Modifying SElinux configure for allowing nginx reverse proxy local site

Read about audit2allow and used it to create a policy to allow access to the denied requests for nginx.

    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    [root]# cat nginxlocalconf.te 
    
    module nginxlocalconf 1.0;
    
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    }
    
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i nginxlocalconf.pp
    
    [root]# semodule -i nginxlocalconf.pp

To allow http server to connect local DB, like mysql, do as fllows:

# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1

To allow nginx(or apache, php-fpm, etc...) to write/read some dir, do as fllows:

semanage fcontext -a -t httpd_sys_rw_content_t "/path(/.*)?"
restorecon -r /path

see kuddusic.wordpress.com


How to fix permission denied under Linux with SELinux:
update-wordpress-with-selinux-enabled
install-wordpress-centos-7

Tag: none

Only one comment

  1. Violet Zhou Violet Zhou

    滕老师抄来的笔记(手动狗头保命)

Leave a new comment