RHEL 5 安装nginx以及配置SELINUX POLICY
1. 安装EPEL，启用RHEL的附加软件包
$ sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-2.noarch.rpm
上面的i386可以替换成x86_64
2. 安装nginx
$ sudo yum install -y nginx
配置信息增加
$ cat /etc/nginx/fastcgi.conf
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

3.安装lighttpd-fastcgi和php-cli以及其它软件包
$ sudo yum install -y lighttpd-fastcgi
4.由于nginx和php-cgi不在SELINUX 的policy里面，为了安全和简单将nginx和php-cgi进程domain设置为httpd_t
$ sudo chcon system_u:object_r:httpd_exec_t /usr/sbin/nginx
$ sudo chcon system_u:object_r:httpd_exec_t /usr/bin/php-cgi
$ sudo chcon -t httpd_config_t -R /etc/nginx
$ sudo chcon -t httpd_cache_t -R /var/lib/nginx
$sudo chcon -t httpd_log_t -R /var/log/nginx
$sudo /usr/sbin/setsebool -P httpd_can_network_connect=1

5.创建phpcgi启动脚本
$ cat /etc/init.d/phpcgi
#!/bin/sh
#
# php-cgi - this script starts and stops the php-cgi daemin
#
# chkconfig: - 85 15
# description: Fast CGI php
# processname: php-cgi
# config: /etc/php.ini
# pidfile: /var/run/php-cgi.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

phpcgi="/usr/bin/php-cgi"
prog=$(basename ${phpcgi})

FCGIPORT="8888"
FCGIADDR="127.0.0.1"
FCGIUSER="apache"
FCGIGROUP="apache"
PHP_FCGI_CHILDREN=5
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS

[ -e /etc/sysconfig/php-cgi ] && . /etc/sysconfig/php-cgi

lockfile=/var/lock/subsys/php-cgi

start() {
echo -n $"Starting $prog: "
/usr/bin/spawn-fcgi -a $FCGIADDR  -p $FCGIPORT -C $PHP_FCGI_CHILDREN -u $FCGIUSER -g $FCGIGROUP -P /var/run/php-cgi.pid -f "${phpcgi}" >> /
dev/null 2>&1
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}

stop() {
echo -n $"Stopping $prog: "
killproc $prog -QUIT
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}

restart() {
stop
start
}

force_reload() {
restart
}

fdr_status() {
status $prog
}

case "$1" in
start|stop|restart)
$1
;;
status)
fdr_status
;;
condrestart|try-restart)
[ ! -f $lockfile ] || restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|try-restart|force-reload}"
exit 2
esac
$ sudo /sbin/chkconfig --add phpcgi
$ sudo /sbin/chkconfig --level 345 phpcgi on
$ sudo /sbin/chkconfig --level 345 nginx on
5.启动
$ sudo /sbin/service phpcgi start
$ sudo /sbin/service nginx start
6.解决audit错误
$ sudo cat /var/log/audit/audit.log| audit2allow -M local
$ sudo /usr/sbin/semodule -i