NGINX中遇到SELinux 13:permission denied
被selinux坑了。抓包发现端口始终没有流量, 操作过程中还特地dmesg看了c并没发现selinux的异常。
https://www.nginx.com/blog/using-nginx-plus-with-selinux/
https://blog.csdn.net/aqzwss/article/details/51134591
When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.
[Editor: Oracle Linux was not supported at the time this article was originally published. Because it is based on RHEL, this article applies to it as well.]
Overview of SELinux
SELinux is enabled by default on RHEL and CentOS servers. Each operating system object (process, file descriptor, file, etc.) is associated with an SELinux context that defines the permissions and operations the object can perform. During an upgrade to RHEL 6.6 or CentOS 6.6, NGINX’s association is changed to the httpd_t context:
ps auZ | grep nginx
unconfined_u:system_r:httpd_t:s0 3234 ? Ss 0:00 nginx: master process \
/usr/sbin/nginx \
-c /etc/nginx/nginx.conf
unconfined_u:system_r:httpd_t:s0 3236 ? Ss 0:00 nginx: worker process
The httpd_t context permits NGINX to listen on common web server ports, to access configuration files in /etc/nginx, and to access content in the standard docroot location (/usr/share/nginx). It does not permit many other operations, such as proxying to upstream locations or communicating with other processes through sockets.
SELinux Modes
SELinux can be run in enforcing, permissive, or disabled mode. When you make a configuration change that might breach the current permissions, you can move SELinux from enforcing to permissive mode, on your test environment (if available) or on production. In permissive mode, SELinux permits all operations, but logs operations that would have breached the security policy in enforcing mode.
To add httpd_t to the list of permissive domains, run this command:
# semanage permissive -a httpd_t
To delete httpd_t from the list of permissive domains, run:
# semanage permissive -d httpd_t
To set the mode globally to permissive, run:
# setenforce 0
To set the mode globally to enforcing, run:
# setenforce 1
Checking for SELinux Exceptions
In permissive mode, security exceptions are logged to /var/log/audit/audit.log. If you encounter a problem that occurs only when NGINX is in enforcing mode, review the exceptions that are logged inpermissive mode and update the security policy to permit them.
Example 1: Proxy Connection is Forbidden
By default, the SELinux configuration does not allow NGINX to connect to a remote web, fastCGI, or other server, as indicated by an audit log message like the following:
type=AVC msg=audit(1415714880.156:29): avc: denied { name_connect } for pid=1349 \
comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415714880.156:29): arch=c000003e syscall=42 success=no \
exit=-115 a0=b \a1=16125f8 a2=10 a3=7fffc2bab440 items=0 ppid=1347 pid=1349 \
auid=1000 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 \
tty=(none) ses=1 comm="nginx" exe="/usr/sbin/nginx" \
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
To interpret the message code (1415714880.156:29), run the audit2why command:
# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1415714880.156:29): avc: denied { name_connect } for pid=1349 \
comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to act as a relay
Allow access by executing:
# setsebool -P httpd_can_network_relay 1
Description:
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow access by executing:
# setsebool -P httpd_can_network_connect 1
The output from audit2why recommends setting one or more Boolean options. To permit the proxy connect operation, you can enable these Boolean options, either temporarily or permanently (add the -Poption).
Understanding Boolean Options
If you install the setools package (yum install setools), you can run the sesearch command to get more information about the Boolean options. Here we present examples for the httpd_can_network_relay andhttpd_can_network_connect options.
The httpd_can_network_relay Boolean Option
# sesearch -A -s httpd_t -b httpd_can_network_relay
Found 10 semantic av rules:
allow httpd_t gopher_port_t : tcp_socket name_connect ;
allow httpd_t http_cache_client_packet_t : packet { send recv } ;
allow httpd_t ftp_port_t : tcp_socket name_connect ;
allow httpd_t ftp_client_packet_t : packet { send recv } ;
allow httpd_t http_client_packet_t : packet { send recv } ;
allow httpd_t squid_port_t : tcp_socket name_connect ;
allow httpd_t http_cache_port_t : tcp_socket name_connect ;
allow httpd_t http_port_t : tcp_socket name_connect ;
allow httpd_t gopher_client_packet_t : packet { send recv } ;
allow httpd_t memcache_port_t : tcp_socket name_connect ;
This output indicates that httpd_can_network_relay permits connection to ports of various types, including type http_port_t:
# semanage port -l | grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
To add more ports to the set (in this case, 8082), run:
# semanage port -a -t http_port_t -p tcp 8082
If a message indicates that a port is already defined, as in the following example, it means the port is included in another set. Do not reassign it, because other services might be negatively affected.
# semanage port -a -t http_port_t -p tcp 8080
/usr/sbin/semanage: Port tcp/8080 already defined
# semanage port -l | grep 8080
http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
The httpd_can_network_connect Boolean Option
# sesearch -A -s httpd_t -b httpd_can_network_connect
Found 1 semantic av rules:
allow httpd_t port_type : tcp_socket name_connect ;
The httpd_can_network_connect option allows httpd_t to connect to all TCP socket types that have theport_type attribute. To list them, run:
# seinfo -aport_type -x
Example 2: File Access is Forbidden
By default, the SELinux configuration does not allow NGINX to access files outside of well-known authorized locations, as indicated by an audit log message like the following:
type=AVC msg=audit(1415715270.766:31): avc: denied { getattr } for pid=1380 \
comm="nginx" path="/www/t.txt" dev=vda1 ino=1084 \
scontext=unconfined_u:system_r:httpd_t:s0 \
tcontext=unconfined_u:object_r:default_t:s0 tclass=file
To interpret the message code (1415715270.766:31), run the audit2why command:
# grep 1415715270.766:31 /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1415715270.766:31): avc: denied { getattr } for pid=1380 \
comm="nginx" path="/www/t.txt" dev=vda1 ino=1084 \
scontext=unconfined_u:system_r:httpd_t:s0 \
tcontext=unconfined_u:object_r:default_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
When file access is forbidden, you have two options.
Option 1: Modify the File Label
Modify the file label so that the httpd_t domain can access the file:
# chcon -v --type=httpd_sys_content_t /www/t.txt
By default, this modification is deleted when the file system is relabelled. To make the change permanent, run:
# semanage fcontext -a -t httpd_sys_content_t /www/t.txt
# restorecon -v /www/t.txt
To modify file labels for groups of files, run:
# semanage fcontext -a -t httpd_sys_content_t /www(/.*)?
# restorecon -Rv /www
Option 2: Extend the httpd_t Domain Permissions
Extend the httpd_t policy to allow access to additional file locations:
# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
# cat nginx.te
module nginx 1.0;
require {
type httpd_t;
type default_t;
type http_cache_port_t;
class tcp_socket name_connect;
class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t default_t:file { read getattr open };
#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;
To create a compiled policy, include the -M option:
# grep nginx /var/log/audit/audit.log | audit2allow -M nginx
To load the policy, run semodule -i, then verify success with semodule -l:
# semodule -i nginx.pp
# semodule -l | grep nginx
nginx 1.0
This change persists across reboots.
Additional Resources
SELinux is a complex and powerful facility for managing operating system permissions. Additional information is available at the following locations.
SELinux Documentation (United States National Security Agency)
Security-Enhanced Linux User Guide (Fedora project)
Security-Enhanced Linux User Guide (Red Hat)
SELinux project home page
SELinux How-to (CentOS)
NGINX中遇到SELinux 13:permission denied的更多相关文章
- nginx权限问题failed(13:Permission denied)
nginx权限问题failed(13:Permission denied) 环境配置 nginx Permission denied 问题: 使用nginx代理uwsgi,出现500错误,查看ngi ...
- 解决Nginx出现403 forbidden (13: Permission denied)报错的四种方法
我是在在本地用虚拟机中通过yum安装nginx的,安装一切正常,但是访问时报403, 于是查看nginx日志,路径为/var/log/nginx/error.log.打开日志发现报错Permissio ...
- nginx的权限问题(13: Permission denied)解决办法
一个nginx带多个tomcat集群环境,老是报如下错误: 2012/03/07 15:30:39 /opt/nginx/proxy_temp/4/31/0000000314" fail ...
- nginx 502错 failed (13: Permission denied)
安装nginx和php-fpm之后出现502错误 找了个理由说php-fpm不启动 ,但在我的实践中,该过程开始 找了半天没找到病因.视图nginx记录后 我发现下面的错误 [crit] 2686#0 ...
- Centos75 解决Nginx出现403 forbidden(13: Permission denied)
Centos75 新安装的vm,nginx出现403 forbidden 一般为SELinux设置为开启状态(enabled)的原因 切为root ,执行: sed -i 's/SELINUX=enf ...
- Nginx出现403 forbidden (13: Permission denied)报错的四种原因
一.由于php-fpm启动用户和nginx工作用户不一致所致 php-fpm启动用户配置位置 nginx工作用户配置位置 二.不存在在文件,可能是文件路径有误,可以查看nginx错误日志来判断 三.缺 ...
- nginx报错:failed (13: Permission denied)
vim nginx.conf 修改user nginx为当前系统用户,如:user root
- Nginx报错403 forbidden (13: Permission denied)的解决办法
由于开发需要,在本地环境中配置了LNMP环境,使用的是Centos 6.5 的yum安装,安装一切正常,但是由于默认网站文件夹比较奇葩,于是把网站文件用mv命令移动到了新的目录,并相应修改了配置文件, ...
- 解决Nginx的connect() to 127.0.0.1:8080 failed (13: Permission denied) while connect
在进行Nginx+Tomcat 负载均衡的时候遇到了这个权限问题,在error.log日志中.我们能够看到例如以下: connect() to 127.0.0.1:8080 failed (13: P ...
随机推荐
- 关于浮点数的json解析
近期在工作中遇到个问题 通过post请求从其他系统(好像是C#写的)获得json字符串 {"geometry":{"rings":[[[40426489.331 ...
- [分享]windows下编译squid的经验(转)
squid是什么我这里就不说了,这不是本文的重点,总之它是一个集:代理.加速.缓存.负载均衡.防盗链.访问控制等多功能的一个超牛X开源软件,如今已经广泛应用于很多领域.对于缓存和加速这一领域,如今各大 ...
- MFC错误集锦
MFC中相关报错及其解决的方法: (1)0x00000005: 解决的方法:看是哪里的 数组越界: (2)0xCCCCCCCC:在类中声明指针,但没有赋初值之类的错误. 解决的方法:在类的构造函数中给 ...
- CentOS6.9 下编译安装MySQL5.7.19
官网:https://www.mysql.com/ 下载地址:https://cdn.mysql.com//Downloads/MySQL-5.7/mysql-5.7.19.tar.gz 一.准备工作 ...
- PYTHON测试邮件系统弱密码
#-*- coding:utf-8 -*- #测试公司邮件系统弱密码, from email.mime.text import MIMEText import smtplib #弱密码字典 passL ...
- Lumen开发:lumen源码解读之初始化(1)——app实例
版权声明:本文为博主原创文章,未经博主允许不得转载. 有些注释来着原文的百度翻译,可以有些难理解或者奇怪,我后面会根据自己的理解做调整的哈!!!不喜勿喷,层主英语不过关... 先来看看入口文件publ ...
- OGEngine教程:字体工具使用
1.打开 BitmapFont tool,在红框中输入你要显示的字. 2.写完后保存字体文件 watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvT3Jhbmdl ...
- WebView中打开相机,文件选择器的问题和解决方法
近几年前端开发真是越来越火,H5页面开发的移动端页面甚至有夺我原生开发半壁江山的意思,忧伤忧伤.不过从实际情况考虑,H5一套代码到处跑的特性,我们的Android, IOS ...也就只能呵呵了.然而 ...
- proxool连接池 异常
这是第二次整理这个文章: 首先说明proxool连接池有两种配置方式: 第一种:采用jdbc.properties的方式 第二种:采用proxool.xml的配置方 后面在完善这两种配置方式(在上班哦 ...
- java List的相关工具类
1. <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</ar ...