背景

最近倒騰伺服器的時候，選擇了CentOS7操作系統，在安裝配置Nginx的時候遇到了Permission Denied問題。按照chown和chmod進行配置無果，後來定位到SELinux問題。

SELinux是什麼？

When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.

Nginx安裝

按照如下配置，是可以正常啟動nginx，並且訪問到nginx的歡迎頁面。

# 添加nginx源
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# 安裝
sudo yum install -y nginx
# 啟動
systemctl start nginx.service

自定義配置

配置文件地址：

/etc/nginx/nginx.conf

自定義配置文件通常放到conf.d目錄下：

$nginx_conf/conf.d/default.conf

添加自定義項目配置

server {
listen 8081;
server_name localhost;
access_log /var/log/nginx/access.log main;
location / {
root /home/custom/web; # 自定義路徑
index index.html index.htm;
}
}

此時再啟動nginx程序，發現無法正常啟動。

systemctl start nginx

於是，使用nginx命令啟動，啟動正常，但是訪問頁面出現403許可權問題。

nginx # nginx命令啟動

403許可權問題日誌，可以查看到日誌信息。

2018/09/18 23:41:37 [error] 1266#1266: *1 "/home/custom/web/index.html" is forbidden (13: Permission denied), client: xxx.xxx.xxx.xxx, server: localhost, request: "GET / HTTP/1.1", xxx.xxx.xxx.xxx:8081"

通過網上查找資料，大家解決方法是使用root用戶啟動。需要修改nginx.conf文件。

# /etc/nginx/nginx.conf
#user nginx;
user root;
worker_processes 1;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
......
}

SELinux下如何配置

這樣用root用戶啟動程序，在生產環境下是強烈不建議的，存在很大的安全問題。所以需要繼續研究SELinux開啟下，如何進行配置。

在默認倉庫下，nginx能夠正常啟動。查看文件路徑信息，

ll -Zd /usr/share/nginx/html/
# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/

其中，system_u:object_r:httpd_sys_content_t:s0 是當前路徑的安全上下文配置。 通過chcon命令，設置新的目錄地址配置

chcon -Ru system_u /home/custom/web
chcon -Rt httpd_sys_content_t /home/custom/web

此時，將user設置回nginx，並且關閉SELinux下，是能夠正常訪問的。

setenforce 0
systemctl start nginx

但是，當開啟SELinux的時候，啟動，出現如下錯誤日誌：

[root@localhost mgzy]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@localhost mgzy]# systemctl status nginx.service
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 三 2018-09-19 03:07:23 CST; 7s ago
Docs: http://nginx.org/en/docs/
Process: 12298 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
9月 19 03:07:23 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
9月 19 03:07:23 localhost.localdomain nginx[12298]: nginx: [emerg] open() "/etc/nginx/none" failed (13: Permission denied)
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
9月 19 03:07:23 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
9月 19 03:07:23 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service failed.

日誌中，看到/etc/nginx/none文件，有點懵逼，但是Permission denied說明還是許可權問題。此時通過nginx啟動後，能夠生成一個none文件。此時，需要執行如下命令：

# make the process type httpd_t permissive
semanage permissive -a httpd_t

至此，在SELinux下，配置nginx能夠正常工作。

其他說明

通過如下命令能夠查看到nginx依賴的安全信息。

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx
module nginx 1.0;
require {
type httpd_t;
type unreserved_port_t;
type httpd_config_t;
class tcp_socket name_bind;
class file { append create };
class dir { add_name write };
}
#============= httpd_t ==============
allow httpd_t httpd_config_t:dir { add_name write };
allow httpd_t httpd_config_t:file { append create };

喜歡這篇文章嗎？立刻分享出去讓更多人知道吧！