為什麼Selinux阻止我的Apache/nginx服務？

SELinux通常因權限問題阻止Apache或Nginx服務，解決方法包括設置文件上下文、允許非標準端口及調整策略。 1. 若更改了默認文檔根目錄導致訪問被拒，需使用chcon和semanage設置正確的SELinux上下文；2. 若使用非標準端口（如8080），需通過semanage添加端口至允許列表；3. 文件上下文錯誤可通過restorecon恢復默認上下文；4. 若SELinux處於強制模式且策略未調優，可臨時禁用以確認問題，並通過audit2allow定制策略模塊優化規則。

SELinux blocks Apache or Nginx services usually because of permission issues — either the web server is trying to access files it's not allowed to, or it's trying to bind to a port that isn't permitted by default. It's not about bugs in your config necessarily — more like SELinux doing its job enforcing policies.

Here are the most common reasons and how to deal with them.

1. Web server can't access custom document root

If you changed the default DocumentRoot in Apache or root directory in Nginx to something other than /var/www/html , SELinux might block access.

• Check if this is the issue :
  Run grep httpd /var/log/audit/audit.log | audit2why (for Apache) or replace httpd with nginx for Nginx. If you see a message like “denied { read }”, that probably means file context issues.

• Fix it :
  You need to set the correct SELinux context on your new directory. For example:

   chcon -t httpd_sys_content_t /path/to/your/webroot

  Or for writable content (like uploads):

   chcon -t httpd_sys_rw_content_t /path/to/upload/dir

  To make this persistent after reboot:

   semanage fcontext -a -t httpd_sys_content_t "/path/to/your/webroot(/.*)?"
  restorecon -Rv /path/to/your/webroot

2. Trying to use a non-standard port

By default, SELinux allows Apache/Nginx to listen only on port 80 and 443. If you configured your server to run on another port (say 8080 or 8000), SELinux will block it.

• How to confirm :
  Again, check the audit log:

   grep nginx /var/log/audit/audit.log | audit2why

  Look for messages about binding to a port being denied.

• How to fix :

  Add the port to the allowed list for the service:

   semanage port -a -t http_port_t -p tcp 8080

  Now restart your service and SELinux won't complain anymore.

3. File permissions and contexts are off

Even if you didn't change the document root, sometimes the files themselves have incorrect SELinux context — especially if they were copied from somewhere else or uploaded via FTP/SFTP.

• Quick check :

  Run:

   ls -Z /var/www/html

  Make sure the context is something like system_u:object_r:httpd_sys_content_t:s0 .

• To fix :

  Restore default context:

   restorecon -v /var/www/html/index.html

  If things were copied in, better to reapply recursively:

   restorecon -Rv /var/www/html/

4. SELinux is in enforcing mode but you haven't tuned policies

Sometimes the issue isn't one specific thing — it's that SELinux is enabled and enforcing, and your service hasn't been fully adapted to run under its rules.

• Temporarily disable enforcement to test :

   setenforce 0

  Then try restarting Apache or Nginx. If it works now, you know SELinux is involved.

⚠️ Don't leave it disabled — just use this to confirm.

• Better approach : Use targeted policy modules or tweak existing ones using audit2allow if you're seeing repeated denials.

SELinux blocking your web server is usually down to file contexts or port restrictions. Once you know where to look, fixing it doesn't take long — basically just setting the right labels or allowing extra ports. Not too bad once you get the hang of it.

以上是為什麼Selinux阻止我的Apache/nginx服務？的詳細內容。更多資訊請關注PHP中文網其他相關文章！