Configuring Seafile on CentOS 7 without disabling SELinux
Preface
With Seafile behind an nginx reverse proxy, nginx (which SELinux confines in the httpd_t domain) cannot read the seahub directory that the Seafile installation created, so the SELinux context of seahub has to be changed before nginx is allowed to read it. The files carry the type unlabeled_t, which usually means they were unpacked while SELinux was disabled. The denial shows up in the audit log:
tail -f /var/log/audit/audit.log
type=AVC msg=audit(1478221314.101:84): avc: denied { read } for pid=1947 comm="nginx" name="seafile-server-latest" dev="dm-2" ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1478221314.101:84): arch=c000003e syscall=2 success=no exit=-13 a0=124e640 a1=800 a2=0 a3=0 items=0 ppid=1943 pid=1947 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
1. Allow nginx to connect to the Seafile backends
setsebool -P httpd_can_network_connect 1
This is about outbound connections, not about nginx being reachable: by default the httpd_t domain may not open TCP connections, so nginx's proxy_pass to seahub and seaf-server would be denied. The boolean lifts that restriction for every port, and -P makes it survive reboots. A narrower alternative is httpd_can_network_relay, which only allows connections to ports labelled as web or proxy ports (http_port_t and the like), but then the Seafile backend ports must carry such a label first: semanage port -l shows how a port is currently labelled, semanage port -a -t http_port_t -p tcp <port> adds a label, and -m replaces an existing one.
2. Change the file context of seahub
[root@localhost ~]# ls -Z /seafile/seafile-server-latest/ |grep seahub
drwxrwxr-x. 500 500 unconfined_u:object_r:unlabeled_t:s0 seahub
-rwxrwxr-x. 500 500 unconfined_u:object_r:unlabeled_t:s0 seahub.sh
Before the change the context is unlabeled_t, a type that httpd_t has no read access to, so the seahub directory and everything under it must be relabelled for nginx to be able to read it. httpd_sys_content_t is the policy's type for static web content: httpd_t may read it but not write to it, which is the right amount of access for files nginx only serves.
chcon -R -t httpd_sys_content_t /seafile/seafile-server-latest/seahub
[root@localhost ~]# ls -Z /seafile/seafile-server-latest/ |grep seahub
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 seahub
-rwxrwxr-x. 500 500 unconfined_u:object_r:unlabeled_t:s0 seahub.sh
[root@localhost ~]# ls -Z /seafile/seafile-server-latest/seahub
-rwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 code-check.sh
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 CONTRIBUTORS
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 fabfile
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 HACKING
-rwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 i18n.sh
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 latest_commit
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 LICENSE-thirdparty.txt
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 LICENSE.txt
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 locale
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 Makefile
-rwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 manage.py
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 media
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 pylintrc
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 pylintrc.template
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 pytest.ini
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 README.markdown
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 requirements.txt
-rwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 run-seahub.sh.template
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 seahub
-rwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 send_user_notifications.sh.template
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 setenv.sh.template
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 sql
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 static
-rw-rw-r--. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 test-requirements.txt
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 tests
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 thirdpart
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 tools
With the seahub directory and every file under it relabelled to httpd_sys_content_t, nginx can now read them.
3. Change the seahub-data context
The custom logo still did not show, however. Seafile keeps user-supplied logos and CSS outside seafile-server-latest, in seahub-data, so that they are easy to customize, and that directory therefore needs the same context as well.
[root@localhost ~]# ls -Z /seafile/seahub-data
drwxrwxr-x. 500 500 unconfined_u:object_r:unlabeled_t:s0 avatars
[root@localhost ~]# chcon -R -t httpd_sys_content_t /seafile/seahub-data
[root@localhost ~]# ls -Z /seafile/seahub-data
drwxrwxr-x. 500 500 unconfined_u:object_r:httpd_sys_content_t:s0 avatars
4. Change the context of the seafile-server-latest symlink
Even after the three steps above nginx still cannot reach the files through the seafile-server-latest link. This is exactly the denial in the audit record at the top of the page: tclass=lnk_file with name="seafile-server-latest", meaning the symlink itself is still unlabeled_t, and reading a symlink is checked separately from reading the directory it points to.
chcon -R -t httpd_sys_content_t /seafile/seafile-server-latest
Because chcon does not follow symbolic links while recursing unless -H or -L is given, this relabels the link itself and leaves the versioned directory behind it untouched, which is what this denial needs.
With that, Seafile runs normally with SELinux left in enforcing mode.
Summary
In the end it is just four commands. Note that chcon only writes the new label into the file's extended attribute; the next relabel of the tree (restorecon, or a full relabel after SELinux has been toggled off and on) resets the labels to what the policy's file_contexts say, so they would come back as the policy default. To make the change permanent, record the same types with semanage fcontext and apply them with restorecon.
setsebool -P httpd_can_network_connect 1
chcon -R -t httpd_sys_content_t /seafile/seafile-server-latest/seahub
chcon -R -t httpd_sys_content_t /seafile/seahub-data
chcon -R -t httpd_sys_content_t /seafile/seafile-server-latest
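As an added example (not from the original post and not Seafile's own tooling), here are the same four settings expressed persistently with semanage fcontext and restorecon, in a small POSIX sh script that also reduces AVC records of the kind shown at the top of the page to the fields that matter, so you can confirm afterwards that nothing is still being denied to nginx. It goes slightly beyond the post in that it parses any AVC record, not only the one shown. The /seafile layout, the versioned seafile-server-<version> directory behind the symlink, and the sample AVC line (copied from the post) are assumptions tied to this install; adjust SEAFILE_ROOT and AUDIT_LOG for another one.

```shell
#!/bin/sh
# Added example, not part of the original post: persistent SELinux labelling
# for a Seafile install served by nginx, plus a check of audit.log for AVC
# denials against nginx (httpd_t). Assumes the post's layout under /seafile.

SEAFILE_ROOT=${SEAFILE_ROOT:-/seafile}
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# AVC record copied from the post; used as sample input for the check below.
SAMPLE_AVC='type=AVC msg=audit(1478221314.101:84): avc: denied { read } for pid=1947 comm="nginx" name="seafile-server-latest" dev="dm-2" ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file'

# Regex for semanage fcontext that covers a directory and everything below it:
#   /seafile/seahub-data -> /seafile/seahub-data(/.*)?
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Reduce one AVC record to "<source type> <target type> <class> <name>", e.g.
# "httpd_t unlabeled_t lnk_file seafile-server-latest": the source type is the
# blocked domain, the target type and class say what has to be relabelled.
avc_fields() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ {
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   cls = kv[2]
                if (kv[1] == "name")     { nm = kv[2]; gsub("\"", "", nm) }
            }
            print src, tgt, cls, nm
        }'
}

# Every distinct denial nginx has hit, one per line. Run it after restorecon:
# an empty result means the labels cover everything nginx touches.
nginx_denials() {
    grep 'type=AVC' "${1:-$AUDIT_LOG}" 2>/dev/null | grep 'comm="nginx"' |
    while IFS= read -r line; do avc_fields "$line"; done | sort -u
}

# Persistent equivalent of the post's four chcon/setsebool commands.
# file_contexts patterns are matched against the path restorecon walks, and
# restorecon does not go through symlinks, so the tree behind the
# seafile-server-latest link is matched by its versioned name (assumed to be
# seafile-server-<version>). The link itself is listed separately because the
# AVC above is on the link (tclass=lnk_file), not on its target.
plan_labels() {
    cat <<EOF
semanage fcontext -a -t httpd_sys_content_t '$SEAFILE_ROOT/seafile-server-[^/]+/seahub(/.*)?'
semanage fcontext -a -t httpd_sys_content_t '$(fcontext_pattern "$SEAFILE_ROOT/seahub-data")'
semanage fcontext -a -t httpd_sys_content_t '$SEAFILE_ROOT/seafile-server-latest'
restorecon -Rv '$SEAFILE_ROOT'
setsebool -P httpd_can_network_connect 1
EOF
}

# Execute the plan when the SELinux tools are present, otherwise just show it.
apply_labels() {
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        plan_labels | sh -e
    else
        echo "semanage/restorecon not found; run these on the Seafile host:" >&2
        plan_labels
    fi
}

case "${1:-plan}" in
    plan)  plan_labels ;;
    apply) apply_labels ;;
    check) nginx_denials "${2:-$AUDIT_LOG}" ;;
    *)     echo "usage: $0 plan|apply|check [audit.log]" >&2; exit 2 ;;
esac
```

Run it with plan to print the commands, apply to execute them, and check (optionally with the path of a saved audit log) to list the distinct denials nginx still hits; ausearch -m avc -c nginx -ts recent shows the same records with timestamps. semanage fcontext -a refuses a pattern that is already defined, so use -m to change one and semanage fcontext -l -C to list local additions. The boolean is kept as in the post; the narrower httpd_can_network_relay needs the backend ports labelled with semanage port first, as described under step 1.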