启用S​​ELinux后proxy_pass不起作用，为什么? [英] proxy_pass isn't working when SELinux is enabled, why?

问题描述

我有一个应用程序在端口8081上侦听，而Nginx在端口8080上运行.代理pass语句如下所示:

I'm having an application listening on port 8081 and Nginx running on port 8080. The proxy pass statement looks like:

$ cat /var/etc/opt/lj/output/services/abc.servicemanager.conf

location /api/abc.servicemanager/1.0 { proxy_pass     http://localhost:8081;}

在nginx.conf中，我将此文件包括为:

In nginx.conf, I include this file as:

include /etc/nginx/conf.d/services/*.conf;

/etc/nginx/conf.d/service是符号链接:

# ll /etc/nginx/conf.d/

lrwxrwxrwx. 1 root root   39 Dec 10 00:19 services -> ../../../var/etc/opt/lj/output/services

这是一个启用CentOS 7.0 SELinux的系统.如果我setenforce 0并将其设置为允许"，则看不到任何问题.因此，该文件位于正确的位置，并且路径没有问题.如果SELinux正在执行，我会在审核日志中看到以下内容:

This is a CentOS 7.0 SELinux Enabled system. If I setenforce 0, and make it Permissive, I don't see any issues. So the file is in right place and no issues with paths. If SELinux is enforcing, I see the following in audit log:

type=AVC msg=audit(1418348761.372:100930): avc:  denied  { getattr } for  pid=3936 comm="nginx" path="/var/etc/opt/lj/output/services/abc.servicemanager.conf" dev="xvda1" ino=11063393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

我想知道如何启用Nginx来查找conf文件，而不必禁用SELinux.

I want to know how to enable Nginx to find the conf file without having to disable SELinux.

推荐答案

阅读有关audit2allow的信息，并使用其创建允许访问Nginx拒绝请求的策略.

Read about audit2allow and used it to create a policy to allow access to the denied requests for Nginx.

第1步涉及运行针对nginxlocalconf的audit2allow:

Step 1 involves running audit2allow targeting nginxlocalconf:

$ sudo grep nginx /var/log/audit/audit.log | \
     grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te

第2步，查看结果:

$ cat nginxlocalconf.te 

module nginxlocalconf 1.0;

require {
    type httpd_t;
    type var_t;
    type transproxy_port_t;
    class tcp_socket name_connect;
    class file { read getattr open };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t transproxy_port_t:tcp_socket name_connect;
allow httpd_t var_t:file { read getattr open };

查看激活步骤:

$ sudo grep nginx /var/log/audit/audit.log | grep denied | \
   audit2allow -M nginxlocalconf
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nginxlocalconf.pp

第3步，处于活动状态:

Step 3, active:

$ sudo semodule -i nginxlocalconf.pp

这篇关于启用S​​ELinux后proxy_pass不起作用，为什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！