
cb-nginx service fails to start with "permission denied" error

Version

4.1.2, 4.2.1.


Issue

The cb-nginx service fails to start with one of the following errors:

Starting cb-nginx: nginx: [emerg] open() "/var/run/cb/nginx.runtime.user.prop" failed (13: Permission denied) in /etc/cb/nginx/cb-nginx.conf:17

[FAILED]

or

Starting cb-nginx: nginx: [emerg] open() "/var/run/cb/nginx.runtime.ssl_certificate.prop" failed (2: No such file or directory) in /etc/cb/nginx/conf.d/cb.conf:30

[FAILED]

Symptoms

  • No logs are written in /var/log/cb/nginx.
  • An SELinux access denial for nginx is logged in /var/log/audit/audit.log:
    [root@cb_server_lab02 nginx]# cat /var/log/audit/audit.log | grep nginx | grep denied
    type=AVC msg=audit(1414705710.509:130490): avc:  denied { read } for  pid=11731 comm="nginx" name="nginx.runtime.user.prop" dev=sda2 ino=1833402 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

Cause

This happens only when SELinux is in enforcing mode and a recent yum upgrade on CentOS/Red Hat has modified the default SELinux policies.

The updated SELinux policy package moves nginx into the httpd domain (httpd_t), as the audit entry above shows (scontext httpd_t, tcontext var_run_t), and that domain is denied read access to the property files under /var/run/cb/.


Solution

This workaround applies to Carbon Black upgrades from versions earlier than 4.2.3; the issue is fixed in version 4.2.3 and later.

  1. Edit the file /etc/cb/nginx/conf.d/cb.conf or /etc/cb/nginx/conf.d/cb-multihome.conf, depending on which one is in use.
  2. Update the include statements to reference /var/cb/... instead of /var/run/cb/..., so that:
    include /var/run/cb/nginx/props/nginx.runtime.ssl_certificate.prop;

    becomes:

    include /var/cb/nginx/props/nginx.runtime.ssl_certificate.prop;

    -- Perform this step for every include statement that points to /var/run/cb/...
  3. Start the cb-nginx service: service cb-nginx start
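The rewrite in step 2 can be scripted and verified rather than edited by hand. The following is an added example, not Carbon Black's own tooling; it assumes a POSIX shell with grep and sed, uses the article's file names, and works on a constructed sample copy so the real configuration is never touched by the demo:

```shell
#!/bin/sh
# Added example (not part of the original article or the Carbon Black
# product): automate step 2 of the Solution by rewriting
# "include /var/run/cb/..." directives to "include /var/cb/...".

# Print each include directive that still points at /var/run/cb/ as
# "line:text". Exit status is 1 when nothing is left to fix.
find_runtime_includes() {
    grep -n '^[[:space:]]*include[[:space:]]\{1,\}/var/run/cb/' "$1"
}

# Number of include directives still pointing at /var/run/cb/. Prints 0
# when the rewrite is complete (grep's "no match" exit status is swallowed
# so the value can be used directly under set -e).
count_runtime_includes() {
    grep -c '^[[:space:]]*include[[:space:]]\{1,\}/var/run/cb/' "$1" || true
}

# Rewrite only include directives; other mentions of /var/run/cb/ (such as
# comments) are left untouched. A copy is kept as "$1.bak" before writing.
fix_runtime_includes() {
    cp "$1" "$1.bak" || return 1
    sed 's#^\([[:space:]]*include[[:space:]]\{1,\}\)/var/run/cb/#\1/var/cb/#' \
        "$1.bak" > "$1"
}

# Constructed sample standing in for /etc/cb/nginx/conf.d/cb.conf,
# written to a temporary directory for the demonstration.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/cb.conf"
cat > "$demo_conf" <<'EOF'
server {
    include /var/run/cb/nginx/props/nginx.runtime.ssl_certificate.prop;
    include /var/run/cb/nginx/props/nginx.runtime.user.prop;
    # this comment mentions /var/run/cb/ but is not an include directive
    include /etc/cb/nginx/conf.d/extra.conf;
}
EOF

echo "Before:"; find_runtime_includes "$demo_conf"
fix_runtime_includes "$demo_conf"
echo "After: $(count_runtime_includes "$demo_conf") include(s) still reference /var/run/cb/"
grep include "$demo_conf"
rm -rf "$demo_dir"
```

To apply it to a real system, call fix_runtime_includes on each file named in step 1 and confirm count_runtime_includes prints 0 before starting the service.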



Article Information
Creation Date: 01-07-2015