Modifying the SELinux configuration to allow an nginx reverse proxy to reach a local site
Read about audit2allow and used it to generate a policy module that allows the requests SELinux had been denying for nginx.
[root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
[root]# cat nginxlocalconf.te
module nginxlocalconf 1.0;
require {
type httpd_t;
type var_t;
type transproxy_port_t;
class tcp_socket name_connect;
class file { read getattr open };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t transproxy_port_t:tcp_socket name_connect;
allow httpd_t var_t:file { read getattr open };
[root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i nginxlocalconf.pp
[root]# semodule -i nginxlocalconf.pp
To allow the HTTP server to connect to a local database such as MySQL, do as follows. Note that the audit2allow comment above already points out that the tcp_socket rule in nginxlocalconf.te can be covered by the first boolean alone, which is preferable to carrying that allow rule in a custom module:
# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1
To allow nginx (or Apache, php-fpm, etc.) to read and write a directory, do as follows. This is narrower than the generated module's rule that lets httpd_t read every var_t file, because only the relabelled path becomes accessible:
semanage fcontext -a -t httpd_sys_rw_content_t "/path(/.*)?"
restorecon -r /path
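Added example (not part of the original notes): a small Python triage script that parses constructed AVC denial lines in the audit.log format and, for each httpd_t denial, suggests the narrowest fix mentioned above (the httpd_can_network_connect boolean, or relabelling with semanage fcontext) before falling back to a custom audit2allow module. The sample log lines, the process-name filter and the fix heuristic are this example's assumptions.

```python
import re
from typing import List, Optional

# Constructed sample lines in the AVC format written to /var/log/audit/audit.log;
# they mirror the two denials that the generated nginxlocalconf.te covers.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1600000000.101:501): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1600000000.102:502): avc:  denied  { read open } for  pid=1234 comm="nginx" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1600000000.102:502): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Extract comm, source/target type, class and permissions from one AVC denial."""
    m = DENIED_RE.search(line)
    if not m:
        return None  # not an AVC denial (e.g. the SYSCALL record that follows it)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context looks like user:role:type:level; the type is the third field.
    return {
        "comm": fields.get("comm", ""),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": m.group("perms").split(),
    }


def suggest_fix(avc: dict) -> str:
    """Heuristic (this example's assumption): prefer a boolean or relabel over an allow rule."""
    if avc["stype"] != "httpd_t":
        return "not an httpd_t denial; review separately"
    if avc["tclass"] == "tcp_socket" and "name_connect" in avc["perms"]:
        return "setsebool -P httpd_can_network_connect 1"
    if avc["tclass"] in ("file", "dir") and avc["ttype"] == "var_t":
        # var_t is a generic label; relabelling the served directory is narrower
        # than an allow rule granting httpd_t access to all var_t files.
        return "semanage fcontext -a -t httpd_sys_rw_content_t '/path(/.*)?' && restorecon -R /path"
    return "no boolean or label fix matched; build a narrow module with audit2allow -M"


def triage_log(text: str, comm: str = "nginx") -> List[dict]:
    """Return one suggestion per AVC denial raised by the given process name."""
    results = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc and avc["comm"] == comm:
            results.append({**avc, "fix": suggest_fix(avc)})
    return results
```

Run it with `python -c 'import triage; print(triage.triage_log(open("/var/log/audit/audit.log").read()))'` (module name assumed) against a real log to list the suggested fix per denial.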
Related notes:
- How to fix permission denied under Linux with SELinux
- update-wordpress-with-selinux-enabled
- install-wordpress-centos-7
Notes copied from Teacher Teng (inserting a doge face here to stay out of trouble)