selinux環境でnginxのインストールと起動

install

• リポジトリ追加してインストール

# vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

# yum install nginx

selinux有効な環境でPermission denied

• systemctrl start nginx した時に下記エラーで起動できない場合

2018/01/30 19:52:00 [emerg] 4954#4954: open() "/var/run/nginx.pid" failed (13: Permission denied)

• 拒否ログからselinuxのポリシー作ってインストールする

# yum install policycoreutils-python

# grep "denied" /var/log/audit/audit.log
type=AVC msg=audit(1517341920.540:924): avc:  denied  { read write } for  pid=4954 comm="nginx" name="nginx.pid" dev="tmpfs" ino=33864 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
# 

# cat /var/log/audit/audit.log | audit2allow -m nginx_read-write > nginx_read-write.te
# cat nginx_read-write.te 

module nginx_read-write 1.0;

require {
    type var_run_t;
    type httpd_t;
    class file { read write };
}

#============= httpd_t ==============

#!!!! WARNING 'httpd_t' is not allowed to write or create to var_run_t.  Change the label to httpd_var_run_t.
allow httpd_t var_run_t:file { read write };
# 

# checkmodule -M -m -o nginx_read-write.mod nginx_read-write.te
checkmodule:  loading policy configuration from nginx_read-write.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 17) to nginx_read-write.mod
# 

# semodule_package -o nginx_read-write.pp -m nginx_read-write.mod
# semodule -i nginx_read-write.pp 
# semodule -l | grep nginx
nginx_read-write    1.0

もっといい方法がありそうな気がする。。