I've run into a strange SELinux problem. When I restart Nginx with
sudo systemctl restart nginx
while SELinux is in enforcing mode, the server locks up, the website goes down, and the server CPU load reaches 70-90%. When I restart Nginx with SELinux in permissive mode, everything works as expected.
When I run
sudo journalctl -p err -b | grep -i selinux
I get two SELinux warnings (see below for details):
SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache
SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero
Information about /etc/ld.so.cache:
ls -laZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
If I run
sudo ldconfig
a new /etc/ld.so.cache cache file is generated immediately.
ldconfig version:
ldconfig --version
ldconfig (GNU libc) 2.17
According to the ldconfig_selinux man page:
The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.
For example:
ps -eZ | grep ldconfig_t
However, when I run the above command, grep returns nothing. This is probably not important, but I thought I should mention it.
I also tried changing the file permissions with
sudo chmod 0755 /etc/ld.so.cache
and
sudo chmod 0750 /etc/ld.so.cache
but that didn't work either.
Edit: here is a copy of my Nginx systemd unit file (opened with sudo vi /usr/lib/systemd/system/nginx.service):
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target
SELinux warnings:
SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that nginx should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:ld_so_cache_t:s0
Target Objects /etc/ld.so.cache [ file ]
Source nginx
Source Path /usr/sbin/nginx
Port <Unknown>
Host di-staging
Source RPM Packages nginx-1.15.7-1.x86_64
Target RPM Packages glibc-2.17-260.el7.x86_64
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 35
First Seen 2019-03-02 16:08:25 GMT
Last Seen 2019-03-07 12:08:18 GMT
Local ID 2bd8aa83-8ba0-49fa-83f8-7f5924ad194c
Raw Audit Messages
type=AVC msg=audit(1551960498.942:1179942): avc: denied { execute } for pid=28695 comm="nginx" path="/etc/ld.so.cache" dev="sda2" ino=9177558 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551960498.942:1179942): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=a942 a2=1 a3=2 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: nginx,httpd_t,ld_so_cache_t,file,execute
-----------------------
SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that nginx should be allowed map access on the zero chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:zero_device_t:s0
Target Objects /dev/zero [ chr_file ]
Source nginx
Source Path /usr/sbin/nginx
Port <Unknown>
Host di-staging
Source RPM Packages nginx-1.15.7-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 83
First Seen 2019-03-02 16:08:25 GMT
Last Seen 2019-03-07 12:08:19 GMT
Local ID 4155f3e6-d77d-479b-9642-b90b4512e49a
Raw Audit Messages
type=AVC msg=audit(1551960499.20:1179949): avc: denied { map } for pid=28695 comm="nginx" path="/dev/zero" dev="devtmpfs" ino=2053 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1551960499.20:1179949): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=48000 a2=3 a3=1 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: nginx,httpd_t,zero_device_t,chr_file,map
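As an added example (not part of the question above, and not the output of any tool named in it), the following Python script parses raw type=AVC audit records like the two quoted in the sealert reports, reconstructs the sealert-style "SELinux is preventing ..." summary from the record's fields, and groups the denials into the allow-rule form that audit2allow would emit. The sample input is constructed: it consists of the question's two AVC records plus one invented permissive=1 record, so that enforced denials (permissive=0) and audit-only denials logged while a domain was permissive are reported separately. All function names are my own.

```python
"""Triage SELinux AVC denials from raw audit records (constructed example)."""
import re

# Constructed sample input: the two raw AVC records quoted in the question,
# one trimmed SYSCALL record (ignored by the parser), and an invented
# permissive=1 record standing in for a denial logged in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551960498.942:1179942): avc: denied { execute } for pid=28695 comm="nginx" path="/etc/ld.so.cache" dev="sda2" ino=9177558 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551960498.942:1179942): arch=x86_64 syscall=mmap success=no exit=EACCES comm=nginx exe=/usr/sbin/nginx
type=AVC msg=audit(1551960499.20:1179949): avc: denied { map } for pid=28695 comm="nginx" path="/dev/zero" dev="devtmpfs" ino=2053 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1551960600.100:1180000): avc: denied { read write } for pid=28700 comm="nginx" path="/dev/zero" dev="devtmpfs" ino=2053 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=1
"""

# Header of an AVC record; whitespace is flexible because copy-pasted logs
# often lose the double spaces the kernel emits.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="nginx") or bare (tclass=file).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field of a user:role:type:level context ('?' if malformed)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else "?"


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q or v) for k, q, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "path": fields.get("path") or fields.get("name", "?"),
        "scontext": fields.get("scontext", "?"),
        "tcontext": fields.get("tcontext", "?"),
        "tclass": fields.get("tclass", "?"),
        # permissive=1 means the source domain was not enforced, so the
        # access was only logged, not blocked.
        "permissive": fields.get("permissive") == "1",
    }
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def describe(rec):
    """Render a sealert-style one-line summary for a parsed denial."""
    return "SELinux is preventing %s from %s access on the %s %s" % (
        rec["comm"], " ".join(rec["perms"]), rec["tclass"], rec["path"])


def summarize(audit_text):
    """Group denials by (source type, target type, class), merging permissions.

    Returns (enforced_rules, audit_only_rules) as lists of allow-rule strings
    in the syntax audit2allow emits, sorted so the output is stable.
    """
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["permissive"], rec["stype"], rec["ttype"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    enforced, audit_only = [], []
    for (permissive, stype, ttype, tclass), perms in sorted(groups.items()):
        perm_str = (next(iter(perms)) if len(perms) == 1
                    else "{ %s }" % " ".join(sorted(perms)))
        rule = "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str)
        (audit_only if permissive else enforced).append(rule)
    return enforced, audit_only


if __name__ == "__main__":
    for raw in SAMPLE_AUDIT.splitlines():
        parsed = parse_avc(raw)
        if parsed:
            print(describe(parsed), "(audit-only)" if parsed["permissive"] else "(enforced)")
    enforced_rules, audit_only_rules = summarize(SAMPLE_AUDIT)
    print("Rules a local module would need for the enforced denials:")
    for r in enforced_rules:
        print("  " + r)
    print("Audit-only denials (logged in permissive mode, not currently blocking):")
    for r in audit_only_rules:
        print("  " + r)
```

Because `ausearch -c 'nginx' --raw | audit2allow` turns every denial it finds into a rule, including those recorded while the box was in permissive mode, splitting the two sets before building a local policy module keeps that module limited to what is actually being enforced, and the grouped rules are small enough to review by hand before `semodule -i`.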