Posts under category Linux笔记

Modifying SElinux configure for allowing nginx reverse proxy local site

Read about audit2allow and used it to create a policy to allow access to the denied requests for nginx.

    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -m nginxlocalconf > nginxlocalconf.te
    [root]# cat nginxlocalconf.te 
    module nginxlocalconf 1.0;
    require {
        type httpd_t;
        type var_t;
        type transproxy_port_t;
        class tcp_socket name_connect;
        class file { read getattr open };
    #============= httpd_t ==============
    #!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
    allow httpd_t transproxy_port_t:tcp_socket name_connect;
    allow httpd_t var_t:file { read getattr open };
    [root]# sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M nginxlocalconf
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i nginxlocalconf.pp
    [root]# semodule -i nginxlocalconf.pp

Explaining command su

Running a command with substitute user is the typical use of command su under linux.

Sometimes, use -s option to running the specified shell instead of the default, this option may helps a lot when need to access user whose default shell is /sbin/nologin, usage like su -s /bin/bash jenkins

Explaining file /ets/sudoers

/ets/sudoers configure user(s) who can get root privileges under linux.
440 permission is on this file by default, so chmod +w operation is required before modify file, don't forget chmod -w once modified.

Some typical configs are as follow:

allow jenkins user restart uwsgi service via systemd:

jenkins     ALL  = NOPASSWD    : /bin/systemctl restart uwsgi


user        host = need passwd?: command 1, shell 2, ...

allow moon user access sudo privileges unconditional:

moon    ALL=(ALL)       NOPASSWD: ALL


然后更新镜像 yum makecache

- Read More -