背景

最近倒腾服务器的时候，选择了CentOS7操作系统，在安装配置Nginx的时候遇到了Permission Denied问题。按照chown和chmod进行配置无果，后来定位到SELinux问题。

SELinux是什么？

When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.

Nginx安装

按照如下配置，是可以正常启动nginx，并且访问到nginx的欢迎页面。

# 添加nginx源
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# 安装
sudo yum install -y nginx
# 启动
systemctl start nginx.service

自定义配置

配置文件地址：

/etc/nginx/nginx.conf

自定义配置文件通常放到conf.d目录下：

$nginx_conf/conf.d/default.conf

添加自定义项目配置

server {
 listen 8081;
 server_name localhost;
 access_log /var/log/nginx/access.log main;
 location / {
 root /home/custom/web; # 自定义路径
 index index.html index.htm;
 }
}

此时再启动nginx程序，发现无法正常启动。

systemctl start nginx

于是，使用nginx命令启动，启动正常，但是访问页面出现403权限问题。

nginx # nginx命令启动

403权限问题日志，可以查看到日志信息。

2018/09/18 23:41:37 [error] 1266#1266: *1 "/home/custom/web/index.html" is forbidden (13: Permission denied), client: xxx.xxx.xxx.xxx, server: localhost, request: "GET / HTTP/1.1", xxx.xxx.xxx.xxx:8081"

通过网上查找资料，大家解决方法是使用root用户启动。需要修改nginx.conf文件。

# /etc/nginx/nginx.conf
#user nginx;
user root;
worker_processes 1;
http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
	......
}

SELinux下如何配置

这样用root用户启动程序，在生产环境下是强烈不建议的，存在很大的安全问题。所以需要继续研究SELinux开启下，如何进行配置。

在默认仓库下，nginx能够正常启动。查看文件路径信息，

ll -Zd /usr/share/nginx/html/
# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/

其中，system_u:object_r:httpd_sys_content_t:s0 是当前路径的安全上下文配置。 通过chcon命令，设置新的目录地址配置

chcon -Ru system_u /home/custom/web
chcon -Rt httpd_sys_content_t /home/custom/web

此时，将user设置回nginx，并且关闭SELinux下，是能够正常访问的。

setenforce 0
systemctl start nginx

但是，当开启SELinux的时候，启动，出现如下错误日志：

[root@localhost mgzy]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@localhost mgzy]# systemctl status nginx.service
● nginx.service - nginx - high performance web server
 Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
 Active: failed (Result: exit-code) since 三 2018-09-19 03:07:23 CST; 7s ago
 Docs: http://nginx.org/en/docs/
 Process: 12298 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
9月 19 03:07:23 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
9月 19 03:07:23 localhost.localdomain nginx[12298]: nginx: [emerg] open() "/etc/nginx/none" failed (13: Permission denied)
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
9月 19 03:07:23 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
9月 19 03:07:23 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service failed.

日志中，看到/etc/nginx/none文件，有点懵逼，但是Permission denied说明还是权限问题。此时通过nginx启动后，能够生成一个none文件。此时，需要执行如下命令：

# make the process type httpd_t permissive
semanage permissive -a httpd_t

至此，在SELinux下，配置nginx能够正常工作。

其他说明

通过如下命令能够查看到nginx依赖的安全信息。

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx
module nginx 1.0;
require {
	type httpd_t;
	type unreserved_port_t;
	type httpd_config_t;
	class tcp_socket name_bind;
	class file { append create };
	class dir { add_name write };
}
#============= httpd_t ==============
allow httpd_t httpd_config_t:dir { add_name write };
allow httpd_t httpd_config_t:file { append create };