Sno*_*rex 2 nginx selinux centos7
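Curious what the soundd daemon is. The wiki at http://wiki.centos.org/TipsAndTricks/SelinuxBooleans says it is the "soundd daemon", but I have not found much other information on the Internet.
To get nginx (configured to bind on a unix socket) to start with systemctl, I needed to add a type enforcement rule on httpd_t to soundd_port_t:tcp_socket. More specifically: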
sudo systemctl status nginx.service
fails with the message:
nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
Active: failed (Result: exit-code) since Mon 2015-07-13 19:53:57 EDT; 7s ago
Process: 2699 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: [emerg] bind() to 0.0.0.0:8000 failed (13: Permissi...ied)
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 13 19:53:57 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
Jul 13 19:53:57 localhost.localdomain systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Jul 13 19:53:57 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
Next I do:
sudo cat /var/log/audit/audit.log | audit2allow
and see:
#============= httpd_t ==============
allow httpd_t soundd_port_t:tcp_socket name_bind;
After importing that module, nginx is able to start.
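If you run the following command, you will see that port 8000/tcp is defined in SELinux as soundd_port_t:
# semanage port -l | grep soundd
soundd_port_t                  tcp      8000, 9433, 16001
This does not mean that nginx has anything to do with soundd, only that it is trying to bind to tcp port 8000. I suggest you use the port range reserved for nginx/proxy use, http_cache_port_t:
# semanage port -l | grep http_cache_port_t
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
If you listen on port 8080 instead of 8000, you will not need to rebuild the SELinux policy.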
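
The lookup described in the answer, as an added example that is not part of the original question or answer: it extracts the port and target type from a name_bind denial and resolves a candidate port to its SELinux port type, including ranges such as 10001-10010. The function names `port_type` and `bind_denials` are hypothetical, the port table is copied from the two outputs quoted above, and the AVC record is constructed.

```shell
#!/bin/sh
# Sample `semanage port -l` rows, copied from the two outputs quoted above.
# On a real host, replace this with: PORT_TABLE=$(semanage port -l)
PORT_TABLE='soundd_port_t                  tcp      8000, 9433, 16001
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010'

# port_type PROTO PORT: print every SELinux port type whose list covers PORT,
# including entries written as ranges (e.g. 10001-10010).
port_type() {
    printf '%s\n' "$PORT_TABLE" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # drop the list separator
                n = split(entry, r, "-")      # "10001-10010" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# bind_denials: read audit.log lines on stdin and print "comm port target_type"
# for each name_bind denial, the details audit2allow condenses into one rule.
bind_denials() {
    sed -n 's/.*denied  *{ name_bind }.* comm="\([^"]*\)".* src=\([0-9]*\) .*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2 \3/p'
}

# Constructed AVC record modelled on the denial in the question.
SAMPLE_AVC='type=AVC msg=audit(1436831637.000:100): avc:  denied  { name_bind } for  pid=2699 comm="nginx" src=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket'

printf '%s\n' "$SAMPLE_AVC" | bind_denials      # nginx 8000 soundd_port_t
port_type tcp 8080                              # http_cache_port_t
```

A port for which `port_type` prints nothing is not covered by any row in the table it was given.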