1. Add the official repository and install with rpm. Not many features are needed, so no source build.
- vi /etc/yum.repos.d/nginx.repo
- [nginx]
- name=nginx repo
- baseurl=
- gpgcheck=0
- enabled=1
- Or install the rpm directly:
- rpm -Uvh
2. Install: yum install nginx (the package already creates a nologin-style nginx account)
3. Edit the service file
- vi /usr/lib/systemd/system/nginx.service
- [Service]
- User=nginx //run the process as nginx
- LimitNOFILE=12000
- PIDFile=/var/log/nginx/nginx.pid //moved into the same directory as the logs (easier to cover with an SELinux policy when running as a non-root user later), or delete it and let nginx.conf specify it
- #user nginx; //the user directive in nginx.conf, commented out
- chown nginx:root /var/log/nginx //fix ownership
- open() "/var/log/nginx/nginx.pid" failed (13: Permission denied)
- Check the audit log and adjust SELinux:
- grep nginx /var/log/audit/audit.log | audit2allow -M nginx-pid //if the command is missing, install it: yum install policycoreutils-python
- cat nginx-pid.te
- allow httpd_t httpd_log_t:file write; //the httpd_log_t type needs write permission
- semodule -i nginx-pid.pp //load the module
- vi nginx-rwx.te
- ------------------------------------------------------------- contents of the .te file
- #module name: nginx-rwx-httpd_log_t
- module nginx-rwx-httpd_log_t 1.0;
- require {
- type httpd_log_t;
- type httpd_t;
- class dir { read remove_name setattr };
- class file { rename write unlink };
- }
- #============= httpd_t ==============
- #!!!! This avc is allowed in the current policy
- allow httpd_t httpd_log_t:dir { read remove_name setattr };
- allow httpd_t httpd_log_t:file { write unlink rename};
- --------------------------------------------------------------
- checkmodule -M -m -o nginx-rwx.mod nginx-rwx.te //-M enables MLS compatibility, -m builds a loadable (non-base) module; reads the .te file and writes the .mod file
- semodule_package -o nginx-rwx.pp -m nginx-rwx.mod //package the .mod into a .pp
- semodule -i nginx-rwx.pp //load the module
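The steps above (grep the AVC denials, let audit2allow turn them into allow rules, then checkmodule / semodule_package / semodule) can be hard to follow when the tool is a black box. The script below is an added example, not code from the original note: it re-implements the rule-generation part of `audit2allow -M` in awk on a set of constructed AVC lines (shaped like the pid-file, unlink, rename, remove_name and bind denials the note runs into, not copied from a real audit.log), emits a complete .te module, and wraps the same three-command build pipeline in a function. The module name and the `build_and_load` helper are assumptions; the same parsing applies to the ausearch pipelines in the appendix.

```shell
#!/bin/sh
# Added example, not from the original note: a minimal re-implementation of what
# "audit2allow -M" does with AVC denials, followed by the same checkmodule /
# semodule_package / semodule pipeline the note uses. The SAMPLE_AVC lines are
# constructed, not taken from a real audit.log.
LC_ALL=C; export LC_ALL

SAMPLE_AVC='type=AVC msg=audit(1459850000.001:101): avc:  denied  { write } for  pid=1234 comm="nginx" name="nginx.pid" dev="dm-0" ino=111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1459850000.002:102): avc:  denied  { unlink } for  pid=1234 comm="nginx" name="0000000004" dev="dm-0" ino=222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1459850000.003:103): avc:  denied  { rename } for  pid=1234 comm="nginx" name="0000000004" dev="dm-0" ino=222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1459850000.004:104): avc:  denied  { remove_name } for  pid=1234 comm="nginx" name="proxy_temp" dev="dm-0" ino=333 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1459850000.005:105): avc:  denied  { write } for  pid=1234 comm="nginx" name="nginx.pid" dev="dm-0" ino=111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1459850000.006:106): avc:  denied  { name_bind } for  pid=1234 comm="nginx" src=28901 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Stage 1: one "source_type target_type class permission" tuple per denied
# permission, duplicates removed (the pid-file write denial above appears twice).
avc_tuples() {
    awk '
    /avc: *denied/ {
        s = index($0, "{"); e = index($0, "}")
        n = split(substr($0, s + 1, e - s - 1), perms, " ")
        st = ""; tt = ""; cl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
            else if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
        }
        for (j = 1; j <= n; j++) print st, tt, cl, perms[j]
    }' | sort -u
}

# Stage 2: fold the sorted tuples into one allow rule per (source, target, class).
tuples_to_rules() {
    awk '
    { key = $1 " " $2 ":" $3
      if (key != prev) { if (prev != "") print "allow " prev " {" acc " };"; prev = key; acc = "" }
      acc = acc " " $4 }
    END { if (prev != "") print "allow " prev " {" acc " };" }'
}

# Class lines for the require block, e.g. "class file { rename unlink write };"
tuples_to_classes() {
    awk '{ print $3, $4 }' | sort -u | awk '
    { if ($1 != prev) { if (prev != "") print "\tclass " prev " {" acc " };"; prev = $1; acc = "" }
      acc = acc " " $2 }
    END { if (prev != "") print "\tclass " prev " {" acc " };" }'
}

# Emit a complete .te module (header, require block, rules) for AVC lines on stdin.
avc_to_te() {
    tuples=$(avc_tuples)
    [ -n "$tuples" ] || { echo "no AVC denials on input" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$tuples" | awk '{ print $1; print $2 }' | sort -u | awk '{ print "\ttype " $0 ";" }'
    printf '%s\n' "$tuples" | tuples_to_classes
    printf '}\n\n#============= %s ==============\n' "$(printf '%s\n' "$tuples" | awk 'NR == 1 { print $1 }')"
    printf '%s\n' "$tuples" | tuples_to_rules
}

# Compile and load a .te file exactly as the note does (needs checkpolicy and
# policycoreutils installed, plus root; not run in the demo below).
build_and_load() {
    base=${1%.te}
    checkmodule -M -m -o "$base.mod" "$1" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Demo: print the module that would be generated for the constructed denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te nginx-rwx
```

Run it as `sh avc_to_te.sh > nginx-rwx.te` and then `build_and_load nginx-rwx.te` on the target host. Read the generated rules before loading them: the `name_bind` rule for the bind() to 0.0.0.0:28901 denial is what a blind audit2allow run produces, but it lets httpd_t bind to every unreserved port; the narrower fix for one non-standard listen port is to label that port as http_port_t (`semanage port -a -t http_port_t -p tcp 28901`) and add no rule at all.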
- bind() to 0.0.0.0:28901 failed (13: Permission denied)
7. Restart the nginx service again; it now runs normally.
Accessing the reverse proxy produces a directory permission error:
- mkdir() "/usr/share/nginx/proxy_cache" failed (13: Permission denied)
- cd /usr/share/nginx && mkdir proxy_temp proxy_cache
- chown nginx:root proxy_* && chmod 770 proxy*
- chcon -u system_u proxy_*
- open() "/usr/share/nginx/proxy_temp/0000000003" failed (13: Permission denied)
- ls -Z /usr/share/nginx/ //check the directory contexts
  drwxr-xr-x. root root system_u:object_r:usr_t:s0 html
  drwxrwx---. nginx root unconfined_u:object_r:usr_t:s0 proxy_cache
  drwxrwx---. nginx root unconfined_u:object_r:usr_t:s0 proxy_temp
- chcon system_u:object_r:httpd_log_t:s0 proxy_* //set the full context
- ls -Z /usr/share/nginx/ //check again (I only use it as a reverse proxy; the html web root is unused, so I left its permissions alone)
  drwxr-xr-x. root root system_u:object_r:usr_t:s0 html
  drwxrwx---. nginx root system_u:object_r:httpd_log_t:s0 proxy_cache
  drwxrwx---. nginx root system_u:object_r:httpd_log_t:s0 proxy_temp
- unlink() "/usr/share/nginx/proxy_temp/0000000004"
- rename() "/usr/share/nginx/proxy_temp/0000000004"
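Two things are easy to get wrong in the relabelling above: `chcon -u system_u` only changes the SELinux user, so the type stays usr_t and the denials continue, and a bare chcon is undone by the next restorecon or filesystem relabel. The script below is an added example, not code from the original note: it checks `ls -Z` output for entries whose user or type is not the wanted one, and shows the persistent way to apply the label (an fcontext rule plus restorecon). The sample lines are constructed from the output shown in the note; the `relabel_proxy_dirs` helper and the path regex are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note: verify the SELinux context of the
# proxy directories and make the relabel persistent. The sample ls -Z lines are
# constructed in the layout the note shows; the wanted user/type are the ones
# the note settled on.
WANT_USER=system_u
WANT_TYPE=httpd_log_t

# Read `ls -Z` lines on stdin; print "name context" for entries whose SELinux
# user or type is not the wanted one. Prints nothing when everything matches.
# Handles both the 5-column layout in the note and the 2-column layout of newer ls.
wrong_contexts() {
    awk -v u="$WANT_USER" -v t="$WANT_TYPE" '
    {
        ctx = ""
        for (i = 1; i < NF; i++) if ($i ~ /^[A-Za-z_]+:[A-Za-z_]+:[A-Za-z_]+:/) { ctx = $i; break }
        if (ctx == "") next
        split(ctx, c, ":")
        if (c[1] != u || c[3] != t) print $NF, ctx
    }'
}

# Persistent fix: record an fcontext rule in the policy and apply it, so a later
# restorecon or relabel keeps the type instead of reverting it. Needs root and
# policycoreutils-python; use "semanage fcontext -m" if the rule already exists.
# Not run in the demo below.
relabel_proxy_dirs() {
    semanage fcontext -a -t "$WANT_TYPE" '/usr/share/nginx/proxy_(cache|temp)(/.*)?' &&
    restorecon -Rv /usr/share/nginx/proxy_cache /usr/share/nginx/proxy_temp
}

# Constructed samples: the state the note shows before and after the full chcon.
SAMPLE_BEFORE='drwxrwx---. nginx root unconfined_u:object_r:usr_t:s0 proxy_cache
drwxrwx---. nginx root unconfined_u:object_r:usr_t:s0 proxy_temp'

SAMPLE_AFTER='drwxrwx---. nginx root system_u:object_r:httpd_log_t:s0 proxy_cache
drwxrwx---. nginx root system_u:object_r:httpd_log_t:s0 proxy_temp'

echo "before relabel (entries that still need fixing):"
printf '%s\n' "$SAMPLE_BEFORE" | wrong_contexts
echo "after relabel (nothing listed means all good):"
printf '%s\n' "$SAMPLE_AFTER" | wrong_contexts
```

On the real host replace the constructed samples with `ls -Z /usr/share/nginx/proxy_* | wrong_contexts`; an empty result means both directories carry system_u and httpd_log_t, which is what the existing httpd_t rules key on.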
- setrlimit(RLIMIT_NOFILE, 12000) failed (1: Operation not permitted)
Check whether nginx's maximum open-files limit took effect:
- cat /proc/$(cat /var/log/nginx/nginx.pid)/limits|grep open.files
- \ps --ppid $(cat /var/log/nginx/nginx.pid) -o %p|sed '1d'|xargs -I {} cat /proc/{}/limits|grep open.files
Also, for the setrlimit error above: setsebool -P httpd_setrlimit 1
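The two one-liners above are what you type by hand; the script below is an added example, not code from the original note, that turns the same check into something you can run after every restart: it reads the soft and hard "Max open files" values from a /proc/PID/limits file, walks the nginx master and every worker whose parent it is, and reports any process still below the value set with LimitNOFILE. The PID file path comes from the unit file above; the `nofile_*` function names, the 12000 default and the sample limits content (shaped like /proc/PID/limits, showing the inherited 1024/4096 you get when setrlimit was denied) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note: verify that LimitNOFILE / setrlimit
# actually took effect on the nginx master and its workers. The PID file path is
# the one from the unit file; the sample limits content below is constructed.

# Print "soft hard" for "Max open files" from a file in /proc/<pid>/limits layout.
# Prints "0 0" and fails when the file cannot be read or has no such line.
nofile_limits() {
    [ -r "$1" ] || { echo "0 0"; return 1; }
    awk '/^Max open files/ { print $4, $5; found = 1 } END { if (!found) print "0 0" }' "$1"
}

# Succeed when the soft limit in the given limits file is at least WANT.
# Usage: nofile_at_least /proc/1234/limits 12000
nofile_at_least() {
    set -- $(nofile_limits "$1") "$2"
    [ "$1" -ge "$3" ]
}

# Walk the nginx master and every worker it spawned (ps --ppid is GNU procps,
# the same as in the note). Returns 1 if any process is below WANT, 2 if the
# PID file is unreadable.
check_nginx_nofile() {
    pidfile=${1:-/var/log/nginx/nginx.pid}; want=${2:-12000}; rc=0
    master=$(cat "$pidfile") || return 2
    for p in "$master" $(ps --ppid "$master" -o pid=); do
        if nofile_at_least "/proc/$p/limits" "$want"; then
            echo "pid $p ok: $(nofile_limits "/proc/$p/limits")"
        else
            echo "pid $p BELOW $want: $(nofile_limits "/proc/$p/limits")"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/<pid>/limits layout: the inherited defaults you are
# left with when the setrlimit() call was denied.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             4096                 4096                 processes'

sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_LIMITS" > "$sample_file"
if nofile_at_least "$sample_file" 12000; then
    echo "sample: limit took effect ($(nofile_limits "$sample_file"))"
else
    echo "sample: limit NOT applied ($(nofile_limits "$sample_file")); check httpd_setrlimit and LimitNOFILE"
fi
rm -f "$sample_file"
```

On the host, `check_nginx_nofile` with no arguments reads /var/log/nginx/nginx.pid and checks against 12000; a worker reported BELOW after the master is fine usually means the worker was forked before the boolean or the unit change took effect and a restart is needed.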
8. ulimit settings (check the current values with ulimit -a):
- vi /etc/security/limits.conf
- * soft nofile 20000
- * hard nofile 20000
- * soft nproc 20000
- * hard nproc 20000
- vi /etc/pam.d/login
- session required /usr/lib64/security/pam_limits.so
Appendix:
- audit2allow -i /var/log/audit/audit.log //read and analyse the file
- audit2allow -d //with -d, take the input from dmesg
- audit2allow -w -a //read audit.log automatically and explain each denial
- ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -w //only within the time range
- ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a -M test_rule //within the range, and generate a module
- ausearch -m AVC | grep -E 'rename|module_request' | audit2allow -a //match several patterns, duplicates removed
- audit2why
- sesearch -A|grep "allow httpd_t httpd_log_t" //check the rules in the loaded policy