Question

I'm confused

2014/05/12 09:36:51 [error] 25928#0: *1 open() "/home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html" failed (13: Permission denied), client: 128.68.154.57, server: localhost, request: "GET /test.html HTTP/1.1"

Here are the permissions:

[root@vsfedora OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64]# namei -l /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
f: /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages/test.html
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwxrwx--- dev  dev  dev
drwxr-xr-x dev  dev  OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64
drwxr-xr-x dev  dev  packages
-rw-rw-r-- dev  dev  test.html

Here is the group:

dev:x:1000:nginx

The nginx worker process is running as the nginx user:

[root@vsfedora ~]# ps aux|grep nginx
root     26494  0.0  0.3 111588  3796 ?        Ss   11:07   0:00 nginx: master process /usr/sbin/nginx
nginx    26495  0.0  0.5 111932  5116 ?        S    11:07   0:00 nginx: worker process

server section in nginx.conf:

server {
    location / {
        autoindex  on;
        root /usr/share/nginx/html;
    }
}

The symlink is also fine:

lrwxrwxrwx. 1 0 0   65 May 12 10:10 packages -> /home/dev/OpenWrt-ImageBuilder-brcm47xx-for-linux-x86_64/packages

Solution

It's an SELinux issue:

tail /var/log/audit/audit.log

type=AVC msg=audit(1399879586.183:2081199): avc:  denied  { search } for  pid=26495 comm="nginx" name="dev" dev="dm-1" ino=269277 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1399879586.183:2081199): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd65ed2219 a1=800 a2=0 a3=0 items=0 ppid=26494 pid=26495 auid=4294967295 uid=996 gid=1000 euid=996 suid=996 fsuid=996 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)

A detailed explanation and resolution can be found here
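To see which SELinux check sits behind nginx's "(13: Permission denied)", the audit records can be grouped by serial number and reduced to source domain, permission and target label. The Python below is an added example, not part of the original answer; the function names and the third sample record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The first two records are copied from the audit.log excerpt above; the third is
# constructed (another process, MLS range in the level) to exercise the filter.
LOG = [
    'type=AVC msg=audit(1399879586.183:2081199): avc:  denied  { search } for  pid=26495 comm="nginx" name="dev" dev="dm-1" ino=269277 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1399879586.183:2081199): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd65ed2219 a1=800 a2=0 a3=0 items=0 ppid=26494 pid=26495 auid=4294967295 uid=996 gid=1000 euid=996 suid=996 fsuid=996 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1399879590.001:2081200): avc:  denied  { read } for  pid=300 comm="sshd" name="x" dev="dm-1" ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

HEAD = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def selinux_type(context):
    # A context is user:role:type:level; the level may itself contain ':'.
    return context.split(':', 3)[2]

def denials(lines, comm):
    """Merge records sharing an audit serial and return AVC denials for comm."""
    events = defaultdict(dict)
    for line in lines:
        m = HEAD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events[serial]
        denied = DENIED.search(body) if rtype == 'AVC' else None
        if denied:
            ev['perms'] = denied.group(1).split()
        for key, value in KV.findall(body):
            ev.setdefault(key, value.strip('"'))
    return [
        {'serial': serial, 'perms': ev['perms'], 'tclass': ev['tclass'],
         'name': ev.get('name'), 'source': selinux_type(ev['scontext']),
         'target': selinux_type(ev['tcontext']),
         'exit': int(ev['exit']) if 'exit' in ev else None}
        for serial, ev in events.items()
        if 'perms' in ev and ev.get('comm') == comm
    ]

if __name__ == '__main__':
    for d in denials(LOG, 'nginx'):
        print(f"{d['source']} denied {d['perms']} on {d['tclass']} "
              f"{d['name']!r} labelled {d['target']}, syscall exit {d['exit']}")
```

For the records quoted above, this reports that the httpd_t domain was denied search on the directory dev labelled user_home_dir_t, with the paired syscall exiting -13, the same errno 13 that nginx logged.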

Other tips

Per the documentation on the user directive, nginx uses a group name equal to the user name if you omit the group name. So you have to explicitly use user nginx dev; in your nginx.conf.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow