Wednesday, 22 January 2014

A weird SELinux problem

I was fiddling with an Apache forward proxy and needed to split the proxy port out on its own. I picked 82 first, just for debugging. Well... as soon as it started it threw a weird error:

    (13)Permission denied: make_sock: could not bind to address [::]:82
    (13)Permission denied: make_sock: could not bind to address 0.0.0.0:82
    no listening sockets available, shutting down

What on earth is this? I've never seen it before. Since I had set this up on another machine only yesterday, I half-doubtfully ran netstat -anp|grep 82, and the result was...

    unix 6 [ ] DGRAM 5827 1871/syslogd /dev/log

OK, I finally remembered that ports below 1024 can't be used freely, so I switched... switching to 8282 should be fine, right? Result...

    (13)Permission denied: make_sock: could not bind to address [::]:8282
    (13)Permission denied: make_sock: could not bind to address 0.0.0.0:8282
    no listening sockets available, shutting down
    (13)Permission denied: make_sock: could not bind to address [::]:32323
    (13)Permission denied: make_sock: could not bind to address 0.0.0.0:32323
    no listening sockets available, shutting down

Holy crap, even a trap shouldn't be this much of a trap! iptables was definitely off, and netstat -anp|grep 32323 and netstat -anp|grep 8282 confirmed that no program was occupying those two ports. With no other option I turned helplessly to almighty Google, and it turned out this machine has SELinux enabled: the port has to be added to the policy, otherwise it won't be allowed through. SELinux is supposedly for hardening the system, but the system is already secure enough, and adding this always feels like Win7 with UAC: a pain. Oh well, I couldn't be bothered to turn it off (turning it off needs a reboot anyway), so let's look up how to use it.

First, list all the http-related port rules with semanage port -l | grep http:

    http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
    http_cache_port_t udp 3130, 11211
    http_port_t tcp 80, 443, 488, 8008, 8009, 8443
    pegasus_http_port_t tcp 5988
    pegasus_https_port_t tcp 5989

So there are also 8008, 8009 and 8443, a few ports I'd never seen before. Never mind, add my own first: run semanage port -a -t http_port_t -p tcp 32323, and Apache comes back to life at full health!~
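Before running that `semanage port -a`, it is worth checking whether the port is already labelled, because a port that is already defined under another type makes `-a` refuse it and needs `-m` instead. The following added example (my own code, not from the post) parses a constructed listing modelled on the `semanage port -l | grep http` output above, handles port ranges such as 10001-10010, and prints the command that is actually needed; the function names `selinux_port_type` and `semanage_action` are my own.

```shell
#!/bin/sh
# Constructed sample modelled on the `semanage port -l | grep http`
# listing in the post; not captured from a live system.
SAMPLE_PORTS='http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989'

# selinux_port_type LISTING PROTO PORT
# Print the SELinux port type that already covers PROTO/PORT in LISTING
# (single ports and ranges such as 10001-10010), or nothing if unlabelled.
selinux_port_type() {
  spt_proto=$2; spt_port=$3
  printf '%s\n' "$1" | while IFS= read -r line; do
    set -- $line                    # $1=type $2=proto $3..=port list
    [ "$2" = "$spt_proto" ] || continue
    spt_type=$1; shift 2
    for entry in "$@"; do
      entry=${entry%,}              # drop the trailing comma
      lo=${entry%%-*}; hi=${entry##*-}
      if [ "$spt_port" -ge "$lo" ] && [ "$spt_port" -le "$hi" ]; then
        printf '%s\n' "$spt_type"
        break 2
      fi
    done
  done
}

# semanage_action LISTING WANTED_TYPE PROTO PORT
# Print the semanage command needed to give PROTO/PORT the wanted type:
# "none" if it is already labelled that way, `-m` (modify) if the port is
# already listed under another type (a plain `-a` is refused as already
# defined), and `-a` if the port is not labelled at all.
semanage_action() {
  have=$(selinux_port_type "$1" "$3" "$4")
  if [ "$have" = "$2" ]; then
    echo none
  elif [ -n "$have" ]; then
    echo "semanage port -m -t $2 -p $3 $4"
  else
    echo "semanage port -a -t $2 -p $3 $4"
  fi
}

# The case from the post: 32323 is unlabelled, so `-a` is the right call.
semanage_action "$SAMPLE_PORTS" http_port_t tcp 32323
```

On a real host, feed the functions the output of `semanage port -l` instead of the sample; the denial itself is recorded as an AVC entry in /var/log/audit/audit.log, which is the quickest way to confirm SELinux rather than iptables is what is blocking the bind.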

Finally, here is a semanage usage reference to study when I have time: http://hi.baidu.com/leowang715/blog/item/021bf91330489545f819b8b2.html