Nginx says open() "/etc/nginx/conf.d/foo.conf" failed (13: Permission denied)

Here is what I have in ls -al /etc/nginx:

total 52
drwxr-xr-x.  4 root root 4096 Jul 28 04:16 .
drwxr-xr-x. 78 root root 8192 Jul 28 03:37 ..
drwxr-xr-x.  2 root root   26 Jul 28 03:55 conf.d
drwxr-xr-x.  2 root root    6 May 10 09:21 default.d
-rw-r--r--.  1 root root 1034 May 10 09:21 fastcgi.conf
-rw-r--r--.  1 root root  964 May 10 09:21 fastcgi_params
-rw-r--r--.  1 root root 2837 May 10 09:21 koi-utf
-rw-r--r--.  1 root root 2223 May 10 09:21 koi-win
-rw-r--r--.  1 root root 3957 May 10 09:21 mime.types
-rw-r--r--.  1 root root 1033 Jul 28 03:43 nginx.conf
-rw-r--r--.  1 root root  596 May 10 09:21 scgi_params
-rw-r--r--.  1 root root  623 May 10 09:21 uwsgi_params
-rw-r--r--.  1 root root 3610 May 10 09:21 win-utf

This is what I see /var/log/nginx/error.log after sudo service nginx start:

[emerg] 20360#0: open() "/etc/nginx/conf.d/foo.conf" failed
(13: Permission denied) in /etc/nginx/nginx.conf:33

This is what I have in ls -al /etc/nginx/conf.d/:

$ ls -al /etc/nginx/conf.d/
total 8
drwxr-xr-x. 2 root root   26 Jul 28 03:55 .
drwxr-xr-x. 4 root root 4096 Jul 28 04:16 ..
-rw-r--r--. 1 root root  230 Jul 28 03:50 foo.conf

What’s wrong?

Asked By: yegor256


When you are getting permission denied errors on file access etc. for unknown reason, it might be related to SELinux. Especially when you see a period following permissions like drwxr-xr-x. shown by ls -l for the file/dir in question, they could be mislabeled (you can see it by ls -Z) and cause the problem.

You should first check current SELinux mode by running getenforce. If it says Enforcing, then temporarily set the mode to Permissive by running setenforce 0, and see if your application works afterwards.

Please consult your distribution’s guide on SELinux for permanent fix, including setting the SELinux mode on start up, relabeling files or directories, updating policies, etc. Here’s Howto for CentOS.

Answered By: yaegashi

Altering whole SElinux is not always the right answer. I’m not an expert but i’d compare it with disabling firewall if a port is not accessible.

Other quick solution could be to “restore SE context” of files, especially if those are copied from somewhere.

See for more details.

These are commands worth to try before disabling SElinux

sudo restorecon  /etc/nginx/conf.d/
sudo restorecon  /etc/nginx/conf.d/*
Answered By: Lauri

A Better way than disabling selinux is to use the command

semanage permissive -a httpd_t

That will allow toe nginx service to pass without completely disabling selinux

More info on

However for me running the command chcon -v --type=httpd_sys_content_t /etc/nginx/* and it worked properly without needing to excempt httpd_t

Answered By: Cyber Axe
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.