I am following this tutorial to run Flask on an Nginx server. I almost have it working: the page loads when SELinux is set to Permissive, but when SELinux is Enforcing the page shows 502 Bad Gateway.

Here are the relevant files:

myproject.ini

[uwsgi]
module = wsgi

master = true
processes = 5

socket = myproject.sock
chmod-socket = 660
vacuum = true

die-on-term = true

myproject.service
[Unit]
Description=uWSGI instance to serve myproject
After=network.target

[Service]
User=thisuser
Group=nginx
WorkingDirectory=/home/thisuser/public_html
Environment="PATH=/home/thisuser/thisuser_env/bin"
ExecStart=/home/thisuser/thisuser_env/bin/uwsgi --ini myproject.ini

[Install]
WantedBy=multi-user.target

thisuser.com.conf (Nginx configuration)
server {
    listen  80;

    server_name thisuser.com www.thisuser.com;
    access_log /home/thisuser/logs/access.log;
    error_log /home/thisuser/logs/error.log;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/thisuser/public_html/myproject.sock;
        try_files $uri $uri/ =404;
    }

}

The Flask files and directory are located under /home/thisuser/, with the following contexts:
[root@dev ~]# ls -ldZ /home/thisuser/
drwx--x--x. thisuser thisuser unconfined_u:object_r:user_home_dir_t:s0 /home/thisuser/
[root@dev ~]# ls -ldZ /home/thisuser/public_html/
drwxrwxr-x. thisuser thisuser unconfined_u:object_r:httpd_sys_content_t:s0 /home/thisuser/public_html/

The errors are as follows:

/var/log/audit/audit.log
type=AVC msg=audit(1498880449.864:156): avc:  denied  { write } for  pid=2667 comm="nginx" name="myproject.sock" dev="dm-2" ino=67165858 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1498880449.864:156): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f526e12e548 a2=6e a3=7ffdf52991b0 items=0 ppid=2666 pid=2667 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)



/home/thisuser/logs/error.log
2017/06/30 23:40:49 [crit] 2667#0: *1 connect() to unix:/home/thisuser/public_html/myproject.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.1.15, server: thisuser.com, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/home/thisuser/public_html/myproject.sock:", host: "thisuser.com"

Steps tried:
  • Tried changing the socket permissions to chmod-socket = 666
  • Used setsebool -P httpd_can_network_connect 1
  • Changed user=thisuser to user=nginx
  • Added thisuser to nginx
  • The only thing that works is switching SELinux to Permissive. Is there something I can change or add so that SELinux can stay Enforcing?

    Edit: http(s) is already allowed in firewalld
    [root@dev ~]# firewall-cmd --permanent --zone=public --add-service=https
    [root@dev ~]# firewall-cmd --permanent --zone=public --add-service=http
    [root@dev ~]# firewall-cmd --reload
    

    Best answer

    Not sure whether the following will work, but:

  • The socket needs to be associated with the httpd_sys_content_rw_t type so that processes associated with httpd_t can write to it. Create "myproject/runtime" and associate the httpd_sys_content_rw_t type with "runtime", so that the socket is created with the httpd_sys_content_rw_t type
  • Have systemd manually associate the uwsgi app process with the httpd_sys_script_t type so that SELinux targets the web app (not sure whether systemd is allowed to do this under the policy)

  • The key point is:
    avc:  denied  { write } for  pid=2667 comm="nginx" name="myproject.sock" dev="dm-2" ino=67165858 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
    

    indicates that the Nginx process, associated with the httpd_t type, is not allowed to write to the myproject.sock sock file, because that file is associated with the "read-only" httpd system content type.

    It should instead be associated with the "read and write" httpd system content type.
    INI:
    [uwsgi]
    module = wsgi
    
    master = true
    processes = 5
    
    socket = /home/thisuser/public_html/myproject/runtime/myproject.sock
    chmod-socket = 660
    vacuum = true
    
    die-on-term = true
    

    Unit:
    [Unit]
    Description=uWSGI instance to serve myproject
    After=network.target
    
    [Service]
    User=thisuser
    Group=nginx
    WorkingDirectory=/home/thisuser/public_html/myproject
    Environment="PATH=/home/thisuser/thisuser_env/bin"
    ExecStart=/home/thisuser/thisuser_env/bin/uwsgi --ini myproject.ini
    SELinuxContext=system_u:system_r:httpd_sys_script_t:s0
    
    [Install]
    WantedBy=multi-user.target
    

    conf:
    server {
        listen  80;
    
        server_name thisuser.com www.thisuser.com;
        access_log /home/thisuser/logs/access.log;
        error_log /home/thisuser/logs/error.log;
    
        location / {
            include uwsgi_params;
            uwsgi_pass unix:/home/thisuser/public_html/myproject/runtime/myproject.sock;
            try_files $uri $uri/ =404;
        }
    
    }
    

    Associate the labels:
    chcon -t httpd_sys_script_exec_t /home/thisuser/thisuser_env/bin/uwsgi
    chcon -Rt httpd_sys_content_rw_t /home/thisuser/public_html/myproject/runtime
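    As an added example, not part of the original question or answer: a small POSIX shell script that parses the AVC record quoted above, pulls out the source type, target type, object class and denied permission, and, for the one denial this page shows (httpd_t cannot write a sock_file labelled httpd_sys_content_t), prints the persistent equivalent of the chcon step: a semanage fcontext rule for the runtime directory plus restorecon. A chcon label is lost on the next relabel (restorecon, or a full filesystem relabel), while a file-context rule survives it. The sample record and the runtime directory path are constructed from the page; the script only parses text and prints commands and changes no labels on the host.

```shell
#!/bin/sh
# Added example, not from the original question or answer: parse an AVC
# denial record and derive a persistent relabel for the uWSGI socket dir.
# It only reads text and prints commands; it changes nothing on the host.

# Constructed sample record, shaped like the AVC line in the question.
SAMPLE_AVC='type=AVC msg=audit(1498880449.864:156): avc:  denied  { write } for  pid=2667 comm="nginx" name="myproject.sock" dev="dm-2" ino=67165858 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file'

# Assumed runtime directory from the answer above (the socket's parent dir).
RUNTIME_DIR=/home/thisuser/public_html/myproject/runtime

# avc_field RECORD KEY: print the value of KEY=value, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm RECORD: print the denied permission(s) listed inside { }.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# type_of CONTEXT: the type component of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix RECORD DIR: for the denial this page shows (httpd_t cannot
# write a sock_file labelled httpd_sys_content_t), print a relabel that
# survives restorecon: a file-context rule plus restorecon, instead of chcon.
# Returns 1 (and prints a comment) for any other denial.
suggest_fix() {
    rec=$1; dir=$2
    perm=$(avc_perm "$rec")
    src=$(type_of "$(avc_field "$rec" scontext)")
    tgt=$(type_of "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    if [ "$src" = httpd_t ] && [ "$tgt" = httpd_sys_content_t ] && [ "$perm" = write ]; then
        printf 'semanage fcontext -a -t httpd_sys_content_rw_t "%s(/.*)?"\n' "$dir"
        printf 'restorecon -Rv %s\n' "$dir"
        return 0
    fi
    printf '# no mapping for %s denied %s on %s (%s); inspect with audit2why\n' \
        "$src" "$perm" "$cls" "$tgt"
    return 1
}

suggest_fix "$SAMPLE_AVC" "$RUNTIME_DIR"
```

    Run it against a real denial by passing the AVC line from audit.log as the first argument to suggest_fix; the two printed commands, run as root, give the runtime directory (and the socket uwsgi creates inside it) the httpd_sys_content_rw_t type in a way that restorecon keeps rather than reverts. The script deliberately handles only the denial on this page; anything else is reported for manual review rather than turned into an allow rule.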
    

    Regarding python - How to run Flask + Nginx + uWSGI with SELinux in Enforcing mode?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44857223/

    10-12 16:48