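Hardening nginx with an SELinux policy
By default, SELinux does not protect the Nginx web server; protection can be configured manually. First install the support packages needed to compile SELinux policy: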
# yum -y install selinux-policy-targeted selinux-policy-devel
Download the SELinux policy from the project home page (http://sourceforge.net/projects/selinuxnginx/):
# cd /root/install && wget -O se-ngix_1_0_10.tar.gz 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'
# tar zxf se-ngix_1_0_10.tar.gz
# cd se-ngix_1_0_10/nginx
# make
Sample output:
[root@bogon nginx]# make
Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod
Install the generated nginx.pp SELinux module:
# /usr/sbin/semodule -i nginx.pp
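A post-install check, added here as an example (not part of the original page or of the selinuxnginx project): it confirms the module is listed by semodule -l and flags nginx processes still running in a generic domain of the stock targeted policy. The module name "nginx" is assumed from the nginx.pp file name, and the sample input is constructed.

```shell
#!/bin/sh
# Constructed sample of `semodule -l` output (names and versions are illustrative).
SAMPLE_MODULES='mysql   1.14.1
nginx   1.0.10
ntp     1.10.2'

# Constructed sample of `ps -eZ` output: nginx was started from an init
# script and never left initrc_t, i.e. no dedicated domain confines it.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    2101 ?        00:00:00 nginx
system_u:system_r:initrc_t:s0    2102 ?        00:00:00 nginx
system_u:system_r:sshd_t:s0-s0:c0.c1023 1550 ? 00:00:00 sshd'

# module_loaded NAME: reads `semodule -l` output on stdin and succeeds
# only if NAME appears as a module name (first column, exact match).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# unconfined_nginx: reads `ps -eZ` output on stdin and prints "PID TYPE"
# for every nginx process whose SELinux type is one of the generic
# domains of the targeted policy rather than a dedicated one.
unconfined_nginx() {
    awk '$NF == "nginx" {
        split($1, ctx, ":")          # user:role:type:level
        t = ctx[3]
        if (t == "unconfined_t" || t == "unconfined_service_t" || t == "initrc_t")
            print $2, t
    }'
}

# Demo on the constructed samples. On a live host feed the real commands:
#   semodule -l | module_loaded nginx
#   ps -eZ | unconfined_nginx
if printf '%s\n' "$SAMPLE_MODULES" | module_loaded nginx; then
    echo "module nginx: loaded"
else
    echo "module nginx: NOT loaded"
fi
printf '%s\n' "$SAMPLE_PS" | unconfined_nginx | while read -r pid type; do
    echo "nginx pid $pid runs as $type (no dedicated domain)"
done
```

Loading a module does not relabel files that already exist, so a running nginx keeps its old domain until its files are relabelled (for example with restorecon) and the service is restarted.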