SELinux denials

The approach is as follows

1. First determine whether SELinux is what stops the application from working: turn SELinux off and check whether the application then behaves normally. Is it affected, yes or no?
2. Not affected: turn SELinux back on at the end and check whether something else is misconfigured.
3. Affected: adjust the SELinux policy.
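The decision in the flowchart, written as a shell function, is added here as an example; it is not code from the original post. It runs the application check once with SELinux Enforcing and once Permissive, prints a verdict, and restores whatever mode the host was in before, even if the check is interrupted. It assumes `getenforce` and `setenforce` are on PATH and that the script runs as root; the check command is anything that exits 0 when the application works (for the post's host, something like `curl -fsS http://localhost/time.html`).

```shell
#!/bin/sh
# Added example (not from the original post): the "is SELinux the cause?" test
# as a function that always puts the original enforcement mode back.
# Assumes getenforce/setenforce on PATH and root privileges.

# selinux_isolate CMD [ARGS...]
#   CMD must exit 0 when the application works.
#   Prints one verdict line and returns:
#     0 -> SELinux is the cause (works only in Permissive)
#     1 -> SELinux is not the cause
#     2 -> error (SELinux disabled, getenforce/setenforce failed)
selinux_isolate() (
    orig=$(getenforce) || exit 2
    if [ "$orig" = Disabled ]; then
        echo "error: SELinux is disabled, nothing to test"
        exit 2
    fi
    # Whatever happens below, leave the host in the mode we found it in.
    trap 'setenforce "$orig" >/dev/null 2>&1' EXIT
    trap 'exit 130' INT TERM   # turn a signal into an exit so the EXIT trap runs

    setenforce Enforcing || exit 2
    "$@" >/dev/null 2>&1 && enf_ok=1 || enf_ok=0

    setenforce Permissive || exit 2
    "$@" >/dev/null 2>&1 && perm_ok=1 || perm_ok=0

    if [ "$enf_ok" = 1 ]; then
        echo "not-selinux: application works while Enforcing"
        exit 1
    elif [ "$perm_ok" = 1 ]; then
        echo "selinux: application works only in Permissive, check AVC denials and file labels"
        exit 0
    else
        echo "not-selinux: application fails even in Permissive, check other configuration"
        exit 1
    fi
)

# Usage on a real host (hypothetical check command):
#   sh selinux_isolate.sh curl -fsS http://localhost/time.html
if [ $# -gt 0 ]; then
    selinux_isolate "$@"
fi
```

Because denials are still logged in Permissive mode (note `permissive=1` in the AVC record further down), running the check in Permissive does not hide the evidence; it only stops the kernel from blocking the access, which is exactly what makes the comparison meaningful.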

Hands-on demonstration

[root@sinfotek html]# getenforce 
Permissive
[root@sinfotek html]# setenforce 1
[root@sinfotek html]# getenforce 
Enforcing
[root@sinfotek html]# tail -f /var/log/messages
Oct 19 16:34:55 sinfotek setroubleshoot: SELinux is preventing /usr/sbin/nginx from read access on the file time.html. For complete SELinux messages run: sealert -l 8947f5f0-c55d-4741-bcdb-5defd11ca48a
Oct 19 16:34:55 sinfotek python: SELinux is preventing /usr/sbin/nginx from read access on the file time.html.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that nginx should be allowed read access on the time.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'nginx' --raw | audit2allow -M my-nginx#012# semodule -i my-nginx.pp#012
Oct 19 16:34:55 sinfotek setroubleshoot: failed to retrieve rpm info for /usr/share/nginx/html/time.html
Oct 19 16:34:55 sinfotek setroubleshoot: SELinux is preventing /usr/sbin/nginx from getattr access on the file /usr/share/nginx/html/time.html. For complete SELinux messages run: sealert -l 1b3ee1ef-ce2b-42e4-b09d-86e2823fe78b
Oct 19 16:34:55 sinfotek python: SELinux is preventing /usr/sbin/nginx from getattr access on the file /usr/share/nginx/html/time.html.#012#012*****  Plugin restorecon (99.5 confidence) suggests   ************************#012#012If you want to fix the label. #012/usr/share/nginx/html/time.html default label should be httpd_sys_content_t.#012Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.#012Do#012# /sbin/restorecon -v /usr/share/nginx/html/time.html#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that nginx should be allowed getattr access on the time.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'nginx' --raw | audit2allow -M my-nginx#012# semodule -i my-nginx.pp#012
## Check the SELinux log and correct the file's label as the log suggests.
[root@sinfotek html]# sealert -l 1b3ee1ef-ce2b-42e4-b09d-86e2823fe78b
SELinux is preventing /usr/sbin/nginx from getattr access on the 文件 /usr/share/nginx/html/time.html.

*****  插件 restorecon (99.5 置信度) 建议  ******************************************

如果要修复标签。/usr/share/nginx/html/time.html默认标签应该是 httpd_sys_content_t。
Then 你可以运行restorecon。由于访问父目录的权限不足,可能已停止访问尝试,在这种情况下尝试相应地更改以下命令。
Do
# /sbin/restorecon -v /usr/share/nginx/html/time.html

*****  插件 catchall (1.49 置信度) 建议  ********************************************

如果你相信 nginx应该允许_BASE_PATH getattr 访问 time.html file默认情况下。
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
暂时允许此访问权限执行:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


更多信息:
源环境 (Context)                 system_u:system_r:httpd_t:s0
目标环境                          unconfined_u:object_r:admin_home_t:s0
目标对象                          /usr/share/nginx/html/time.html [ file ]
源                             nginx
源路径                           /usr/sbin/nginx
端口                            <Unknown>
主机                            sinfotek
源 RPM 软件包                     nginx-1.22.0-1.el7.ngx.x86_64
目标 RPM 软件包                    
策略 RPM                        selinux-policy-3.13.1-252.el7.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Permissive
主机名                           sinfotek
平台                            Linux sinfotek 3.10.0-1062.el7.x86_64 #1 SMP Wed
                              Aug 7 18:08:02 UTC 2019 x86_64 x86_64
警报计数                          1
第一个                           2022-10-19 16:34:53 CST
最后一个                          2022-10-19 16:34:53 CST
本地 ID                         1b3ee1ef-ce2b-42e4-b09d-86e2823fe78b

原始核查信息
type=AVC msg=audit(1666168493.690:13591): avc:  denied  { getattr } for  pid=28854 comm="nginx" path="/usr/share/nginx/html/time.html" dev="dm-0" ino=36575606 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1666168493.690:13591): arch=x86_64 syscall=fstat success=yes exit=0 a0=d a1=7fff2b5d4080 a2=7fff2b5d4080 a3=5593fe6d7708 items=0 ppid=28847 pid=28854 auid=4294967295 uid=987 gid=981 euid=987 suid=987 fsuid=987 egid=981 sgid=981 fsgid=981 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,admin_home_t,file,getattr

[root@sinfotek html]# /sbin/restorecon -v /usr/share/nginx/html/time.html
/sbin/restorecon reset /usr/share/nginx/html/time.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
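The two suggestions in the log above (restorecon at 99.5 confidence, audit2allow at 1.49) point in very different directions: relabelling fixes the file, whereas `audit2allow -M my-nginx` would permanently allow `httpd_t` to read `admin_home_t`, which is precisely the label a file carries after being moved out of /root. The following script, added here as an example and not part of the original post, reads raw AVC records (as produced by `ausearch --raw`) and separates the two cases: a file, directory or symlink whose target type is one that content normally never carries (a hypothetical list: `admin_home_t`, `user_home_t`, `home_root_t`, `default_t`, `unlabeled_t`, `tmp_t`) is reported as a mislabel with the matching `restorecon` command; anything else is flagged for policy review. It also derives the `comm,source type,target type,class,permission` key that sealert prints as "Hash:", so repeated denials can be counted by key. The first sample record is the post's own audit line; the second (a `name_bind` denial on an unreserved port) is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): triage raw AVC records into
# "mislabel -> restorecon" versus "policy -> review", keyed like sealert's Hash.
# Assumes POSIX sh and awk; input is ausearch --raw / audit.log style text.

# Types that regular service content should never carry (hypothetical list).
MISLABEL_TYPES=" admin_home_t user_home_t home_root_t default_t unlabeled_t tmp_t "

# avc_triage: reads audit records on stdin, prints one line per AVC denial:
#   <comm,stype,ttype,tclass,perm> <path or -> <verdict -> suggested action>
avc_triage() {
    awk -v mislabel="$MISLABEL_TYPES" '
    /avc: +denied/ {
        # permission set sits between "{" and "}"; join multiple perms with "+"
        perm = $0
        sub(/.*\{ */, "", perm); sub(/ *\}.*/, "", perm)
        gsub(/ /, "+", perm)

        comm = stype = ttype = tclass = path = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "path") path = v
            else if (k == "name" && path == "") path = v   # some records only carry name=
            else if (k == "tclass") tclass = v
            else if (k == "scontext") { split(v, c, ":"); stype = c[3] }   # user:role:type:level
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
        }
        sig = comm "," stype "," ttype "," tclass "," perm
        if (path == "") path = "-"
        if (index(mislabel, " " ttype " ") && (tclass == "file" || tclass == "dir" || tclass == "lnk_file"))
            verdict = "mislabel -> restorecon -v " path
        else
            verdict = "policy -> review with sealert; a bare audit2allow would hard-code this access"
        print sig, path, verdict
    }'
}

# sample_avc: the denial from the post plus a constructed port-bind denial and
# a SYSCALL record that must be ignored.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1666168493.690:13591): avc:  denied  { getattr } for  pid=28854 comm="nginx" path="/usr/share/nginx/html/time.html" dev="dm-0" ino=36575606 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1666168493.690:13591): arch=x86_64 syscall=fstat success=yes exit=0 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1666170000.123:13600): avc:  denied  { name_bind } for  pid=29001 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Usage:
#   ausearch -m AVC -ts today --raw | sh avc_triage.sh --stdin
#   sh avc_triage.sh --demo        (runs on the constructed sample records)
case "${1:-}" in
    --demo)  sample_avc | avc_triage ;;
    --stdin) avc_triage ;;
esac
```

For the post's record the first output field is `nginx,httpd_t,admin_home_t,file,getattr`, the same key sealert printed as "Hash:" above; the port-bind sample lands in the policy branch because no relabelling of a file will ever satisfy a `name_bind` check. Paths containing spaces are not handled, since the parser splits records on whitespace.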
Document updated: 2022-10-19 16:56   Author: xiubao yan