SELinux 正在阻止 /usr/sbin/nginx 对文件 /etc/ld.so.cache 执行访问

tag-icon tag-icon linux security nginx selinux
SELinux 正在阻止 /usr/sbin/nginx 对文件 /etc/ld.so.cache 执行访问

我遇到了一个奇怪的 SElinux 问题,如果我用sudo systemctl restart nginxSElinux 重新启动 Nginx,enforcing服务器就会堵塞,导致网站崩溃,并且服务器 CPU 负载达到 70-90%。如果我在 SElinuxpermissive模式下重新启动 Nginx,一切都会按预期工作。

运行命令sudo journalctl -p err -b | grep -i selinux我收到 2 个 SElinux 警报SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cacheSELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero详细信息如下)。

/etc/ld.so.cache信息:

ls -laZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache

如果我运行一个新的缓存文件,那么就会在运行sudo ldconfig中创建。/etc/ld.so.cacheldconfig

ldconfig --version
ldconfig (GNU libc) 2.17

根据ldconfig_selinux手册页LD配置

The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep ldconfig_t

但是当我运行上面的命令时,grep 没有返回任何内容。这可能并不重要,但我想我应该提一下。

我还尝试将文件权限更改为:sudo chmod 0755 /etc/ld.so.cachesudo chmod 0750 /etc/ld.so.cache不起作用。

编辑:这是我的 Nginx systemd 脚本的副本。

sudo vi /usr/lib/systemd/system/nginx.service

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target

SELinux 警报:

SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:ld_so_cache_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           nginx-1.15.7-1.x86_64
Target RPM Packages           glibc-2.17-260.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   35
First Seen                    2019-03-02 16:08:25 GMT
Last Seen                     2019-03-07 12:08:18 GMT
Local ID                      2bd8aa83-8ba0-49fa-83f8-7f5924ad194c

Raw Audit Messages
type=AVC msg=audit(1551960498.942:1179942): avc:  denied  { execute } for  pid=28695 comm="nginx" path="/etc/ld.so.cache" dev="sda2" ino=9177558 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1551960498.942:1179942): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=a942 a2=1 a3=2 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,ld_so_cache_t,file,execute

-----------------------

SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed map access on the zero chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:zero_device_t:s0
Target Objects                /dev/zero [ chr_file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           nginx-1.15.7-1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   83
First Seen                    2019-03-02 16:08:25 GMT
Last Seen                     2019-03-07 12:08:19 GMT
Local ID                      4155f3e6-d77d-479b-9642-b90b4512e49a

Raw Audit Messages
type=AVC msg=audit(1551960499.20:1179949): avc:  denied  { map } for  pid=28695 comm="nginx" path="/dev/zero" dev="devtmpfs" ino=2053 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1551960499.20:1179949): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=48000 a2=3 a3=1 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,zero_device_t,chr_file,map

相关内容