RHEL-141447

SELinux is preventing /usr/sbin/nginx from setattr access on the chr_file null


    • Bug
    • Resolution: Unresolved
    • rhel-9.7
    • nginx
    • rhel-stacks-web-servers
    • x86_64

      What were you trying to do that didn't work?

      I use OnlyOffice Document Server and run Nginx using configuration files provided by the DocServer provider.

      What is the impact of this issue to you?

      When a critical error occurs, nginx starts sending logs to /dev/null. This is rejected by SELinux, and configuration processing cannot continue.

      This is a valid nginx configuration that should work.

      Please provide the package NVR for which the bug is seen:

       

      # rpm -qa | grep nginx
      nginx-filesystem-1.20.1-22.0.1.el9_6.3.noarch
      nginx-core-1.20.1-22.0.1.el9_6.3.x86_64
      nginx-1.20.1-22.0.1.el9_6.3.x86_64
      
      # rpm -qa | grep selinux-policy
      selinux-policy-38.1.65-1.0.1.el9.noarch
      selinux-policy-targeted-38.1.65-1.0.1.el9.noarch

       

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. dnf install nginx
      2. add `error_log /dev/null;` to nginx configuration
      3. systemctl start nginx
      4. produce any error

      Expected results

      nginx is allowed to write data to /dev/null

      Actual results

       

      SELinux is preventing /usr/sbin/nginx from setattr access on the chr_file null.
      
      *****  Plugin catchall (100. confidence) suggests   **************************
      
      If you believe that nginx should be allowed setattr access on the null chr_file by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'nginx' --raw | audit2allow -M my-nginx
      # semodule -X 300 -i my-nginx.pp
      
      
      Additional Information:
      Source Context                system_u:system_r:httpd_t:s0
      Target Context                system_u:object_r:null_device_t:s0
      Target Objects                null [ chr_file ]
      Source                        nginx
      Source Path                   /usr/sbin/nginx
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           nginx-core-1.20.1-22.0.1.el9_6.3.x86_64
      Target RPM Packages           
      SELinux Policy RPM            selinux-policy-targeted-38.1.65-1.0.1.el9.noarch
      Local Policy RPM              selinux-policy-targeted-38.1.65-1.0.1.el9.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     owncloud.bp.local
      Platform                      Linux owncloud.bp.local
                                    5.14.0-611.11.1.el9_7.x86_64 #1 SMP
                                    PREEMPT_DYNAMIC Mon Dec 1 12:50:30 PST 2025 x86_64
                                    x86_64
      Alert Count                   3
      First Seen                    2025-12-19 00:00:07 +04
      Last Seen                     2025-12-21 00:00:06 +04
      Local ID                      80566e5f-2a0d-472c-99f9-44b79490dcab
      
      Raw Audit Messages
      type=AVC msg=audit(1766260806.809:64286): avc:  denied  { setattr } for  pid=596444 comm="nginx" name="null" dev="devtmpfs" ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
      
      
      type=SYSCALL msg=audit(1766260806.809:64286): arch=x86_64 syscall=chown success=no exit=EACCES a0=562b86ec54f2 a1=3e1 a2=ffffffff a3=0 items=0 ppid=1 pid=596444 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=chown AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
      
      Hash: nginx,httpd_t,null_device_t,chr_file,setattr
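
Added example, not part of the original report: a small triage script that pairs the AVC and SYSCALL records above by audit event serial and decodes the chown arguments, which shows the denied setattr is a chown on the log path requesting owner 0x3e1 (993) with the group left unchanged. It assumes the interpreted record form printed in the report (syscall=chown rather than a syscall number); the function names are illustrative.

```python
import re

# The two records from the report above (SYSCALL abridged to the fields used here).
SAMPLE = """\
type=AVC msg=audit(1766260806.809:64286): avc:  denied  { setattr } for  pid=596444 comm="nginx" name="null" dev="devtmpfs" ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1766260806.809:64286): arch=x86_64 syscall=chown success=no exit=EACCES a0=562b86ec54f2 a1=3e1 a2=ffffffff a3=0 items=0 ppid=1 pid=596444 uid=0 euid=0 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNCHANGED = 0xFFFFFFFF  # (uid_t)-1 / (gid_t)-1: chown leaves that id untouched


def correlate(text):
    """Merge AVC and SYSCALL records that share an audit event serial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        ev = events.setdefault(serial, {})
        if rtype == "AVC":
            perms = DENIED.search(body)
            ev["perms"] = perms.group(1).split() if perms else []
            ev.update({k: fields.get(k) for k in ("scontext", "tcontext", "tclass", "name")})
        elif rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in ("syscall", "exit", "exe")})
            # Assumes interpreted records (syscall=chown), as printed in the report.
            if ev["syscall"] in ("chown", "lchown", "fchown"):
                ids = [int(fields[a], 16) for a in ("a1", "a2")]  # owner, group (hex)
                ev["owner"], ev["group"] = [None if i == UNCHANGED else i for i in ids]
    return events


def describe(ev):
    """One-line triage summary for an event that has an AVC record."""
    src, tgt = (ev[c].split(":")[2] for c in ("scontext", "tcontext"))
    line = f"{src} denied {{ {' '.join(ev['perms'])} }} on {tgt}:{ev['tclass']} name={ev['name']}"
    if "owner" in ev:
        ids = ", ".join(f"{k}={'unchanged' if ev[k] is None else ev[k]}" for k in ("owner", "group"))
        line += f" via {ev['syscall']}({ids}) from {ev['exe']}, exit={ev['exit']}"
    return line


if __name__ == "__main__":
    for serial, ev in correlate(SAMPLE).items():
        print(serial, describe(ev))
```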
      

       

       

              luhliari@redhat.com Lubos Uhliarik
              a.savchuk Anton Savchuk
              Lubos Uhliarik Lubos Uhliarik