SELinux is preventing nginx from write access on the Unicorn socket

I'm trying to set up my Rails app with Nginx and Unicorn.

Nginx throws the following error when I access my Rails app's root URL:

Feb 14 23:39:42 servercentos7 python[5604]: SELinux is preventing /usr/sbin/nginx from write access on the sock_file /var/www/amily_photo/shared/tmp/sockets/unicorn.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed write access on the unicorn.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nginx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I already ran the two commands mentioned in the error report, but it didn't work:

grep nginx /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

nginx.conf:

worker_processes 1;

user root root; # for systems with a "nogroup"

# Feel free to change all paths to suit your needs here, of course
pid /tmp/nginx.pid;
error_log /tmp/nginx.error.log;

events {
  worker_connections 1024; # increase if you have lots of clients
  accept_mutex off; # "on" if nginx worker_processes > 1
  # use epoll; # enable for Linux 2.6+
  # use kqueue; # enable for FreeBSD, OSX
}

http {
  # nginx will find this file in the config directory set at nginx build time
  include mime.types;

  # fallback in case we can't determine a type
  default_type application/octet-stream;

  # click tracking!
  access_log /tmp/nginx.access.log combined;

  sendfile on;

  tcp_nopush on; # off may be better for *some* Comet/long-poll stuff
  tcp_nodelay off; # on may be better for some Comet/long-poll stuff

  gzip on;
  gzip_http_version 1.0;
  gzip_proxied any;
  gzip_min_length 500;
  gzip_disable "MSIE [1-6]\.";
  gzip_types text/plain text/html text/xml text/css
             text/comma-separated-values
             text/javascript application/x-javascript
             application/atom+xml;

  include /etc/nginx/sites-enabled/*;

  ##########################################################
  # Catch all requests to server ip so just hitting the ip
  # won't render anything.
  ##########################################################
  server {
    listen   80 default;
    server_name  everythingelse;

    # Everything is a 404
    location / {
      return 404;
    }
  }
}

Nginx config for the app:

##############################################################
# Upstream must have unique name and unique socket.          #
# The socket must match what is in the app's unicorn.rb file #
##############################################################
upstream amily_photo_server {
  server unix:/tmp/unicorn_amily_photo.sock fail_timeout=0;
}

##############################
# Server configs go here     #
##############################
server {
  listen 80;

  client_max_body_size 4G;
  server_name XN--80AA1ABXAPNQ1A.XN--P1AI;
  keepalive_timeout 5;

  #########################################################
  # This should go to the public folder of your rails app #
  #########################################################
  root /var/www/amily_photo/current/public;

  # The named location after @ must match the "location @..." block below
  try_files $uri/index.html $uri.html $uri @amily_photo_server;
  location @amily_photo_server {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    #############################################
    # This should be http://upstream; with the  #
    # upstream specified above.                 #
    #############################################
    proxy_pass http://amily_photo_server;
  }
  error_page 500 502 503 504 /500.html;
  location = /500.html {
    #########################################################
    # This should go to the public folder of your rails app #
    #########################################################
    root /var/www/amily_photo/current/public;
  }
}

These posts didn't help:

I don't know what to do…

Please help.

Answer 1

To check whether SELinux is the cause, you can disable it:

sudo setenforce 0

But turning it off isn't safe, and the problem comes back when you reboot.

A good detailed article: https://nts.strzibny.name/allowing-nginx-to-use-a-pumaunicorn-unix-socket-with-selinux/

In short, you need to run this command and save its output to a file named nginx.te:

sudo grep nginx /var/log/audit/audit.log | audit2allow -m nginx

module nginx 1.0;

require {
        type httpd_t;
        type initrc_t;
        class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;

Then check, compile and install it:

sudo checkmodule -M -m -o nginx.mod nginx.te
sudo semodule_package -o nginx.pp -m nginx.mod
sudo semodule -i nginx.pp
