I am running a Django application on RHEL 8 behind Gunicorn and nginx. When testing with SELinux disabled, everything works. When I enable SELinux, saving images from the website fails and I get a server error (500).
Looking at the SELinux log:
Audit reason:
type=AVC msg=audit(1692276970.763:137): avc: denied { add_name } for pid=1022 comm="gunicorn" name="29fda977-925d-490a-bf01-1d57bca5b02d.jpeg" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Context of the directory the photos are saved to, for example:
drwxr-xr-x. 2 user nginx system_u:object_r:httpd_sys_rw_content_t:s0 104 Dec 1 2021 photo
More logs in /var/log/messages:
Aug 17 14:56:17 webserver setroubleshoot[2249]: SELinux is preventing gunicorn from add_name access on the directory 29fda977-925d-490a-bf01-1d57bca5b02d.jpeg. For complete SELinux messages run: sealert -l 09af96cb-e073-4d2f-bcb5-8756e98df308
Aug 17 14:56:17 webserver setroubleshoot[2249]: SELinux is preventing gunicorn from add_name access on the directory 29fda977-925d-490a-bf01-1d57bca5b02d.jpeg.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that gunicorn should be allowed add_name access on the 29fda977-925d-490a-bf01-1d57bca5b02d.jpeg directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn#012# semodule -X 300 -i my-gunicorn.pp#012
I tried the steps above, but it still does not work. What is going wrong here, and how can I debug it?
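Added example, not part of the question above: a small Python parser for AVC records of the kind quoted in the question. It pulls out the source domain, target type, object class and denied permissions, explains the record in plain words (for add_name on a dir, the name= field is the directory entry being created, not a directory, which is why the setroubleshoot wording reads oddly), and aggregates several records into the allow rules that audit2allow would generate from them. Only the first sample record is from the question; the second is constructed for illustration and does not come from the poster's system.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Kernel/auditd AVC record as seen in /var/log/audit/audit.log or `ausearch --raw`.
# Spacing varies between kernels ("avc:  denied  { ... } for  pid="), so use ` +`.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc: +(?P<decision>denied|granted) +\{ (?P<perms>[^}]+)\} for +(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: line 1 is the record from the question, line 2 is a
# made-up follow-on denial of the kind that often appears after the first one is
# allowed (the next permission in the same operation). Not from the poster's logs.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1692276970.763:137): avc: denied { add_name } for pid=1022 '
    'comm="gunicorn" name="29fda977-925d-490a-bf01-1d57bca5b02d.jpeg" '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0',
    # constructed example record
    'type=AVC msg=audit(1692276999.001:138): avc: denied { create } for pid=1022 '
    'comm="gunicorn" name="example.jpeg" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0',
]


def parse_avc(line: str) -> dict:
    """Parse one AVC record into a dict of its fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: " + line)
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type (third field) is what policy rules use.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the denial was actually enforced, not merely logged.
    rec["enforcing"] = rec.get("permissive") == "0"
    return rec


def explain(rec: dict) -> str:
    """Describe a parsed record in plain words."""
    mode = "enforcing" if rec["enforcing"] else "permissive (logged only)"
    text = (
        f"{mode}: process {rec.get('comm')} (pid {rec.get('pid')}) in domain "
        f"{rec['source_type']} was denied {' '.join(sorted(rec['perms']))} on a "
        f"{rec['tclass']} labelled {rec['target_type']}"
    )
    # For add_name/remove_name on a dir, name= is the entry being added or removed.
    if "name" in rec:
        text += f"; entry name: {rec['name']}"
    return text


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str], str]:
    """Aggregate denials per (source type, target type, class) into TE allow rules,
    the same shape audit2allow emits. Useful for checking whether a module that was
    already loaded could even cover the denial being seen."""
    perms_by_key = defaultdict(set)
    for line in lines:
        if "type=AVC" not in line:
            continue
        rec = parse_avc(line)
        if rec["decision"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms_by_key[key] |= rec["perms"]
    return {
        (s, t, c): f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in perms_by_key.items()
    }


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        print(explain(parse_avc(line)))
    for rule in summarize(SAMPLE_AVC_LINES).values():
        print(rule)
```

When a generated module "does not work", feed the current output of `ausearch -m AVC -ts recent --raw` through this (or through audit2allow again) rather than the old lines: audit2allow only allows the permissions present in the records it was given, so the next denial is often a different permission (or a different class, as in the constructed second record) from the same operation. `semodule -l` shows whether the module is actually installed. The parsed source domain is also worth a look on its own: here it is init_t rather than an httpd-specific domain, which tells you which domain any rule or boolean has to be written for.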