概述
1.检查httpd的错误日志。默认情况下日志存放在/var/log/httpd/目录中。
[root@localhost ~]# grep Permission /var/log/httpd/error_log
[Tue Apr 10 09:07:04 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:07:50 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:08:07 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:10:06 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:11:08 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:11:17 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:11:34 2012] [error] [client ::1] (13)Permission denied: access to /start denied
2.再检查网站目录和文件的权限。为方便起见直接使用 ls -lZ：-l 显示详细信息，-Z 显示每个文件的SELinux安全上下文(user:role:type:level)。
ls -lZ
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 archive.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog_backup
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 css
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 home_page
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start #问题行
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 images
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 info_php.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 js
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 log
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 php #以前的遗留问题
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 phpMyAdmin-3.4.10.1-all-languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 PSDs
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 readme.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.html
3.再查看SELinux的工作状态,判断是不是SELinux引起的。
[root@localhost httpd]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
SELinux处于enforcing模式,而上面home_start目录的类型是admin_home_t而不是httpd_sys_content_t,httpd_t进程不允许读取admin_home_t标签的文件,这就是导致网站权限不正确的原因。
4.所以使用chcon更改SELinux权限以及显示结果如下:
setenforce 0 #暂时将SELinux切换为permissive模式(并非关闭SELinux),否则可能导致操作失败;修改完成并验证后务必用 setenforce 1 恢复enforcing模式。
chcon -t httpd_sys_content_t -R /var/www/html/home_start/ #-R参数表示递归处理目录下的所有文件。注意chcon只修改文件当前的标签,执行restorecon或系统重新打标签后会丢失;要持久化需用semanage fcontext登记规则后再restorecon(见下文)。
经过修改就会发现SELinux的安全上下文类型已经和其他目录相同了!都是httpd_sys_content_t。
[root@localhost html]# setenforce --help
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@localhost html]# setenforce 0
[root@localhost html]# cd
[root@localhost ~]# ls /var/www/html/ -Z
……
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start
……
[root@localhost ~]# chcon -t httpd_sys_content_t -R /var/www/html/home_start/
[root@localhost ~]# ls /var/www/html/home_start/ -Z
……
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 authorize.php
……
然后,先执行setenforce 1恢复enforcing模式,再次打开浏览器输入地址,验证能否访问(在permissive模式下访问成功并不能证明标签已修复);如果可以访问就可以进行下一步配置了!
-----------------------------------------------------------------------------------------
# sesearch -A -s httpd_t -b httpd_can_network_relay
Found 10 semantic av rules:
allow httpd_t gopher_port_t : tcp_socket name_connect ;
allow httpd_t http_cache_client_packet_t : packet { send recv } ;
allow httpd_t ftp_port_t : tcp_socket name_connect ;
allow httpd_t ftp_client_packet_t : packet { send recv } ;
allow httpd_t http_client_packet_t : packet { send recv } ;
allow httpd_t squid_port_t : tcp_socket name_connect ;
allow httpd_t http_cache_port_t : tcp_socket name_connect ;
allow httpd_t http_port_t : tcp_socket name_connect ;
allow httpd_t gopher_client_packet_t : packet { send recv } ;
allow httpd_t memcache_port_t : tcp_socket name_connect ;
-------------
# semanage port -l | grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
--------------
# semanage port -a -t http_port_t -p tcp 8082
-------------
# semanage port -a -t http_port_t -p tcp 8080
/usr/sbin/semanage: Port tcp/8080 already defined
# semanage port -l | grep 8080
http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
# 说明:tcp/8080已被http_cache_port_t定义,所以无法再用-a加到http_port_t;从上面的sesearch结果可见,开启httpd_can_network_relay布尔值即允许httpd_t连接http_cache_port_t,无需改动端口定义。
-----------
# sesearch -A -s httpd_t -b httpd_can_network_connect
Found 1 semantic av rules:
allow httpd_t port_type : tcp_socket name_connect ;
----------
# seinfo -aport_type -x
# 以下对比两种改标签方式:chcon只改当前文件标签,semanage fcontext + restorecon才把规则写入策略并在重新打标签后保留,生产环境应使用后者。
--------------------------------------------------------------------
# chcon -v --type=httpd_sys_content_t /www/t.txt
# semanage fcontext -a -t httpd_sys_content_t /www/t.txt
# restorecon -v /www/t.txt
# semanage fcontext -a -t httpd_sys_content_t /www(/.*)?
# restorecon -Rv /www
# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
# cat nginx.te
module nginx 1.0;
require {
type httpd_t;
type default_t;
type http_cache_port_t;
class tcp_socket name_connect;
class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t default_t:file { read getattr open };
#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;
# grep nginx /var/log/audit/audit.log | audit2allow -M nginx
# semodule -i nginx.pp
# semodule -l | grep nginx
nginx 1.0
最后:用audit2allow生成的模块会把审计日志里的拒绝记录直接转成allow规则(如上面的 allow httpd_t default_t:file),这会放宽SELinux策略。default_t通常说明文件标签本身不正确,应优先用semanage fcontext/restorecon修正标签;网络连接类拒绝则优先开启audit2allow提示的布尔值(httpd_can_network_relay、httpd_can_network_connect),而不是直接加载自定义模块。