SELinux stops nginx from starting

After restarting the nginx proxy server (only on CentOS 7 + nginx; the other one runs Apache) I get this error:

  DOMAIN systemd[1]: Starting Session 439 of user root.
-- Subject: Unit session-439.scope has begun start-up
-- Defined-By: systemd
--
-- Unit session-439.scope has begun starting up.
Jun 08 06:30:02 DOMAIN CROND[16408]: (root) CMD (/usr/local/sbin/script.sh)
Jun 08 06:30:02 DOMAIN CROND[16409]: (root) CMD (/usr/local/bin/script.pl >/dev/null)
Jun 08 06:31:31 DOMAIN sshd[16419]: Connection closed by 10.1.1.3 [preauth]
Jun 08 06:33:40 DOMAIN run-parts(/etc/cron.daily)[16439]: finished 0yum-daily.cron
Jun 08 06:33:40 DOMAIN run-parts(/etc/cron.daily)[16441]: starting logrotate
Jun 08 06:33:45 DOMAIN run-parts(/etc/cron.daily)[16505]: finished logrotate
Jun 08 06:33:45 DOMAIN run-parts(/etc/cron.daily)[16507]: starting man-db.cron
Jun 08 06:33:47 DOMAIN run-parts(/etc/cron.daily)[16516]: finished man-db.cron
Jun 08 06:33:47 DOMAIN run-parts(/etc/cron.daily)[16518]: starting update-ocsp
Jun 08 06:33:56 DOMAIN systemd[1]: Stopping nginx - high performance web server...
-- Subject: Unit nginx.service has begun shutting down
-- Defined-By: systemd
-- Unit nginx.service has begun shutting down.
Jun 08 06:33:56 DOMAIN systemd[1]: Starting nginx - high performance web server...
-- Subject: Unit nginx.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nginx.service has begun starting up.
Jun 08 06:33:56 DOMAIN nginx[16568]: nginx: [emerg] BIO_new_file("/etc/nginx/ssl/client-ocsp.pem") failed (SSL: error:0200100D:system library:fopen:Permission den
Jun 08 06:33:56 DOMAIN nginx[16568]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 08 06:33:56 DOMAIN systemd[1]: nginx.service: control process exited, code=exited status=1
Jun 08 06:33:56 DOMAIN systemd[1]: Failed to start nginx - high performance web server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Unit nginx.service has failed.
-- The result is failed.

After running

restorecon -R -v /etc/nginx/ssl/
restorecon -R -v /etc/nginx/ssl/*.pem

nginx started. Today I updated the OCSP setup, which had been working fine for a few years, and after restarting nginx I get the same permission denied error.

How do I fix this? This is a production server, so I am a bit afraid to experiment. Thanks.

Answer 1

This is the generic procedure for allowing operations that were previously denied.

(Optional) First, we disable enforcing mode so that we can do everything in one pass instead of re-running after every failure and adding one change at a time:

setenforce 0

Then we start nginx, use it for a while, and restart it (so that anything related to shutdown gets logged as well).

Then we review what we are about to allow:

grep nginx /var/log/audit/audit.log

If you are happy to allow everything listed above:

grep nginx /var/log/audit/audit.log | audit2allow -M my-nginx-module

If not, adjust the grep to match something more specific, for example:

grep -E "name_connect.*nginx|nginx.*someporttype..." /var/log/audit/audit.log

Now we enable enforcing mode again and re-test.

setenforce 1

Answer 2

SELinux does not expect certificates to be placed in the /etc/nginx directory, so if you put them there they may end up with the wrong context.

Store your certificates in the default directory structure under /etc/pki/tls. If you use Let's Encrypt and have the certbot package installed, you can also use /etc/letsencrypt.

Files can also have the wrong context if you used mv instead of cp. On a system with SELinux enabled, remember to copy the file and then delete the original (if it needs removing), or use mv -Z.
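Before piping every nginx denial into audit2allow as in Answer 1, it is worth separating denials caused by a mislabelled file (the page's case, fixed by restorecon as Answer 2 explains) from denials that would need a real policy change. The triage script below is an added example, not code from the question or the answers; the audit lines it parses are constructed, and the set of types httpd_t may read is an assumption to confirm on the host with sesearch.

```python
"""Triage SELinux AVC denials for nginx before reaching for audit2allow."""
import re

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'(?:.*?(?:path|name)="(?P<target>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# File types httpd_t is normally allowed to read for config and certificates.
# Assumption based on the targeted policy; confirm on the host with
# `sesearch -A -s httpd_t -c file -p read`.
WEB_READABLE_TYPES = {"httpd_config_t", "cert_t"}


def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["ttype"] = d["tcontext"].split(":")[2]  # user:role:TYPE:level
    return d


def triage(lines, comm="nginx"):
    """'relabel': file denials where the target type is not web-readable, so a
    wrong label (as with the .pem on this page) is the likely cause and
    restorecon is the fix. 'policy': everything else; review before audit2allow."""
    buckets = {"relabel": [], "policy": []}
    for line in lines:
        d = parse_avc(line)
        if d is None or d["comm"] != comm:
            continue
        mislabelled = d["tclass"] == "file" and d["ttype"] not in WEB_READABLE_TYPES
        buckets["relabel" if mislabelled else "policy"].append(d)
    return buckets


SAMPLE_AUDIT_LOG = [  # constructed lines, modelled on the page's failure
    'type=AVC msg=audit(1559975636.101:4101): avc:  denied  { read } for  pid=16568 comm="nginx" '
    'name="client-ocsp.pem" dev="dm-0" ino=2981 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1559975640.202:4102): avc:  denied  { name_connect } for  pid=16570 comm="nginx" '
    'dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 '
    'tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1559975641.303:4103): avc:  denied  { read } for  pid=999 comm="sshd" '
    'name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_AUDIT_LOG).items():
        for d in items:
            print(f"{bucket:8} {d['tclass']:10} {' '.join(d['perms']):14} "
                  f"{d['target'] or '-':20} {d['ttype']}")
```

Running it against the real /var/log/audit/audit.log (after a restart in permissive mode, as Answer 1 describes) shows at a glance which denials disappear with a relabel and which ones actually need a reviewed policy module.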

Answer 3

Personally I would just turn SELinux off. It causes a lot of trouble and is complicated to set up. I admire the SELinux developers, but at the moment this thing is just awful. :D
