nginx and SELinux

Preface:

[root@minimal ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@minimal ~]# nginx -v
nginx version: nginx/1.12.1

When setting up the nginx virtual host, the path, PHP handling and file permissions had all been configured, yet access was still being denied, so I checked the nginx error log (www-data is the user and group that nginx runs as).
Check the file and directory permissions:

[root@minimal ~]# ll /www/
drwxr-xr-x. 11 www-data www-data 275 7月  18 18:30 lyadmin
[root@minimal ~]# ll -a / |grep ww
drwxr-xr-x.   3 www-data www-data   21 7月  18 18:11 www

Check the ports opened on the server:

[root@minimal ~]# firewall-cmd --list-ports
3306/tcp 9000/tcp 80/tcp 25/tcp

Check the nginx error log:

[root@minimal ~]# tailf /var/log/nginx/error.log
2017/07/19 10:01:05 [error] 1515#1515: *1 "/www/lyadmin/index.php" is forbidden (13: Permission denied), client: 192.168.1.102, server: lyadmin.com, request: "GET / HTTP/1.1", host: "lyadmin.com"

That pointed me at the firewall. A Linux system has two firewalls: one is firewalld, the other is SELinux. What does each of them do?

Check the SELinux status:
1. sestatus -v ## if the "SELinux status" field reads enabled, SELinux is on
SELinux status: enabled
2. getenforce ## this command can also be used to check

Disable SELinux:
1. Temporarily (no reboot needed):
## Set SELinux to permissive mode; there are three modes in total:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

Mode one: enforcing, the SELinux policy is enforced;
Mode two: permissive, the SELinux policy is relaxed and warnings are printed instead; this is effectively a temporary shutdown of the SELinux firewall, and it comes back into effect once the server reboots;
Mode three: disabled, SELinux is shut off completely.
Let's try the second mode here, a temporary shutdown, to see whether this is what is causing the problem.
The command is:

setenforce 0     

setenforce 1 switches SELinux back to enforcing mode

2. Edit the configuration file (requires a reboot):
Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled.
This step requires a reboot! It disables SELinux completely.

Check the SELinux booleans related to http:

[root@minimal ~]# getsebool -a |grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off

Everything that should be on is on, but it still does not fix nginx's cross-directory access problem. If anyone has a better approach, please leave me a comment!
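The checks above stop at the booleans, but the man page section that follows points at the usual cause of a "13: Permission denied" on a hand-made directory such as /www: file labeling. The trailing "." in the `ll` output earlier means the directory carries an SELinux context, and a directory created by hand directly under / normally ends up labeled default_t, which the confined web server domain (httpd_t, under which nginx runs on CentOS 7's targeted policy) cannot read no matter which httpd booleans are on. The script below is an added example, not code from the original post: it pulls the type out of a context or an `ls -Z` line, decides whether httpd_t can read that type, looks a boolean up in `getsebool -a` style text, and prints the persistent relabel commands (semanage fcontext plus restorecon, both referenced by the man page) in place of setenforce 0. The list of readable types and the default_t sample context are assumptions stated in the comments; /www is the post's own path.

```shell
#!/bin/sh
# Added example, not code from the original post. Triages an nginx
# "13: Permission denied" on a web root under SELinux before anyone runs
# setenforce 0 or sets SELINUX=disabled.
# Assumptions (not from the post): CentOS 7 targeted policy, nginx confined
# as httpd_t, the httpd_sys_*_content_t types as the readable web content types.

# Third ':' field of the first context-looking token in the input, so it accepts
# either a bare context "unconfined_u:object_r:default_t:s0" or a full `ls -Z` line.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, f, ":"); print f[3]; exit }
    }'
}

# Returns 0 when a file of this type is readable by httpd_t with no boolean change.
web_readable_type() {
    case "$1" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t|httpd_sys_script_exec_t)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# State ("on"/"off") of one boolean in `getsebool -a` style text: "name --> on".
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3; exit }'
}

# Persistent fix for a mislabeled web root: store the rule in the policy store,
# then apply it to the existing tree. Survives a full relabel, unlike a one-off chcon.
relabel_commands() {
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Classify the web root from its context and the current booleans.
#   $1 = web root path, $2 = context or `ls -dZ` line, $3 = `getsebool -a` text
diagnose() {
    t=$(context_type "$2")
    if web_readable_type "$t"; then
        echo "ok: type $t is readable by httpd_t"
    elif [ "$t" = "user_home_t" ] && [ "$(bool_state httpd_read_user_content "$3")" = "on" ]; then
        echo "ok: type $t is readable because httpd_read_user_content is on"
    else
        echo "relabel: type $t is not a web content type; run:"
        relabel_commands "$1"
    fi
}

# Live run where the SELinux tools and the post's /www exist; otherwise a
# constructed context showing what a hand-made directory under / usually gets.
if command -v getenforce >/dev/null 2>&1 && [ -d /www ]; then
    echo "SELinux mode: $(getenforce)"
    diagnose /www "$(ls -dZ /www)" "$(getsebool -a)"
    # Recent AVC denials for nginx, when auditd is recording them.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -c nginx -ts recent 2>/dev/null || true
    fi
else
    # Constructed sample: two lines copied from the post's getsebool list.
    SAMPLE_BOOLS='httpd_enable_homedirs --> on
httpd_read_user_content --> off'
    diagnose /www "drwxr-xr-x. www-data www-data unconfined_u:object_r:default_t:s0 /www" "$SAMPLE_BOOLS"
fi
```

Run it on the box as root: if the output starts with "relabel:", apply the two printed commands and retry the request with SELinux still enforcing; a `setenforce 0` test that makes the error disappear confirms SELinux is involved but tells you nothing about why, whereas the type shown here does.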

The official SELinux documentation (from the selinux(8) man page):

selinux(8)                                         SELinux Command Line documentation                                         selinux(8)

NAME
       SELinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux
       operating system. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access
       control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level
       Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/research/selinux.

       The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux
       operates in permissive mode or enforcing mode. The SELINUX variable may be set to any one of disabled, permissive, or enforcing
       to select one of these options. The disabled option completely disables the SELinux kernel and application code, leaving the
       system running without any SELinux protection. The permissive option enables the SELinux code, but causes it to operate in a
       mode where accesses that would be denied by policy are permitted but audited. The enforcing option enables the SELinux code and
       causes it to enforce access denials as well as auditing them. Permissive mode may yield a different set of denials than
       enforcing mode, both because enforcing mode will prevent an operation from proceeding past the first denial and because some
       application code will fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is active on the system. SELinux allows for multiple
       policies to be installed on the system, but only one policy may be active at any given time. At present, multiple kinds of
       SELinux policy exist: targeted, mls for example. The targeted policy is designed as a policy where most user processes operate
       without restrictions, and only specific services are placed into distinct security domains that are confined by the policy.
       For example, the user would run in a completely unconfined domain while the named daemon or apache daemon would run in a
       specific domain tailored to its operation. The MLS (Multi-Level Security) policy is designed as a policy where all processes
       are partitioned into fine-grained security domains and confined by policy. MLS also supports the Bell And LaPadula model, where
       processes are not only confined by the type but also the level of the data.

       You can define which policy you will run by setting the SELINUXTYPE environment variable within /etc/selinux/config. You must
       reboot and possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy
       configuration for each such policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directories.

       A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime policy
       booleans. system-config-selinux allows customization of these booleans and tunables.

       Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.

FILE LABELING
       All files, directories, devices ... have a security context/label associated with them. These contexts are stored in the
       extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be
       caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good
       indicator that you have a serious problem with file system labeling.

       The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux also has
       this capability. The restorecon/fixfiles commands are also available for relabeling files.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

FILES
       /etc/selinux/config

SEE ALSO
       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8), fixfiles(8), restorecon(8), setfiles(8),
       semanage(8), sepolicy(8), seinfo(8), sesearch(8)

       Every confined service on the system has a man page in the following format:

       <servicename>_selinux(8)