Ovear's Blog

I'am Ovear,Ovear is me.

Theme Refrain made by Eiko

Proudly powered by WordPress

SElinux的奇葩问题

转自:新のBlog(http://xinwo.sinaapp.com/program-can-not-listen-port/)

今天折腾apache正向代理,需要把代理端口单独分离出来。首先选择82,只是调试而已。嗯嗯…启动后就报奇葩错误了:

(13)Permission denied: make_sock: could not bind to address [::]:82
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:82
no listening sockets available, shutting down

这啥奇葩情况?没遇到过啊。因为昨天才在另一台弄来着,半信半疑执行下netstat -anp|grep 82,结果…

unix 6 [ ] DGRAM 5827 1871/syslogd /dev/log

好吧我终于想起了1024以下端口不能随便用,我换…换8282总行了吧?结果…

(13)Permission denied: make_sock: could not bind to address [::]:8282
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8282
no listening sockets available, shutting down
(13)Permission denied: make_sock: could not bind to address [::]:32323
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:32323
no listening sockets available, shutting down

我勒个去,坑爹也不带这么坑的啊!iptables确定关了,再netstat -anp|grep 32323、netstat -anp|grep 8282确定没程序占用这2个端口。只好无助地求助万能的google,结果就是这台机器启用了selinux,需要把端口加进规则里,否则不放行。据说selinux是加固系统用的,系统本来就很安全了加上这个总感觉像win7加了UAC一样蛋疼。没辙,懒得关了,关了还得重启,查查怎么用吧。

首先用semanage port -l | grep http列出全部http相关的端口规则:

http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

好吧原来还有8008、8009、8443这几个没见过的端口,不管了先加上自己的,执行semanage port -a -t http_port_t -p tcp 32323,然后apache满血原地复活!~
感谢这位博主提供命令:http://www.zzxj.net/blog/fxs_2008/archive/2010/07/05/187.html
最后带上semanage的用法,有空学学:http://hi.baidu.com/leowang715/blog/item/021bf91330489545f819b8b2.html

SElinux的奇葩问题有 4 条评论

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注

© 2024 Ovear's Blog All rights reserved.