Hello,
thanks for trying to help me.
Yes, the sestatus is enabled:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
If I set "setenforce 0", then it is working!!
[root@images2 ~]# setenforce 0
[root@images2 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
There is an error in the log:
type=AVC msg=audit(1420555412.784:47): avc: denied { search } for pid=3386 comm="nginx" name="omero" dev=dm-0 ino=1325803 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1420555412.784:47): arch=c000003e syscall=4 success=no exit=-13 a0=17dc081 a1=7fffa7cf5410 a2=7fffa7cf5410 a3=0 items=0 ppid=3385 pid=3386 auid=0 uid=494 gid=492 euid=494 suid=494 fsuid=494 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="nginx" exe="/usr/sbin/nginx" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1420555412.786:48): avc: denied { name_connect } for pid=3386 comm="nginx" dest=4080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1420555412.786:48): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=17dd6f8 a2=10 a3=7fffa7cf52a0 items=0 ppid=3385 pid=3386 auid=0 uid=494 gid=492 euid=494 suid=494 fsuid=494 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="nginx" exe="/usr/sbin/nginx" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
After installing the sealert (yum install setroubleshoot):
SELinux is preventing /usr/sbin/nginx from name_connect access on the tcp_socket.
and
SELinux is preventing /usr/sbin/nginx from search access on the directory /home/omero.
According to those details, I need to modify the port type:
If you want to allow /usr/sbin/nginx to connect to network port 4080
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 4080
where PORT_TYPE is one of the following: ldap_port_t, dns_port_t, http_port_t, ocsp_port_t, kerberos_port_t.
...
and
If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content'boolean.
Do
setsebool -P httpd_read_user_content 1
...
It seems that I have to change the context of the var dir ... Am I right?
I am going to try it on my testing install. I will post my results.
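As an added example (not from the post or any project), a small parser that turns audit AVC lines like the ones quoted above into the remediation sealert proposed for each; the mapping to `http_port_t` and `httpd_read_user_content` is taken from the sealert text in the post and is an assumption for any other denial.

```python
import re

# Constructed sample: the two AVC lines from the post plus a trimmed SYSCALL line,
# which the parser must skip because it carries no denial fields.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1420555412.784:47): avc: denied { search } for pid=3386 comm="nginx" name="omero" dev=dm-0 ino=1325803 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1420555412.784:47): arch=c000003e syscall=4 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"
type=AVC msg=audit(1420555412.786:48): avc: denied { name_connect } for pid=3386 comm="nginx" dest=4080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None for non-AVC records."""
    if 'type=AVC' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # user:role:type:level -> the type is the third colon-separated component
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def suggest(avc):
    """Map a parsed denial to the fix sealert suggested in the post (assumed mapping)."""
    if avc['tclass'] == 'tcp_socket' and 'name_connect' in avc['perms'] \
            and avc['ttype'] == 'port_t' and avc['stype'] == 'httpd_t':
        # httpd_t may only connect to ports labelled with an allowed port type;
        # http_port_t is one of the types sealert listed for the nginx case.
        return f"semanage port -a -t http_port_t -p tcp {avc['dest']}"
    if avc['tclass'] == 'dir' and avc['ttype'] == 'user_home_dir_t' \
            and avc['stype'] == 'httpd_t':
        # home directories are not web content by default; the boolean opens them
        # read-only, relabelling the served tree is the narrower alternative.
        return "setsebool -P httpd_read_user_content 1"
    return "no rule here: run sealert -a /var/log/audit/audit.log"


def remediations(log_text):
    """One suggestion per AVC record, in log order."""
    return [suggest(a) for a in map(parse_avc, log_text.splitlines()) if a]


if __name__ == '__main__':
    for cmd in remediations(SAMPLE_AUDIT):
        print(cmd)
```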