1. The system uses SELinux by default, so every directory the project needs to read and write must have its security context changed so that the HTTP service can read and write it, for example the log folder and the file-storage folder:
chcon -R -t httpd_sys_content_rw_t /home/files /home/log/php
2. Likewise, assuming the application performs network operations such as connecting to a database, the HTTP service must also be allowed to open network connections:
setsebool -P httpd_can_network_connect on
3. The system enables the firewall by default and closes most ports; any port you need must be opened explicitly:
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
4. Likewise, if a service such as nginx is to use a custom port instead of a common one like 80, 443 or 8443, the SELinux port restriction must be updated:
Add a port:
semanage port -a -t http_port_t -p tcp 8888
Remove a port:
semanage port -d -t http_port_t -p tcp 8888
5. The ultimate way to resolve SELinux problems
If, after locating the problem, it turns out to be caused by SELinux, the following approach can be taken:
Query the SELinux log:
grep docker /var/log/messages
The output is:
Oct 17 10:40:25 seetacloud setroubleshoot: SELinux is preventing /usr/sbin/php-fpm from connectto access on the unix_stream_socket /run/docker.sock. For complete SELinux messages run: sealert -l 6f6c766c-a816-4cef-9283-4a7590663a30
Oct 17 10:40:25 seetacloud python: SELinux is preventing /usr/sbin/php-fpm from connectto access on the unix_stream_socket /run/docker.sock.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to enable cluster mode for daemons.#012Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.#012#012Do#012setsebool -P daemons_enable_cluster_mode 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that php-fpm should be allowed connectto access on the docker.sock unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012
As you can see, the log describes in detail why SELinux blocked the action. The log also contains a suggested fix:
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
Do
setsebool -P daemons_enable_cluster_mode 1
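Entries like the one above are hard to read because rsyslog stores the multi-line sealert text on a single line with every newline escaped as "#012". The following POSIX shell script is an added triage helper (not part of the original note) that decodes such a line into the fields needed to judge a denial: the source process, the access, the target object, and the top-ranked plugin with the command it proposes. The sample entries are constructed after the output shown above.

```shell
#!/bin/sh
# Triage helper for setroubleshoot entries in /var/log/messages.
# rsyslog keeps the multi-line sealert text on one line and escapes each
# embedded newline as "#012"; avc_summary splits on that marker and reduces
# the entry to: which process, which access, on what object, and what the
# highest-confidence plugin proposes.

# Sample entries, constructed after the log output shown above (not live logs).
SAMPLE_NO_PLUGIN="Oct 17 10:40:25 seetacloud setroubleshoot: SELinux is preventing /usr/sbin/php-fpm from connectto access on the unix_stream_socket /run/docker.sock. For complete SELinux messages run: sealert -l 6f6c766c-a816-4cef-9283-4a7590663a30"
SAMPLE_WITH_PLUGIN="Oct 17 10:40:25 seetacloud python: SELinux is preventing /usr/sbin/php-fpm from connectto access on the unix_stream_socket /run/docker.sock.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to enable cluster mode for daemons.#012Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.#012#012Do#012setsebool -P daemons_enable_cluster_mode 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012Do#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012"

# Print one key=value summary line for a single setroubleshoot log line.
avc_summary() {
    printf '%s\n' "$1" | awk '
    {
        n = split($0, part, /#012/)
        # part[1]: syslog prefix plus the one-sentence denial.
        if (match(part[1], /SELinux is preventing .* access on the [^ ]+ [^ ]+/)) {
            k = split(substr(part[1], RSTART, RLENGTH), w, " ")
            src = w[4]; access = w[6]; cls = w[k-1]; target = w[k]
            sub(/\.$/, "", target)           # drop the sentence-ending period
        }
        # Plugins are listed best-first; keep the first one and its command.
        for (i = 2; i <= n; i++) {
            if (plugin == "" && match(part[i], /Plugin [^ ]+ \([0-9.]+ confidence\)/)) {
                split(substr(part[i], RSTART, RLENGTH), p, " ")
                plugin = p[2]; conf = substr(p[3], 2)
            }
            if (plugin != "" && fix == "" && part[i] ~ /^(setsebool|# )/)
                fix = part[i]
        }
        printf "src=%s access=%s class=%s target=%s plugin=%s confidence=%s fix=%s\n",
               src, access, cls, target, plugin, conf, fix
    }'
}

# Summarise every denial in a log read from stdin, one line per entry,
# e.g.: triage_log < /var/log/messages
triage_log() {
    grep 'SELinux is preventing' | while IFS= read -r line; do
        avc_summary "$line"
    done
}

avc_summary "$SAMPLE_WITH_PLUGIN"
```

Before applying a proposed fix, check what the boolean actually switches on with `semanage boolean -l` rather than running `setsebool -P` on the plugin's say-so, and read the .te file that `audit2allow -M` writes before loading the module with `semodule -i`.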