Goal: build a WordPress site in an LNMP environment.
Where:
- Nginx and PHP are installed on the web server (web01)
- MariaDB is installed on the database server (db01)
- The WordPress directory is mounted from the storage server (nfs01)
Nginx
Following the official documentation at http://nginx.org/en/linux_packages.html#RHEL-CentOS
Install the software:
[root@web01 ~]# vi /etc/yum.repos.d/nginx.repo
[root@web01 ~]# cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[root@web01 ~]# dnf install nginx
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
CentOS-8 - Base - mirrors.aliyun.com 36 kB/s | 3.9 kB 00:00
CentOS-8 - Extras - mirrors.aliyun.com 16 kB/s | 1.5 kB 00:00
Extra Packages for Enterprise Linux Modular 8 - x86_64 26 kB/s | 3.0 kB 00:00
Extra Packages for Enterprise Linux 8 - x86_64 17 kB/s | 4.7 kB 00:00
nginx stable repo 17 kB/s | 16 kB 00:00
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Installing:
nginx x86_64 1:1.18.0-1.el8.ngx nginx-stable 806 k
Transaction Summary
=============================================================================================================================================================================
Install 1 Package
Total download size: 806 k
Installed size: 3.6 M
Is this ok [y/N]:
Configure the firewall:
[root@web01 ~]# firewall-cmd --zone=public --permanent --add-service=http
success
[root@web01 ~]# firewall-cmd --zone=public --permanent --add-service=https
success
[root@web01 conf.d]# firewall-cmd --reload
success
[root@web01 ~]# systemctl start nginx
[root@web01 ~]# systemctl enable nginx
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
[root@web01 ~]#
Check that Nginx is working:
Write the configuration file:
[root@web01 ~]# cd /etc/nginx/conf.d/
[root@web01 conf.d]# cp default.conf{,.bak}
[root@web01 conf.d]# grep -Ev '^$|#' default.conf.bak > default.conf
[root@web01 conf.d]# cat default.conf
server {
listen 80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
[root@web01 conf.d]# cp default.conf cloudbarn.conf
[root@web01 conf.d]# vi cloudbarn.conf
[root@web01 conf.d]# cat cloudbarn.conf
server {
listen 80;
server_name cloudbarn.com www.cloudbarn.com;
location / {
root /usr/share/nginx/html/cloudbarn;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
[root@web01 conf.d]# mkdir /usr/share/nginx/html/cloudbarn
[root@web01 conf.d]# echo "Today is a nice day" > /usr/share/nginx/html/cloudbarn/index.html
[root@web01 conf.d]# systemctl restart nginx
PHP
Install the software:
[root@web01 conf.d]# dnf install php php-fpm php-mysqlnd php-json
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Last metadata expiration check: 0:27:24 ago on Tue 08 Sep 2020 07:59:28 PM CST.
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Installing:
php x86_64 7.2.24-1.module_el8.2.0+313+b04d0a66 AppStream 1.5 M
php-fpm x86_64 7.2.24-1.module_el8.2.0+313+b04d0a66 AppStream 1.6 M
Installing dependencies:
apr x86_64 1.6.3-9.el8 AppStream 125 k
apr-util x86_64 1.6.1-6.el8 AppStream 105 k
centos-logos-httpd noarch 80.5-2.el8 base 24 k
...... omitted for brevity
Transaction Summary
=============================================================================================================================================================================
Install 15 Packages
Total download size: 9.2 M
Installed size: 31 M
Is this ok [y/N]:
Configure PHP-FPM to start on boot:
[root@web01 ~]# systemctl enable php-fpm.service
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.
[root@web01 ~]# systemctl start php-fpm.service
[root@web01 ~]#
Write the site configuration file:
[root@web01 conf.d]# cat cloudbarn.conf
server {
listen 80;
server_name cloudbarn.com www.cloudbarn.com;
# note that these lines are originally from the "location /" block
root /usr/share/nginx/html/cloudbarn;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
[root@web01 conf.d]# systemctl restart nginx
Write a test page:
[root@web01 conf.d]# echo '<?php phpinfo() ?>' > /usr/share/nginx/html/cloudbarn/index.html
[root@web01 conf.d]# mv /usr/share/nginx/html/cloudbarn/index{.html,.php}
MariaDB
Note: switch to the database server here.
Install the software:
[root@db01 ~]# dnf install mariadb-server
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
CentOS-8 - Base - mirrors.aliyun.com 29 kB/s | 3.9 kB 00:00
CentOS-8 - Extras - mirrors.aliyun.com 15 kB/s | 1.5 kB 00:00
Extra Packages for Enterprise Linux Modular 8 - x86_64 20 kB/s | 3.0 kB 00:00
Extra Packages for Enterprise Linux 8 - x86_64 56 kB/s | 4.7 kB 00:00
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Installing:
mariadb-server x86_64 3:10.3.17-1.module_el8.1.0+257+48736ea6 AppStream 16 M
Installing dependencies:
mariadb x86_64 3:10.3.17-1.module_el8.1.0+257+48736ea6 AppStream 6.1 M
mariadb-common x86_64 3:10.3.17-1.module_el8.1.0+257+48736ea6 AppStream 62 k
mariadb-connector-c x86_64 3.0.7-1.el8 AppStream 148 k
...... omitted for brevity
Transaction Summary
=============================================================================================================================================================================
Install 55 Packages
Total download size: 44 M
Installed size: 209 M
Is this ok [y/N]:
Start the service:
[root@db01 ~]# systemctl enable mariadb
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.
[root@db01 ~]# systemctl start mariadb
[root@db01 ~]#
Initialize:
[root@db01 ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
[root@db01 ~]#
Configure the database:
[root@db01 ~]# mysql -uroot -pabcd1234..
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.3.17-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database cloudbarn;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> grant all on cloudbarn.* to 'webuser'@'192.168.1.%' identified by 'abcd1234..';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]>
Configure the firewall:
[root@db01 ~]# firewall-cmd --zone=public --permanent --add-service=mysql
success
[root@db01 ~]# firewall-cmd --reload
success
[root@db01 ~]#
WordPress
Note: switch to the storage server here.
Create the export directory on the NFS server (this directory is shared by multiple web servers):
[root@nfs01 ~]# cat /etc/exports
/data/web01 web01(rw)
/data/cloudbarn web0[1-3](rw,anonuid=993,anongid=990)
[root@nfs01 ~]# groupadd nginx -g 990
[root@nfs01 ~]# useradd nginx -M -s /sbin/nologin -u 993 -g 990
[root@nfs01 ~]# mkdir /data/cloudbarn
Keep the NFS directory ownership consistent with the user the Nginx processes run as on the web server:
[root@web01 ~]# id nginx
uid=993(nginx) gid=990(nginx) groups=990(nginx)
[root@web01 ~]#
Download WordPress:
[root@nfs01 ~]# wget https://wordpress.org/latest.tar.gz
--2020-09-09 09:53:25-- https://wordpress.org/latest.tar.gz
Resolving wordpress.org (wordpress.org)... 198.143.164.252
Connecting to wordpress.org (wordpress.org)|198.143.164.252|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12983648 (12M) [application/octet-stream]
Saving to: ‘latest.tar.gz’
latest.tar.gz 26%[======================> ] 3.33M 114KB/s eta 1m 57s
Set up the site directory:
[root@nfs01 ~]# tar -zxf latest.tar.gz -C /data/cloudbarn/
[root@nfs01 ~]# mv /data/cloudbarn/wordpress/* /data/cloudbarn/
[root@nfs01 ~]# rmdir /data/cloudbarn/wordpress/
[root@nfs01 ~]# chown -Rf nginx.nginx /data/cloudbarn/
[root@nfs01 ~]# exportfs -ra
[root@nfs01 ~]#
Mount the directory:
[root@web01 ~]# vi /etc/fstab
[root@web01 ~]# tail -5 /etc/fstab
/dev/mapper/cl-swap swap swap defaults 0 0
# NFS backup dir
nfs01:/data/web01 /daily_bak nfs defaults 0 0
# NFS web dir
nfs01:/data/cloudbarn /usr/share/nginx/html/cloudbarn nfs defaults 0 0
[root@web01 ~]# mount -a
[root@web01 ~]# ls /usr/share/nginx/html/cloudbarn/
index.php readme.html wp-admin wp-comments-post.php wp-content wp-includes wp-load.php wp-mail.php wp-signup.php xmlrpc.php
license.txt wp-activate.php wp-blog-header.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-login.php wp-settings.php wp-trackback.php
[root@web01 ~]#
Initialize WordPress:
Check the logs:
[root@web01 ~]# journalctl -xe
Sep 09 16:14:51 web01 setroubleshoot[14725]: failed to retrieve rpm info for /usr/share/nginx/html/cloudbarn/wp-admin/post.php
Sep 09 16:14:51 web01 setroubleshoot[14725]: SELinux is preventing php-fpm from open access on the file /usr/share/nginx/html/cloudbarn/wp-admin/post.php. For complete SELinux messages run: sealert -l 2c02f4bd-17b9-4ca4-88a2-5903117a1638
Sep 09 16:14:51 web01 platform-python[14725]: SELinux is preventing php-fpm from open access on the file /usr/share/nginx/html/cloudbarn/wp-admin/post.php.
***** Plugin catchall_boolean (47.5 confidence) suggests ******************
If you want to allow httpd to use nfs
Then you must tell SELinux about this by enabling the 'httpd_use_nfs' boolean.
Do
setsebool -P httpd_use_nfs 1
***** Plugin catchall_boolean (47.5 confidence) suggests ******************
If you want to allow git to system use nfs
Then you must tell SELinux about this by enabling the 'git_system_use_nfs' boolean.
Do
setsebool -P git_system_use_nfs 1
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that php-fpm should be allowed open access on the post.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
Sep 09 16:14:58 web01 dbus-daemon[954]: [system] Reloaded configuration
Sep 09 16:14:58 web01 setsebool[14745]: The httpd_use_nfs policy boolean was changed to 1 by root
lines 3306-3363/3363 (END)
Set the SELinux boolean so that the web service processes (php-fpm, which the log shows SELinux confines under the httpd policy) can use NFS:
[root@web01 ~]# setsebool -P httpd_use_nfs 1
[root@web01 ~]#
Configure the database:
Unable to connect to the database:
Confirm that the configuration file is not the problem:
[root@web01 ~]# mysql -u webuser -h db01 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 163
Server version: 10.3.17-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Check the SELinux audit log (use tail -f to follow the log file; press Enter twice first, then refresh the page):
[root@web01 ~]# tail -f /var/log/audit/audit.log
type=MAC_CONFIG_CHANGE msg=audit(1599634427.493:256): bool=httpd_use_nfs val=1 old_val=0 auid=0 ses=6AUID="root"
type=USER_AVC msg=audit(1599634427.501:257): pid=954 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1599634430.314:258): pid=954 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=MAC_POLICY_LOAD msg=audit(1599634428.557:259): auid=0 ses=6 lsm=selinux res=1AUID="root"
type=AVC msg=audit(1599634431.181:260): avc: denied { read } for pid=11880 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599634492.965:261): avc: denied { read } for pid=11881 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599634493.011:262): avc: denied { name_connect } for pid=11881 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599634493.018:263): avc: denied { read } for pid=11881 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599634493.055:264): avc: denied { name_connect } for pid=11881 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599634577.318:265): avc: denied { read } for pid=11884 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599634909.022:266): avc: denied { read } for pid=11880 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
Confirmed that this is an SELinux configuration problem; analyze the logs:
[root@web01 ~]# journalctl -t setroubleshoot
-- Logs begin at Tue 2020-09-08 15:49:54 CST, end at Wed 2020-09-09 15:07:18 CST. --
Sep 09 15:07:15 web01 setroubleshoot[13246]: SELinux is preventing php-fpm from read access on the file hosts. For complete SELinux messages run: sealert -l ff56c7be-33fd-4131-b9ac-923b00e62773
Sep 09 15:07:17 web01 setroubleshoot[13246]: SELinux is preventing php-fpm from read access on the file hosts. For complete SELinux messages run: sealert -l ff56c7be-33fd-4131-b9ac-923b00e62773
[root@web01 ~]#
Run the log event analysis:
[root@web01 ~]# sealert -l ff56c7be-33fd-4131-b9ac-923b00e62773
SELinux is preventing php-fpm from read access on the file hosts.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that php-fpm should be allowed read access on the hosts file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects hosts [ file ]
Source php-fpm
Source Path php-fpm
Port <Unknown>
Host web01
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-41.el8_2.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name web01
Platform Linux web01 4.18.0-193.14.2.el8_2.x86_64 #1 SMP
Sun Jul 26 03:54:29 UTC 2020 x86_64 x86_64
Alert Count 2
First Seen 2020-09-09 15:07:08 CST
Last Seen 2020-09-09 15:07:11 CST
Local ID ff56c7be-33fd-4131-b9ac-923b00e62773
Raw Audit Messages
type=AVC msg=audit(1599635231.998:364): avc: denied { read } for pid=11917 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
Hash: php-fpm,httpd_t,admin_home_t,file,read
Run the suggested commands:
[root@web01 ~]# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-phpfpm.pp
[root@web01 ~]# semodule -i my-phpfpm.pp
[root@web01 ~]#
The connection error is still shown:
[root@web01 ~]# journalctl -t setroubleshoot
-- Logs begin at Tue 2020-09-08 15:49:54 CST, end at Wed 2020-09-09 15:13:01 CST. --
Sep 09 15:07:15 web01 setroubleshoot[13246]: SELinux is preventing php-fpm from read access on the file hosts. For complete SELinux messages run: sealert -l ff56c7be-33fd-4131-b9ac-923b00e62773
Sep 09 15:07:17 web01 setroubleshoot[13246]: SELinux is preventing php-fpm from read access on the file hosts. For complete SELinux messages run: sealert -l ff56c7be-33fd-4131-b9ac-923b00e62773
Sep 09 15:12:58 web01 setroubleshoot[13307]: Deleting alert ff56c7be-33fd-4131-b9ac-923b00e62773, it is allowed in current policy
Sep 09 15:13:00 web01 setroubleshoot[13307]: SELinux is preventing php-fpm from open access on the file /etc/hosts. For complete SELinux messages run: sealert -l 51f5e519-d3ac-44d5-8e5e-1cdb0467e29e
[root@web01 ~]#
On the template machine, the hosts file was created and edited under /root and then moved into /etc with mv. Because mv keeps the file's existing SELinux label, /etc/hosts still carries admin_home_t instead of the net_conf_t it would get from a fresh copy.
That is why the PHP-FPM process cannot read the hosts file; the correct fix is to restore its default file type rather than to allow the access:
[root@web01 ~]# sealert -l 51f5e519-d3ac-44d5-8e5e-1cdb0467e29e
SELinux is preventing php-fpm from open access on the file /etc/hosts.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/etc/hosts default label should be net_conf_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/hosts
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that php-fpm should be allowed open access on the hosts file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects /etc/hosts [ file ]
Source php-fpm
Source Path php-fpm
Port <Unknown>
Host web01
Source RPM Packages
Target RPM Packages setup-2.12.2-5.el8.noarch
Policy RPM selinux-policy-3.14.3-41.el8_2.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name web01
Platform Linux web01 4.18.0-193.14.2.el8_2.x86_64 #1 SMP
Sun Jul 26 03:54:29 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-09-09 15:12:53 CST
Last Seen 2020-09-09 15:12:53 CST
Local ID 51f5e519-d3ac-44d5-8e5e-1cdb0467e29e
Raw Audit Messages
type=AVC msg=audit(1599635573.759:375): avc: denied { open } for pid=11881 comm="php-fpm" path="/etc/hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
Hash: php-fpm,httpd_t,admin_home_t,file,open
[root@web01 ~]#
Run the suggested command:
[root@web01 ~]# restorecon -v /etc/hosts
[root@web01 ~]#
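The two sealert reports above call for different fixes: the NFS denial is answered by a boolean, the /etc/hosts denial by restoring the label, and audit2allow, which the earlier step used, would instead have written a rule letting httpd_t read admin_home_t. As an added example that is not part of the original post, the following POSIX shell script triages AVC records from audit.log into those classes; the sample records are constructed to mirror the ones seen on web01, and the nfs_t record is an assumption of what the post.php denial looked like in audit.log.

```shell
#!/bin/sh
# Added example, not part of the original post: triage SELinux AVC denials
# from /var/log/audit/audit.log and map each one to the narrowest fix, so
# that audit2allow is not the default answer. The sample records below are
# constructed to mirror the denials seen on web01.

# classify_avc LINE  ->  "comm perm tclass target_type action"
classify_avc() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p')
    comm=$(printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    tclass=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    ttype=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    case "$ttype" in
        # A file under /etc still carrying a home-directory label was moved
        # there with mv (which keeps the source label). Relabel it; do not
        # allow httpd_t to read admin_home_t, which is what audit2allow emits.
        admin_home_t|user_home_t) action="relabel:restorecon" ;;
        # Web root lives on NFS: this is exactly what httpd_use_nfs is for.
        nfs_t)                    action="boolean:httpd_use_nfs" ;;
        # Outbound HTTP(S) from php-fpm (WordPress update checks). Enable only
        # if the site needs it; otherwise the denial is the desired outcome.
        http_port_t)              action="boolean:httpd_can_network_connect" ;;
        *)                        action="review" ;;
    esac
    printf '%s %s %s %s %s\n' "$comm" "$perm" "$tclass" "$ttype" "$action"
}

# triage_avc_log < audit.log  ->  "count comm perm tclass target_type action",
# one line per distinct denial; non-AVC records are dropped.
triage_avc_log() {
    grep '^type=AVC ' | while IFS= read -r avc; do
        classify_avc "$avc"
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample: records shaped like the page's audit.log excerpt plus
# one nfs_t denial shaped like the post.php error that journalctl reported.
SAMPLE_AUDIT_LOG='type=MAC_CONFIG_CHANGE msg=audit(1599634427.493:256): bool=httpd_use_nfs val=1 old_val=0 auid=0 ses=6
type=AVC msg=audit(1599634431.181:260): avc: denied { read } for pid=11880 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599634493.011:262): avc: denied { name_connect } for pid=11881 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1599634493.018:263): avc: denied { read } for pid=11881 comm="php-fpm" name="hosts" dev="dm-0" ino=16785789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599634000.000:250): avc: denied { open } for pid=11880 comm="php-fpm" path="/usr/share/nginx/html/cloudbarn/wp-admin/post.php" dev="0:45" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0'

# Stand-alone run: triage the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | triage_avc_log
```

Once /etc/hosts carries net_conf_t again, the my-phpfpm module installed in the earlier step is no longer needed and can be removed with semodule -r my-phpfpm, so that httpd_t does not keep a standing read permission on admin_home_t files.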
The site now displays correctly:
While writing a post, found that files could not be uploaded:
By default the PHP-FPM service reads and writes files as the apache user, but ownership of the NFS directory was granted to the nginx user:
[root@web01 ~]# grep apache /etc/php-fpm.d/www.conf
; RPM: apache user chosen to provide access to the same directories as httpd
user = apache
group = apache
listen.acl_users = apache,nginx
[root@web01 ~]# ps -ef | grep apache
apache 11880 11879 0 14:50 ? 00:00:05 php-fpm: pool www
apache 11881 11879 0 14:50 ? 00:00:05 php-fpm: pool www
apache 11882 11879 0 14:50 ? 00:00:05 php-fpm: pool www
apache 11883 11879 0 14:50 ? 00:00:05 php-fpm: pool www
apache 11884 11879 0 14:50 ? 00:00:05 php-fpm: pool www
apache 11917 11879 0 14:54 ? 00:00:04 php-fpm: pool www
apache 13381 11879 0 15:20 ? 00:00:03 php-fpm: pool www
root 14452 6063 0 15:54 pts/3 00:00:00 grep --color=auto apache
[root@web01 ~]#
Modify the PHP-FPM configuration file:
[root@web01 ~]# sed -i.bak 's/apache$/nginx/g' /etc/php-fpm.d/www.conf
[root@web01 ~]# grep nginx /etc/php-fpm.d/www.conf
user = nginx
group = nginx
listen.acl_users = apache,nginx
[root@web01 ~]# systemctl restart php-fpm.service
[root@web01 ~]# ps -ef | grep php-fpm
root 14529 1 0 16:02 ? 00:00:00 php-fpm: master process (/etc/php-fpm.conf)
nginx 14530 14529 0 16:02 ? 00:00:00 php-fpm: pool www
nginx 14531 14529 0 16:02 ? 00:00:00 php-fpm: pool www
nginx 14532 14529 0 16:02 ? 00:00:00 php-fpm: pool www
nginx 14533 14529 0 16:02 ? 00:00:00 php-fpm: pool www
nginx 14534 14529 0 16:02 ? 00:00:00 php-fpm: pool www
root 14536 6063 0 16:03 pts/3 00:00:00 grep --color=auto php-fpm
[root@web01 ~]#
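To catch this class of problem before it surfaces as a failed upload, here is an added example (not from the original post) that cross-checks the php-fpm pool user against the export's anonuid/anongid and against the account's numeric ids on the web host. The www.conf excerpts and the apache uid/gid of 48 are constructed sample inputs.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the account PHP-FPM
# runs as on a web server has the same numeric uid/gid that the NFS export
# and the files on nfs01 were set up with. NFS carries numeric ids across
# hosts, so a mismatch shows up as WordPress being unable to write uploads
# rather than as an explicit error.

# export_anon_ids EXPORTS_LINE -> "anonuid anongid" from an /etc/exports entry
# of the form "/data/cloudbarn web0[1-3](rw,anonuid=993,anongid=990)".
export_anon_ids() {
    printf '%s\n' "$1" | sed -n 's/.*anonuid=\([0-9]*\),anongid=\([0-9]*\).*/\1 \2/p'
}

# pool_identity POOL_CONF -> "user group" from php-fpm pool text (www.conf);
# ";" comment lines are ignored.
pool_identity() {
    printf '%s\n' "$1" | awk -F' *= *' '
        /^ *;/      {next}
        $1=="user"  {u=$2}
        $1=="group" {g=$2}
        END {print u, g}'
}

# check_alignment EXPORTS_LINE POOL_CONF ID_OUTPUT
#   ID_OUTPUT is what `id <pool user>` printed on the web host, e.g.
#   "uid=993(nginx) gid=990(nginx) groups=990(nginx)".
# Prints "ok: ..." or "mismatch: ..."; returns 1 on any mismatch.
check_alignment() {
    anon=$(export_anon_ids "$1")
    pool=$(pool_identity "$2")
    pool_user=${pool%% *}
    id_name=$(printf '%s\n' "$3" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    id_uid=$(printf '%s\n' "$3" | sed -n 's/^uid=\([0-9]*\).*/\1/p')
    id_gid=$(printf '%s\n' "$3" | sed -n 's/.* gid=\([0-9]*\)(.*/\1/p')
    if [ "$id_name" != "$pool_user" ]; then
        echo "mismatch: id output is for '$id_name' but the pool runs as '$pool_user'"
        return 1
    fi
    if [ "$id_uid $id_gid" != "$anon" ]; then
        echo "mismatch: $pool_user is $id_uid:$id_gid on the web host, export expects $anon"
        return 1
    fi
    echo "ok: $pool_user $id_uid:$id_gid matches the export's anonuid/anongid"
}

# Constructed sample inputs mirroring web01 before and after the sed change.
EXPORTS_LINE='/data/cloudbarn web0[1-3](rw,anonuid=993,anongid=990)'
POOL_BEFORE='; RPM: apache user chosen to provide access to the same directories as httpd
user = apache
group = apache
listen.acl_users = apache,nginx'
POOL_AFTER='user = nginx
group = nginx
listen.acl_users = apache,nginx'
ID_NGINX='uid=993(nginx) gid=990(nginx) groups=990(nginx)'
ID_APACHE='uid=48(apache) gid=48(apache) groups=48(apache)'   # constructed

# Stand-alone run: the state before and after editing www.conf.
check_alignment "$EXPORTS_LINE" "$POOL_BEFORE" "$ID_APACHE" || true
check_alignment "$EXPORTS_LINE" "$POOL_AFTER" "$ID_NGINX"
```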
Test again: