nginx and SELinux

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 08:12

Preface:

[root@minimal ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@minimal ~]# nginx -v
nginx version: nginx/1.12.1

When setting up the nginx virtual host, the document root, PHP handling and file permissions had all been configured, but requests were still refused. First, check the nginx error log (www-data is the user and group nginx runs as).
Check the file and directory permissions:

[root@minimal ~]# ll /www/
drwxr-xr-x. 11 www-data www-data 275 Jul 18 18:30 lyadmin
[root@minimal ~]# ll -a / |grep ww
drwxr-xr-x.   3 www-data www-data   21 Jul 18 18:11 www

The Unix mode bits and ownership are fine for nginx. Note the trailing "." in the mode column: it means each entry carries an SELinux security context, which ls -dZ /www /www/lyadmin would display, and that context is checked independently of the mode bits.

Check which ports the server has opened:

[root@minimal ~]# firewall-cmd --list-ports
3306/tcp 9000/tcp 80/tcp 25/tcp

Check the nginx error log:

[root@minimal ~]# tailf /var/log/nginx/error.log
2017/07/19 10:01:05 [error] 1515#1515: *1 "/www/lyadmin/index.php" is forbidden (13: Permission denied), client: 192.168.1.102, server: lyadmin.com, request: "GET / HTTP/1.1", host: "lyadmin.com"

Errno 13 is EACCES. With the directories mode 755 and owned by the nginx user, the Unix permission check cannot be the one that fails, so something else is refusing the open().

So I suspected the "firewall". On a CentOS system two different things get called that: firewalld, which filters network traffic and is not the problem here (port 80 is open and the request clearly reached nginx), and SELinux, which is not a firewall at all but mandatory access control: it decides whether the nginx process may read a given file, regardless of the Unix mode bits. So what does each one do?

Check the SELinux status:
1. sestatus -v   ## if the "SELinux status" line says enabled, SELinux is on
SELinux status: enabled
2. getenforce    ## also works; prints the current mode (Enforcing, Permissive or Disabled)

Turning SELinux off:
1. Temporarily (no reboot needed):
## Switch SELinux to permissive mode. There are three modes, as /etc/selinux/config itself documents:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

First: enforcing, the SELinux policy is enforced;
Second: permissive, the policy stays loaded and denials are written to the audit log, but nothing is actually blocked. Switching to it with setenforce is in effect only until the next reboot, after which the SELINUX= setting in /etc/selinux/config applies again, so this is a temporary "off", not a persistent one;
Third: disabled, SELinux is switched off entirely.
Let's try the second mode, switching off temporarily, to see whether SELinux is the cause. The command:

setenforce 0

setenforce 1 switches SELinux back to enforcing mode.

2. Editing the config file, which requires a reboot:
Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled.
This requires a reboot! It turns SELinux off completely. Two caveats before doing that on a web server: nothing confines nginx any more, and files created while SELinux is disabled get no label, so re-enabling it later needs a full relabel (touch /.autorelabel and reboot). If setenforce 0 makes the 403 go away, that only confirms the cause; the proper fix is to give /www the right file context, not to stay in permissive or disabled mode.

List the SELinux booleans related to httpd:

[root@minimal ~]# getsebool -a |grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off

Everything that should be on is on, but that still does not fix nginx's access problem under /www. That is expected: these booleans only toggle optional rules (outbound network connections, CGI, home directories and so on); none of them lets the httpd_t domain, which nginx runs in under the targeted policy, read a file whose type is not an httpd content type, and a hand-made directory like /www typically carries such a type. The checks that show this are ls -dZ /www/lyadmin for the file context and ausearch -m AVC -ts recent for the actual denial; the fix is to label the web root with semanage fcontext and restorecon rather than to turn SELinux off. If anyone has a better approach, leave me a message!
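What the booleans cannot do, the file context can. The following POSIX shell script is an added example, not code from the original post: it reads an SELinux AVC denial record, checks whether the target file's type is one the httpd_t domain may read, and prints (or, with --apply, runs) the semanage/restorecon commands that label the web root as httpd_sys_content_t. Its assumptions are not from the post: nginx runs in httpd_t (verify with ps -eZ | grep nginx), the web root is /www (override with WEBROOT=), and SAMPLE_AVC is an audit record constructed for the example in the format of /var/log/audit/audit.log, not a record from the author's machine.

```shell
#!/bin/sh
# Added example (not code from the original post): turn an SELinux AVC denial
# against nginx into the labeling fix for a web root outside /var/www.
#
# Assumptions, all labelled: nginx runs in the httpd_t domain (targeted
# policy); the web root is /www unless WEBROOT is set; read-only content
# should be httpd_sys_content_t.  SAMPLE_AVC is a constructed audit record in
# the format of /var/log/audit/audit.log, not one taken from the post.

WEBROOT="${WEBROOT:-/www}"
WANT_TYPE="httpd_sys_content_t"

# File types the httpd_t domain is allowed to read in the targeted policy.
HTTPD_READABLE="httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t httpd_user_content_t httpd_user_rw_content_t"

# Constructed sample: what the post's "13: Permission denied" looks like in the audit log.
SAMPLE_AVC='type=AVC msg=audit(1500429665.123:456): avc:  denied  { read } for  pid=1515 comm="nginx" name="index.php" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Print the type field of a context string user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if a file context is one httpd_t may read.
httpd_can_read() {
    ctx_t=$(context_type "$1")
    for ok in $HTTPD_READABLE; do
        [ "$ctx_t" = "$ok" ] && return 0
    done
    return 1
}

# Print the value of one field (scontext, tcontext, comm, name, ...) from an
# AVC denial record; fail on non-denial records or a missing field.
avc_field() {
    case "$1" in
        *"avc:  denied"*) ;;
        *) return 1 ;;
    esac
    rest=${1#*"$2"=}                # text after "field="
    [ "$rest" = "$1" ] && return 1  # field not present
    val=${rest%% *}                 # up to the next blank
    val=${val#\"}; val=${val%\"}    # strip the quotes around comm="nginx"
    printf '%s\n' "$val"
}

# The persistent fix: a file-context rule for the tree, then relabel it on disk.
fix_commands() {
    dir=${1%/}
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$WANT_TYPE" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Explain one denial; succeed only for an httpd_t denial on a type httpd_t
# may not read (a denial on a readable type points at a boolean instead).
diagnose() {
    src=$(avc_field "$1" scontext) || return 1
    tgt=$(avc_field "$1" tcontext) || return 1
    [ "$(context_type "$src")" = "httpd_t" ] || return 1
    if httpd_can_read "$tgt"; then
        return 1
    fi
    echo "$(avc_field "$1" comm) in $(context_type "$src") may not read $(avc_field "$1" name) of type $(context_type "$tgt")"
    echo "Fix (no setenforce 0 needed):"
    fix_commands "$WEBROOT"
}

# Run the fix for real: needs root and semanage (policycoreutils-python on CentOS 7).
apply_fix() {
    dir=${1%/}
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 1; }
    # -a fails if a rule for this path exists already; then modify it instead.
    semanage fcontext -a -t "$WANT_TYPE" "$dir(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$WANT_TYPE" "$dir(/.*)?"
    restorecon -Rv "$dir" && ls -dZ "$dir"
}

case "${1:-}" in
    --audit) ausearch -m AVC -c nginx -ts recent 2>/dev/null \
                 | while IFS= read -r line; do diagnose "$line"; done ;;
    --apply) apply_fix "$WEBROOT" ;;
    *)       diagnose "$SAMPLE_AVC" ;;
esac
```

Run it with no arguments to see the diagnosis on the built-in sample, with --audit to feed it the real denials that ausearch -m AVC -c nginx -ts recent returns, and with --apply as root to label /www. After restorecon, ls -dZ /www/lyadmin should show httpd_sys_content_t and the 403 disappears with SELinux still enforcing. Directories that php-fpm must write to (uploads, caches) need httpd_sys_rw_content_t instead, which httpd_can_read also accepts. The booleans listed above, httpd_can_network_connect included, have no bearing on this file read.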

The official description of SELinux, from the selinux(8) man page:

selinux(8)                  SELinux Command Line documentation                  selinux(8)

NAME
       SELinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/research/selinux.

       The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode. The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select one of these options. The disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux protection. The permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by policy are permitted but audited. The enforcing option enables the SELinux code and causes it to enforce access denials as well as auditing them. Permissive mode may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an operation from proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is active on the system. SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any given time. At present, multiple kinds of SELinux policy exist: targeted, mls for example. The targeted policy is designed as a policy where most user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy. For example, the user would run in a completely unconfined domain while the named daemon or apache daemon would run in a specific domain tailored to its operation. The MLS (Multi-Level Security) policy is designed as a policy where all processes are partitioned into fine-grained security domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.

       You can define which policy you will run by setting the SELINUXTYPE environment variable within /etc/selinux/config. You must reboot and possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy configuration for each such policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directories.

       A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime policy booleans. system-config-selinux allows customization of these booleans and tunables.

       Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.

FILE LABELING
       All files, directories, devices ... have a security context/label associated with them. These contexts are stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.

       The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux also has this capability. The restorecon/fixfiles commands are also available for relabeling files.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

FILES
       /etc/selinux/config

SEE ALSO
       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8), fixfiles(8), restorecon(8), setfiles(8), semanage(8), sepolicy(8), seinfo(8), sesearch(8)

       Every confined service on the system has a man page in the following format:
       <servicename>_selinux(8)