启用SELinux后proxy_pass不起作用,为什么? [英] proxy_pass isn't working when SELinux is enabled, why?
问题描述
我有一个应用程序在端口8081上侦听,而Nginx在端口8080上运行.代理pass语句如下所示:
I'm having an application listening on port 8081 and Nginx running on port 8080. The proxy pass statement looks like:
$ cat /var/etc/opt/lj/output/services/abc.servicemanager.conf
location /api/abc.servicemanager/1.0 { proxy_pass http://localhost:8081;}
在nginx.conf
中,我将此文件包括为:
In nginx.conf
, I include this file as:
include /etc/nginx/conf.d/services/*.conf;
/etc/nginx/conf.d/service
是符号链接:
# ll /etc/nginx/conf.d/
lrwxrwxrwx. 1 root root 39 Dec 10 00:19 services -> ../../../var/etc/opt/lj/output/services
这是一个启用CentOS 7.0 SELinux的系统.如果我setenforce 0
并将其设置为允许",则看不到任何问题.因此,该文件位于正确的位置,并且路径没有问题.如果SELinux正在执行,我会在审核日志中看到以下内容:
This is a CentOS 7.0 SELinux Enabled system. If I setenforce 0
, and make it Permissive, I don't see any issues. So the file is in right place and no issues with paths. If SELinux is enforcing, I see the following in audit log:
type=AVC msg=audit(1418348761.372:100930): avc: denied { getattr } for pid=3936 comm="nginx" path="/var/etc/opt/lj/output/services/abc.servicemanager.conf" dev="xvda1" ino=11063393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
我想知道如何启用Nginx来查找conf文件,而不必禁用SELinux.
I want to know how to enable Nginx to find the conf file without having to disable SELinux.
推荐答案
阅读有关audit2allow的信息,并使用其创建允许访问Nginx拒绝请求的策略.
Read about audit2allow and used it to create a policy to allow access to the denied requests for Nginx.
第1步涉及运行针对nginxlocalconf的audit2allow
:
Step 1 involves running audit2allow
targeting nginxlocalconf:
$ sudo grep nginx /var/log/audit/audit.log | \
grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
第2步,查看结果:
$ cat nginxlocalconf.te
module nginxlocalconf 1.0;
require {
type httpd_t;
type var_t;
type transproxy_port_t;
class tcp_socket name_connect;
class file { read getattr open };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t transproxy_port_t:tcp_socket name_connect;
allow httpd_t var_t:file { read getattr open };
查看激活步骤:
$ sudo grep nginx /var/log/audit/audit.log | grep denied | \
audit2allow -M nginxlocalconf
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i nginxlocalconf.pp
第3步,处于活动状态:
Step 3, active:
$ sudo semodule -i nginxlocalconf.pp
这篇关于启用SELinux后proxy_pass不起作用,为什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!