我遇到了一个奇怪的 SElinux 问题,如果我用sudo systemctl restart nginxSElinux 重新启动 Nginx,enforcing服务器就会堵塞,导致网站崩溃,并且服务器 CPU 负载达到 70-90%。如果我在 SElinuxpermissive模式下重新启动 Nginx,一切都会按预期工作。
运行命令sudo journalctl -p err -b | grep -i selinux我收到 2 个 SElinux 警报SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache(SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero详细信息如下)。
/etc/ld.so.cache信息:
ls -laZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
如果我运行一个新的缓存文件,那么就会在运行sudo ldconfig中创建。/etc/ld.so.cacheldconfig
ldconfig --version
ldconfig (GNU libc) 2.17
根据ldconfig_selinux手册页LD配置
The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.
For example:
ps -eZ | grep ldconfig_t
但是当我运行上面的命令时,grep 没有返回任何内容。这可能并不重要,但我想我应该提一下。
我还尝试将文件权限更改为:sudo chmod 0755 /etc/ld.so.cache也sudo chmod 0750 /etc/ld.so.cache不起作用。
编辑:这是我的 Nginx systemd 脚本的副本。
sudo vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
SELinux 警报:
SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that nginx should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:ld_so_cache_t:s0
Target Objects /etc/ld.so.cache [ file ]
Source nginx
Source Path /usr/sbin/nginx
Port <Unknown>
Host di-staging
Source RPM Packages nginx-1.15.7-1.x86_64
Target RPM Packages glibc-2.17-260.el7.x86_64
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 35
First Seen 2019-03-02 16:08:25 GMT
Last Seen 2019-03-07 12:08:18 GMT
Local ID 2bd8aa83-8ba0-49fa-83f8-7f5924ad194c
Raw Audit Messages
type=AVC msg=audit(1551960498.942:1179942): avc: denied { execute } for pid=28695 comm="nginx" path="/etc/ld.so.cache" dev="sda2" ino=9177558 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551960498.942:1179942): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=a942 a2=1 a3=2 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: nginx,httpd_t,ld_so_cache_t,file,execute
-----------------------
SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that nginx should be allowed map access on the zero chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:zero_device_t:s0
Target Objects /dev/zero [ chr_file ]
Source nginx
Source Path /usr/sbin/nginx
Port <Unknown>
Host di-staging
Source RPM Packages nginx-1.15.7-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 83
First Seen 2019-03-02 16:08:25 GMT
Last Seen 2019-03-07 12:08:19 GMT
Local ID 4155f3e6-d77d-479b-9642-b90b4512e49a
Raw Audit Messages
type=AVC msg=audit(1551960499.20:1179949): avc: denied { map } for pid=28695 comm="nginx" path="/dev/zero" dev="devtmpfs" ino=2053 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1551960499.20:1179949): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=48000 a2=3 a3=1 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: nginx,httpd_t,zero_device_t,chr_file,map