmp 中.

The only way I was able to start is when I've changed the <path to log dir> to "/tmp". Surely, this is not what I want. Also, even nginx has started, logs didn't appeared in /tmp.

我做错了什么?

谢谢.

UPD:
似乎 selinux 正在阻止 nginx.感谢@dusan.bajic

UPD:
seems that selinux is blocking nginx. thanks to @dusan.bajic

# grep -rin "nginx" audit.log
647:type=AVC msg=audit(1440761709.750:5189): avc:  denied  { write } for  pid=13493 comm="nginx" name="logs" dev="sda1" ino=67607894 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
648:type=SYSCALL msg=audit(1440761709.750:5189): arch=c000003e syscall=2 success=no exit=-13 a0=268bd96 a1=441 a2=1a4 a3=7fffd441ee50 items=0 ppid=1 pid=13493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
649:type=SERVICE_START msg=audit(1440761709.752:5190): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nginx" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
1087:type=AVC msg=audit(1440762687.672:5628): avc:  denied  { write } for  pid=13680 comm="nginx" name="logs" dev="sda1" ino=67607894 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
1088:type=SYSCALL msg=audit(1440762687.672:5628): arch=c000003e syscall=2 success=no exit=-13 a0=1503d96 a1=441 a2=1a4 a3=7ffdeb8313c0 items=0 ppid=1 pid=13680 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
1089:type=SERVICE_START msg=audit(1440762687.675:5629): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="nginx" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

解决方案:
http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/

setenforce 0
yum install -y policycoreutils-{python,devel}
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp
setenforce 1

续集:
Nginx 代表 root 创建日志文件

推荐答案

在这些情况下，首先要做的是检查selinux是否处于强制模式:

In these cases, the first thing to do is to check if selinux is in enforcing mode:

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

如果是这样，检查审核日志.

这篇关于Nginx 无法创建日志文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！