Configuring Nginx on CentOS 7

Background

While setting up a server recently I chose CentOS 7 and hit a Permission Denied error while installing and configuring Nginx. Fixing ownership and mode bits with chown and chmod did not help; the cause turned out to be SELinux.

What is SELinux?

Quoted from the NGINX blog post "Using NGINX and NGINX Plus with SELinux":

When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.

The same applies on CentOS 7. The targeted policy labels /usr/sbin/nginx as httpd_exec_t, so nginx started by systemd runs in the confined httpd_t domain: it can only read content carrying the httpd content types, bind ports labelled http_port_t, and so on. httpd_selinux(8) documents the types and booleans involved.

Installing Nginx

With the following steps nginx starts and the default welcome page is reachable.

# add the nginx.org repository
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# install
sudo yum install -y nginx
# start
systemctl start nginx.service

Custom configuration

The main configuration file:

/etc/nginx/nginx.conf

Site-specific configuration normally goes into the conf.d directory, which nginx.conf includes:

$nginx_conf/conf.d/default.conf

Add a server block for the custom site:

server {
    listen       8081;
    server_name  localhost;

    access_log  /var/log/nginx/access.log  main;

    location / {
      root   /home/custom/web;   # custom document root
      index  index.html index.htm;
    }
}

With this server block in place, nginx no longer starts through systemd:

systemctl start nginx

Starting it directly with the nginx binary works, but requesting the page returns a 403. Before drawing conclusions from the difference between the two ways of starting it, check with ps -eZ | grep nginx which domain the processes actually run in each time; a process that is not in httpd_t is not subject to the httpd policy at all.

nginx   # start the binary directly from the shell

The 403 is recorded in the error log:

2018/09/18 23:41:37 [error] 1266#1266: *1 "/home/custom/web/index.html" is forbidden (13: Permission denied), client: xxx.xxx.xxx.xxx, server: localhost, request: "GET / HTTP/1.1", host: "xxx.xxx.xxx.xxx:8081"

The usual answer found online is to run nginx as root by changing the user directive in nginx.conf:

# /etc/nginx/nginx.conf

#user  nginx;
user  root;
worker_processes  1;
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
	......
}

Configuring it with SELinux enabled

Running nginx as root is strongly discouraged in production: with user root the worker processes that parse client requests run with full privileges, so any exploitable bug in a worker becomes a root compromise. The better path is to find out what SELinux actually needs while it stays enabled.

With the packaged document root nginx starts fine, so look at the security context of that directory:

ll -Zd /usr/share/nginx/html/

# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/

Here system_u:object_r:httpd_sys_content_t:s0 is the directory's security context; the part that matters for access decisions is the type, httpd_sys_content_t. chcon copies that label onto the custom directory (the -u part is harmless but not needed, since type enforcement only looks at the type):

chcon -Ru system_u /home/custom/web
chcon -Rt httpd_sys_content_t /home/custom/web
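chcon only rewrites the labels stored on the inodes; nothing is recorded in the policy, so the next restorecon or full relabel (touch /.autorelabel and reboot) puts the directory back to its default home-directory type. As an added example, not from the original post, here is the persistent form of the same step with semanage fcontext and restorecon, together with registering port 8081 as http_port_t, which the server block above needs because the confined httpd_t domain may only bind ports carrying that label. The web root /home/custom/web and port 8081 are taken from the post; the run() wrapper and the DRY_RUN variable are this script's own convention, so the plan can be printed and reviewed on any machine before it is run as root on the server (semanage comes from the policycoreutils-python package on CentOS 7).

```shell
#!/bin/sh
# Added example (not from the original post): the persistent version of the
# chcon step, plus the port registration that listen 8081 needs.
# Assumed from the post: web root /home/custom/web and port 8081.
# The run() wrapper and DRY_RUN are this script's own convention; with
# DRY_RUN=1 the privileged commands are printed instead of executed.
set -eu

# run CMD ARGS...: execute, or print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# label_web_root DIR: record a file-context rule for DIR and everything
# below it in the policy store, then apply it with restorecon. Because the
# rule is stored, a later restorecon or full relabel re-applies
# httpd_sys_content_t instead of resetting DIR to its home-directory type,
# which is what happens to labels set with chcon alone.
label_web_root() {
    dir=$1
    # -a fails if a rule for the same pattern already exists; -m (modify)
    # then replaces it, so re-running the script is safe.
    run semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?" \
        || run semanage fcontext -m -t httpd_sys_content_t "${dir}(/.*)?"
    run restorecon -Rv "$dir"
}

# allow_http_port PORT: label PORT as http_port_t so the confined httpd_t
# domain may bind it. On CentOS 7 http_port_t covers only 80, 81, 443, 488,
# 8008, 8009, 8443 and 9000; 8081 falls under unreserved_port_t, which is
# the tcp_socket name_bind denial audit2allow reports for this setup.
allow_http_port() {
    port=$1
    run semanage port -a -t http_port_t -p tcp "$port" \
        || run semanage port -m -t http_port_t -p tcp "$port"
}

# Usage:  DRY_RUN=1 sh selinux-webroot.sh /home/custom/web 8081   # preview
#         sudo sh selinux-webroot.sh /home/custom/web 8081        # apply
if [ $# -eq 2 ]; then
    label_web_root "$1"
    allow_http_port "$2"
    # SELinux labels do not replace DAC: every directory on the path must be
    # searchable (x) by the nginx user, or the 403 stays. namei shows the chain.
    run namei -l "$1"
    run systemctl restart nginx
fi
```

Preview first with DRY_RUN=1 and compare the printed commands against the directory and port in your own server block; then run it as root and confirm with ls -Zd /home/custom/web and semanage port -l | grep http_port_t that both changes are in place.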

With user set back to nginx and SELinux switched to permissive mode (setenforce 0 does not turn SELinux off: denials are still logged, just no longer enforced), the page is served:

setenforce 0
systemctl start nginx

But once SELinux is back in enforcing mode (setenforce 1), starting nginx fails with the following:

[root@localhost mgzy]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@localhost mgzy]# systemctl status nginx.service
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-09-19 03:07:23 CST; 7s ago
     Docs: http://nginx.org/en/docs/
  Process: 12298 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)

Sep 19 03:07:23 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
Sep 19 03:07:23 localhost.localdomain nginx[12298]: nginx: [emerg] open() "/etc/nginx/none" failed (13: Permission denied)
Sep 19 03:07:23 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
Sep 19 03:07:23 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
Sep 19 03:07:23 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
Sep 19 03:07:23 localhost.localdomain systemd[1]: nginx.service failed.

The /etc/nginx/none file in the log is puzzling, but Permission denied shows it is still an access-control problem. nginx resolves relative file names against its prefix, /etc/nginx, so some directive in the configuration names a file called none; when nginx is started from the shell at this point it does create that file, and the audit2allow output in the next section (create and append on a file in an httpd_config_t directory) shows the confined httpd_t domain being refused the same write. Look for a directive given the value none where a path or the keyword off was intended (access_log none instead of access_log off, for example) and fix it; the policy is right to stop a web server from writing into its own configuration directory. The quick fix used at this point was instead:

# make the process type httpd_t permissive
semanage permissive -a httpd_t

With that, nginx works under SELinux, but only because enforcement is switched off for the whole httpd_t domain: SELinux keeps logging what it would have denied (which is what the next section reads back with audit2allow) and blocks nothing for nginx. Use it as a diagnostic step, then remove it again with semanage permissive -d httpd_t once the underlying causes are fixed: the port label for 8081, the file context of the web root, and the directive behind /etc/nginx/none.

Other notes

The following command reads the denials logged for nginx back from the audit log and turns them into a policy module; it is the quickest way to see exactly what the process was asking for.

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx

module nginx 1.0;

require {
	type httpd_t;
	type unreserved_port_t;
	type httpd_config_t;
	class tcp_socket name_bind;
	class file { append create };
	class dir { add_name write };
}

#============= httpd_t ==============
allow httpd_t httpd_config_t:dir { add_name write };
allow httpd_t httpd_config_t:file { append create };

The require block also lists unreserved_port_t with tcp_socket name_bind: that is nginx trying to bind 8081, which is not among the ports labelled http_port_t on CentOS 7 (80, 81, 443, 488, 8008, 8009, 8443 and 9000 are); the matching allow rule is missing from the output as captured above. Do not install this module as generated. The two rules shown would let the web server write into /etc/nginx, and the port belongs in http_port_t (semanage port -a -t http_port_t -p tcp 8081) rather than being opened by a custom rule. audit2allow is most useful for reading what was denied; each denial then gets its targeted fix (a port label, a file context, a boolean, or a configuration change), and a custom module is the last resort for whatever remains.
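As an added example, not part of the original post, the following script does that reading step without building a module: it collapses repeated denials for httpd_t into distinct (permissions, target type, object class) tuples and prints the fix each one needs. The audit records in SAMPLE_AUDIT are constructed to resemble the denials implied by the output above (bind 8081, writes under /etc/nginx, content under /home) plus one unrelated denial to show the fallthrough; they are not copied from a real audit.log. WEBROOT in the printed fix is a placeholder for the served directory.

```shell
#!/bin/sh
# Added example (not from the original post): read AVC denials for nginx
# (domain httpd_t) from audit.log and print the specific fix each one calls
# for, instead of making the domain permissive or loading audit2allow's
# rules unread. SAMPLE_AUDIT is constructed, not taken from a real system.
set -eu

SAMPLE_AUDIT='type=AVC msg=audit(1537297643.101:201): avc:  denied  { name_bind } for  pid=12298 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1537297650.204:209): avc:  denied  { name_bind } for  pid=12310 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1537297643.102:202): avc:  denied  { write } for  pid=12298 comm="nginx" name="nginx" dev="dm-0" ino=1048 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1537297643.102:203): avc:  denied  { create } for  pid=12298 comm="nginx" name="none" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537297651.417:212): avc:  denied  { read } for  pid=12311 comm="nginx" name="index.html" dev="dm-0" ino=7731 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537297651.418:213): avc:  denied  { name_connect } for  pid=12311 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# triage_avc: read audit records on stdin; print one tab-separated line per
# distinct (permissions, target type, object class) denied to httpd_t,
# followed by the recommended fix. WEBROOT is a placeholder for the
# directory being served.
triage_avc() {
    awk '
    /^type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        tctx = $0;  sub(/.*tcontext=/, "", tctx);       sub(/ .*/, "", tctx)
        split(tctx, t, ":"); ttype = t[3]
        cls = $0;   sub(/.*tclass=/, "", cls);          sub(/ .*/, "", cls)
        key = perms " " ttype " " cls
        if (key in seen) next            # same denial repeated: report once
        seen[key] = 1
        if (cls == "tcp_socket" && perms == "name_bind") {
            # a listen port outside http_port_t: label the port, no custom rule
            port = $0; sub(/.*src=/, "", port); sub(/ .*/, "", port)
            fix = "semanage port -a -t http_port_t -p tcp " port
        } else if (ttype == "httpd_config_t") {
            # the web server must never write its own configuration directory
            fix = "nginx is writing under /etc/nginx; fix the directive that names that file, do not allow the write"
        } else if (ttype ~ /home/ && (cls == "file" || cls == "dir")) {
            # content still carries a home-directory type: persistent relabel
            fix = "semanage fcontext -a -t httpd_sys_content_t \"WEBROOT(/.*)?\" && restorecon -Rv WEBROOT"
        } else {
            fix = "unclassified: run audit2allow -w on this record before writing a custom rule"
        }
        printf "%s\t%s\n", key, fix
    }'
}

# Usage: sh avc-triage.sh /var/log/audit/audit.log
# With no argument the constructed sample is used, to show the output shape.
if [ $# -ge 1 ]; then
    triage_avc < "$1"
else
    printf '%s\n' "$SAMPLE_AUDIT" | triage_avc
fi
```

Run it on the server after a failed start in enforcing mode, or with httpd_t temporarily permissive so that every denial is logged rather than just the first. Anything reported as unclassified is the candidate for audit2allow -w and, only if the access is justified, for a small custom module; the port, content and configuration cases above never need one.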
