CentOS 6.0 semanage

This post explains how to use SELinux's semanage tool to fix Apache failing to start after its listening port has been changed. Adding the port to the http port type lets Apache bind to the new port and run normally.


(2012-01-02 13:59:09)

In many cases, when a user changes the Apache port, editing only the port in the configuration file is not enough: the port bind fails. Check the SELinux port configuration with the semanage command. If the command is reported as not found, fix that as follows.

semanage SELinux Command Not Found

Find the package that provides it:

# yum provides /usr/sbin/semanage
or
# yum whatprovides /usr/sbin/semanage

Then install that package:

# yum -y install policycoreutils-python

 

After it is installed, list the ports currently assigned to http types:

# semanage port -l | grep http

Add the new port 81 to the http service type:

# semanage port -a -t http_port_t -p tcp 81

Check the result:

# semanage port -l | grep http

In Fedora Core 5/6 and RHEL 5 it became easier to customize certain common parts of SELinux. In previous releases of SELinux, if you wanted to change simple things like which port a daemon could listen on, you would need to write policy. Now there is the semanage utility.

SELinux assigns types to all network ports on a system. By default, all ports below 1024 are labeled reserved_port_t and all ports above 1024 are labeled port_t. If a port is assigned to a particular type, say the http port 80, it has an assigned type of http_port_t. If you want to look at all the assigned ports in SELinux, you can use the semanage tool: semanage port -l.

So if you executed

semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

Here we see http_port_t is assigned to ports 80, 443, 488, 8008, 8009 and 8443.

The policy contains the rule: allow httpd_t http_port_t:tcp_socket name_bind;

This means that a process running as httpd_t (the apache daemon) can "bind" to any TCP port that is labeled http_port_t, and, since no other rule grants it, to nothing else.

So lets say you want to run httpd on port 81.

So you edit /etc/httpd/conf/httpd.conf

and change this line
Listen 80
to
Listen 81


Now restart the daemon.
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]

Now the daemon fails to start because it cannot bind to port 81.

This generates an AVC denial in the audit log that looks like

----
time->Tue Dec 12 17:37:49 2006
type=SYSCALL msg=audit(1165963069.248:852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf96a830 a2=b5b1e8 a3=9e58b68 items=0 ppid=21133 pid=21134 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

The tcontext shows the cause: port 81 is below 1024 and still carries the default reserved_port_t label, and httpd_t has no name_bind permission on that type. To fix this, use semanage to label the port as http_port_t:

semanage port -a -t http_port_t -p tcp 81

service httpd start
Starting httpd: [ OK ]
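The steps above (read the port listing, read the denial, pick the semanage command) are worth automating when you do them on many hosts, because the right flag depends on what the port is already labeled. The script below is an added example written for this page, not code from the original post: it parses a `semanage port -l` listing and an AVC line and prints the command needed. semanage itself is not executed, so it runs offline; the listing and the AVC line are constructed from the output shown on this page, and the function names (port_type, semanage_fix, avc_port, avc_proto, avc_fix) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): given the output of
# `semanage port -l` and the AVC denial from the audit log, work out which
# semanage command lets httpd_t bind the port. semanage is not run here;
# the listing and the AVC line are constructed from the figures on this page.

SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

SAMPLE_AVC='type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# port_type LISTING PROTO PORT
# Prints the SELinux type that LISTING assigns to PORT/PROTO, or nothing when
# the port is unassigned (it then carries the default reserved_port_t or
# port_t label and does not appear in `semanage port -l`). Ranges such as
# 1024-32767, which newer policies print, are handled as well.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) { print $1; exit }
                if (split(p, r, "-") == 2 && port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
            }
        }'
}

# semanage_fix LISTING TYPE PROTO PORT
# Prints the command that gives PORT/PROTO the type TYPE. An unassigned port
# is added with -a; a port already assigned to another type must be changed
# with -m, because `semanage port -a` refuses a port that is already defined.
semanage_fix() {
    owner=$(port_type "$1" "$3" "$4")
    if [ "$owner" = "$2" ]; then
        echo "already $2"
    elif [ -z "$owner" ]; then
        echo "semanage port -a -t $2 -p $3 $4"
    else
        echo "semanage port -m -t $2 -p $3 $4"
    fi
}

# avc_port AVC_LINE  -> the src= port of a name_bind denial (empty otherwise)
# avc_proto AVC_LINE -> tcp or udp, taken from tclass=tcp_socket / udp_socket
avc_port()  { printf '%s\n' "$1" | sed -n 's/.*avc: *denied *{ name_bind }.*src=\([0-9]*\).*/\1/p'; }
avc_proto() { printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z]*\)_socket.*/\1/p'; }

# avc_fix LISTING TYPE AVC_LINE
# Reads port and protocol out of the denial, then prints the semanage
# command that resolves it for TYPE. Fails on anything but a name_bind denial.
avc_fix() {
    port=$(avc_port "$3"); proto=$(avc_proto "$3")
    if [ -z "$port" ] || [ -z "$proto" ]; then
        echo "not a name_bind denial" >&2
        return 1
    fi
    semanage_fix "$1" "$2" "$proto" "$port"
}

# Demo on the constructed data: port 81 from the page's denial needs -a,
# moving 8080 (currently http_cache_port_t) to http_port_t needs -m, and
# 443 is already http_port_t, so the bind failure must have another cause.
echo "81:   $(avc_fix "$SAMPLE_PORTS" http_port_t "$SAMPLE_AVC")"
echo "8080: $(semanage_fix "$SAMPLE_PORTS" http_port_t tcp 8080)"
echo "443:  $(semanage_fix "$SAMPLE_PORTS" http_port_t tcp 443)"
```

On a real host, feed it `semanage port -l` and the `type=AVC` line from /var/log/audit/audit.log. Two caveats the flag choice encodes: -m moves the port away from its previous type, so any daemon confined to that type (squid on 8080, in the listing above) loses the right to bind it; and a port that already has the wanted type, like 443 here, points to a problem outside SELinux. A local customization made with -a or -m can be reverted with `semanage port -d -t http_port_t -p tcp 81`, and the current state is always confirmed with `semanage port -l | grep http_port_t`.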