nginx and SELinux
Source: Internet  Published under: python马踏棋盘算法  Editor: 程序博客网  Time: 2024/06/05 08:12
Preface:
[root@minimal ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@minimal ~]# nginx -v
nginx version: nginx/1.12.1
While setting up the nginx virtual host, the paths, PHP parsing and file permissions had all been configured, but access was still denied. Check the nginx error log (www-data is the user and group nginx runs as):
Check file and directory permissions:
[root@minimal ~]# ll /www/
drwxr-xr-x. 11 www-data www-data 275 7月 18 18:30 lyadmin
[root@minimal ~]# ll -a / |grep ww
drwxr-xr-x. 3 www-data www-data 21 7月 18 18:11 www
Check the ports opened on the server:
[root@minimal ~]# firewall-cmd --list-ports
3306/tcp 9000/tcp 80/tcp 25/tcp
Check the nginx error log:
[root@minimal ~]# tailf /var/log/nginx/error.log
2017/07/19 10:01:05 [error] 1515#1515: *1 "/www/lyadmin/index.php" is forbidden (13: Permission denied), client: 192.168.1.102, server: lyadmin.com, request: "GET / HTTP/1.1", host: "lyadmin.com"
Then I began to suspect the firewall. A Linux system has two firewalls: one is firewalld and the other is SELinux. What does each of them do?
Check the SELinux status:
1. sestatus -v    ## if the SELinux status field shows enabled, SELinux is on
SELinux status: enabled
2. getenforce    ## this command can also be used to check
Disabling SELinux:
1. Temporarily disable (no reboot needed):
## Set SELinux to permissive mode; there are three modes in total:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
Mode 1: enforcing, the SELinux policy is enforced;
Mode 2: permissive, enforcement of the SELinux policy is relaxed and only warnings are printed; this is equivalent to temporarily turning off the SELinux firewall, and the firewall is active again after the server reboots;
Mode 3: disabled, SELinux is turned off completely.
Here we try the second mode, disabling it temporarily, to see whether this is what caused the problem.
The commands are as follows:
setenforce 0
setenforce 1    ## set SELinux back to enforcing mode
2. Edit the configuration file (requires a reboot):
Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled
This operation requires a reboot! It disables SELinux completely.
Check the SELinux booleans related to http:
[root@minimal ~]# getsebool -a |grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
Everything that should be on is on, but this still did not solve nginx's cross-directory access problem. If anyone has a better method, please leave me a comment!
Official SELinux description:
selinux(8)          SELinux Command Line documentation          selinux(8)

NAME
       SELinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/research/selinux.

       The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode. The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select one of these options. The disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux protection. The permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by policy are permitted but audited. The enforcing option enables the SELinux code and causes it to enforce access denials as well as auditing them. Permissive mode may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an operation from proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is active on the system. SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any given time. At present, multiple kinds of SELinux policy exist: targeted, mls for example.

       The targeted policy is designed as a policy where most user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy. For example, the user would run in a completely unconfined domain while the named daemon or apache daemon would run in a specific domain tailored to its operation. The MLS (Multi-Level Security) policy is designed as a policy where all processes are partitioned into fine-grained security domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.

       You can define which policy you will run by setting the SELINUXTYPE environment variable within /etc/selinux/config. You must reboot and possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy configuration for each such policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directories.

       A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime policy booleans. system-config-selinux allows customization of these booleans and tunables. Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.

FILE LABELING
       All files, directories, devices ... have a security context/label associated with them. These contexts are stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling. The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux also has this capability. The restorecon/fixfiles commands are also available for relabeling files.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

FILES
       /etc/selinux/config

SEE ALSO
       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8), fixfiles(8), restorecon(8), setfiles(8), semanage(8), sepolicy(8), seinfo(8), sesearch(8)

       Every confined service on the system has a man page in the following format: <servicename>_selinux(8)
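The boolean check above and the FILE LABELING section of the man page point at the check the post never runs: whether the web root itself carries a type that the httpd_t domain is allowed to read. The following script is an added example, not code from the original post; it assumes the targeted policy, the post's web root /www, and that nginx runs in the httpd_t domain (as the CentOS nginx package does), and it prints the relabel commands rather than disabling SELinux.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the nginx web root
# (/www in the post) carries a label that the targeted policy lets httpd_t read,
# and print the relabel commands instead of running setenforce 0.
# Assumptions: targeted policy; nginx runs in the httpd_t domain.

WEBROOT="/www"
EXPECTED_TYPE="httpd_sys_content_t"   # read-only web content type

# Type field (3rd colon-separated field) of a context such as
# "unconfined_u:object_r:default_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the type is one httpd_t may serve as web content.
label_ok() {
    case "$(context_type "$1")" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_script_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Remediation: record a persistent fcontext rule, then apply it with restorecon,
# so the label survives a later relabel (restorecon, fixfiles or /.autorelabel).
fix_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$EXPECTED_TYPE" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Live diagnosis; only does anything on a host that actually has SELinux tools.
diagnose() {
    command -v getenforce >/dev/null 2>&1 || { echo "no SELinux tools found"; return 0; }
    echo "SELinux mode: $(getenforce)"
    ctx=$(stat -c '%C' "$WEBROOT" 2>/dev/null || echo "")
    [ -n "$ctx" ] || { echo "$WEBROOT not found"; return 0; }
    echo "$WEBROOT context: $ctx"
    if label_ok "$ctx"; then
        echo "label is fine; check the audit log instead: ausearch -m AVC -ts recent | audit2why"
    else
        echo "mislabeled: expected $EXPECTED_TYPE, got $(context_type "$ctx")"
        fix_commands "$WEBROOT"
    fi
}

diagnose
```

A directory created by hand outside /var/www typically inherits default_t, which httpd_t cannot read even when the Unix mode bits are 755, which matches the "13: Permission denied" in the error log.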