We have been successfully running Nginx installed from the official Nginx CentOS repositories for ages. Last night I upgraded two of my Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux immediately broke just about everything with Nginx. At first it wouldn't let it read the SSL certs, then it wouldn't allow it to read the proxy upstream server. The only way I can get it working is to disable SELinux via setenforce 0, which is a no-no because these servers are internet facing.
I have a lengthy post in the CentOS forums which you can see here: https://www.centos.org/forums/viewtopic.php?f=13&t=49280
I will try to summarize some of the errors:
----
[root@host ssl]# service nginx restart
nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
----
I was able to work around this by copying the files into /etc/nginx/ssl. Attempting to use restorecon on /srv/ssl didn't resolve the issue. After making the change above, Nginx will successfully start, but then receives the following error when trying to proxy to my upstream server:
----
2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
----
In the latter case, disabling SELinux via setenforce 0 immediately resolves the issue, without restarting the Nginx daemon.
Another user in my CentOS thread is reporting the same behavior and I am seeing it on two independent Nginx servers as well. I attempted to uninstall and re-install the Nginx package via the Nginx yum repository (hoping it would restore the SELinux context) but that produced the same result.
Here is the output of ls -lrtZ /etc/nginx:
----
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
----
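Added example, not part of the original post: both Nginx errors above are "Permission denied" at the application level, and on a host running auditd the matching SELinux decisions are logged as AVC records in /var/log/audit/audit.log. The sketch below parses such records and groups the denials for one process by source type, permission, class and target type. The sample records are constructed, and the contexts in them (httpd_t, var_t, http_cache_port_t) are assumptions for illustration, not values from the post.

```python
import re
from collections import Counter

# Constructed sample in audit.log AVC format (not taken from the post).
# The contexts (httpd_t, var_t, http_cache_port_t) are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414629000.001:321): avc:  denied  { read } for  pid=4390 comm="nginx" name="cert-rekey.crt" dev=dm-0 ino=123456 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1414629327.123:456): avc:  denied  { name_connect } for  pid=4407 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414629327.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1414629328.456:457): avc:  denied  { name_connect } for  pid=4407 comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    if "scontext" not in rec or "tcontext" not in rec:
        return None  # truncated record, nothing to classify
    # A context is user:role:type:level; the type field drives the decision.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text, comm="nginx"):
    """Count denials per (source type, permission, class, target type, object)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("comm") != comm:
            continue
        obj = rec.get("name") or rec.get("dest") or rec.get("path", "?")
        for perm in rec["perms"]:
            key = (rec["source_type"], perm, rec.get("tclass", "?"), rec["target_type"], obj)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(n, *key)
```

The grouped output separates a file-label problem (a `file` class denial naming the target type) from a network-policy problem (a `tcp_socket` `name_connect` denial); the same records can also be passed to audit2why for the policy's own explanation.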