install
- リポジトリを追加してインストール
# vi /etc/yum.repos.d/nginx.repo
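[nginx]
name=nginx repo
# Fetch metadata and packages over TLS rather than plain http.
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
# gpgcheck=0 would install RPMs without any signature verification, so a
# tampered mirror or on-path modification would go unnoticed. Verify every
# package against the nginx signing key instead.
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1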
# yum install nginx
selinux有効な環境でPermission denied
systemctl start nginx
した時に下記エラーで起動できない場合
2018/01/30 19:52:00 [emerg] 4954#4954: open() "/var/run/nginx.pid" failed (13: Permission denied)
- 拒否ログからselinuxのポリシーを作ってインストールする
# yum install policycoreutils-python
# grep "denied" /var/log/audit/audit.log
type=AVC msg=audit(1517341920.540:924): avc: denied { read write } for pid=4954 comm="nginx" name="nginx.pid" dev="tmpfs" ino=33864 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
#
# cat /var/log/audit/audit.log | audit2allow -m nginx_read-write > nginx_read-write.te
# cat nginx_read-write.te
# Policy module generated by audit2allow from the AVC denial(s) in audit.log:
# nginx running as httpd_t was denied { read write } on nginx.pid, which is
# labelled var_run_t.
module nginx_read-write 1.0;
require {
type var_run_t;
type httpd_t;
class file { read write };
}
#============= httpd_t ==============
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_run_t. Change the label to httpd_var_run_t.
# NOTE(review): this rule is broader than the denial it was generated from --
# it lets httpd_t read and write *every* file labelled var_run_t, not only
# /var/run/nginx.pid. The WARNING above names the narrower fix: relabel the
# pid file to httpd_var_run_t (e.g. with restorecon) instead of loading this
# module.
allow httpd_t var_run_t:file { read write };
#
# checkmodule -M -m -o nginx_read-write.mod nginx_read-write.te
checkmodule: loading policy configuration from nginx_read-write.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to nginx_read-write.mod
#
# semodule_package -o nginx_read-write.pp -m nginx_read-write.mod
# semodule -i nginx_read-write.pp
# semodule -l | grep nginx
nginx_read-write 1.0
もっといい方法がありそうな気がする。。（上の .te に出ている WARNING のとおり、httpd_t に var_run_t 全体の read/write を許可するより、/var/run/nginx.pid のラベルを httpd_var_run_t に直す方が影響範囲が狭い）