最近倒腾服务器的时候,选择了CentOS8操作系统,在安装配置Nginx的时候遇到了Permission Denied问题。按照chown和chmod进行配置无果,后来定位到SELinux问题。
When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.
# 安装
sudo yum install -y nginx
# 启动
systemctl start nginx.service
server {
listen 8081;
server_name localhost;
access_log /var/log/nginx/access.log main;
location / {
root /home/custom/web; # 自定义路径
index index.html index.htm;
systemctl start nginx
nginx # nginx命令启动
2018/09/18 23:41:37 [error] 1266#1266: *1 "/home/custom/web/index.html" is forbidden (13: Permission denied), client: xxx.xxx.xxx.xxx, server: localhost, request: "GET / HTTP/1.1", xxx.xxx.xxx.xxx:8081"
# /etc/nginx/nginx.conf
#user nginx;
user root;
worker_processes 1;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
ll -Zd /usr/share/nginx/html/
# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/
其中,system_u:object_r:httpd_sys_content_t:s0 是当前路径的安全上下文配置。 通过chcon命令,设置新的目录地址配置
chcon -Ru system_u /home/custom/web
chcon -Rt httpd_sys_content_t /home/custom/web
setenforce 0
systemctl start nginx
[root@localhost mgzy]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@localhost mgzy]# systemctl status nginx.service
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 三 2018-09-19 03:07:23 CST; 7s ago
Docs: http://nginx.org/en/docs/
Process: 12298 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
9月 19 03:07:23 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
9月 19 03:07:23 localhost.localdomain nginx[12298]: nginx: [emerg] open() "/etc/nginx/none" failed (13: Permission denied)
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
9月 19 03:07:23 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
9月 19 03:07:23 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service failed.
日志中,看到/etc/nginx/none文件,有点懵逼,但是Permission denied说明还是权限问题。此时通过nginx启动后,能够生成一个none文件。此时,需要执行如下命令:
# make the process type httpd_t permissive
semanage permissive -a httpd_t
# grep nginx /var/log/audit/audit.log | audit2allow -m nginx
module nginx 1.0;
require {
type httpd_t;
type unreserved_port_t;
type httpd_config_t;
class tcp_socket name_bind;
class file { append create };
class dir { add_name write };
#============= httpd_t ==============
allow httpd_t httpd_config_t:dir { add_name write };
allow httpd_t httpd_config_t:file { append create };