SELinux は /usr/sbin/nginx が /etc/ld.so.cache ファイルにアクセスするのを防ぎます。

奇妙なSElinuxの問題が発生しました。sudo systemctl restart nginxSElinuxでNginxを再起動すると、enforcingサーバーがブロックされ、Webサイトがクラッシュし、サーバーのCPU負荷が70〜90％に達します。permissiveSElinuxモードでNginxを再起動すると、すべてが期待どおりに機能します。

コマンドを実行すると、sudo journalctl -p err -b | grep -i selinux2つのSElinuxアラートを受け取りましたSELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache（SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero詳細については以下を参照）。

/etc/ld.so.cacheについて：

ls -laZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache

新しいキャッシュファイルを実行するとsudo ldconfigすぐに作成されます。/etc/ld.so.cacheldconfig

ldconfig --version
ldconfig (GNU libc) 2.17

ldconfig_selinuxマニュアルページによるとLD構成

The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep ldconfig_t

しかし、上記のコマンドを実行すると、grepは何も返しません。これはおそらく重要ではないでしょう。しかし、私はそれを言及しなければならないと思いました。

また、ファイル権限を次のように変更してみました。sudo chmod 0755 /etc/ld.so.cacheそれも動作しませんでしたsudo chmod 0750 /etc/ld.so.cache。

編集：ここに私のNginxシステムスクリプトのコピーがあります。

sudo vi /usr/lib/systemd/system/nginx.service

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target

SELinux警告：

SELinux is preventing /usr/sbin/nginx from execute access on the file /etc/ld.so.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:ld_so_cache_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           nginx-1.15.7-1.x86_64
Target RPM Packages           glibc-2.17-260.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   35
First Seen                    2019-03-02 16:08:25 GMT
Last Seen                     2019-03-07 12:08:18 GMT
Local ID                      2bd8aa83-8ba0-49fa-83f8-7f5924ad194c

Raw Audit Messages
type=AVC msg=audit(1551960498.942:1179942): avc:  denied  { execute } for  pid=28695 comm="nginx" path="/etc/ld.so.cache" dev="sda2" ino=9177558 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1551960498.942:1179942): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=a942 a2=1 a3=2 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,ld_so_cache_t,file,execute

-----------------------

SELinux is preventing /usr/sbin/nginx from map access on the chr_file /dev/zero.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed map access on the zero chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:zero_device_t:s0
Target Objects                /dev/zero [ chr_file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           nginx-1.15.7-1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   83
First Seen                    2019-03-02 16:08:25 GMT
Last Seen                     2019-03-07 12:08:19 GMT
Local ID                      4155f3e6-d77d-479b-9642-b90b4512e49a

Raw Audit Messages
type=AVC msg=audit(1551960499.20:1179949): avc:  denied  { map } for  pid=28695 comm="nginx" path="/dev/zero" dev="devtmpfs" ino=2053 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1551960499.20:1179949): arch=x86_64 syscall=mmap per=400000 success=no exit=EACCES a0=0 a1=48000 a2=3 a3=1 items=0 ppid=1 pid=28695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,zero_device_t,chr_file,map