In Fedora Core 5/6 and RHEL 5 we have made it easier to customize certain common parts of SELinux. In previous releases of SELinux, if you wanted to change simple things like which port a daemon could listen on, you needed to write policy. Now we have the semanage utility.
SELinux assigns types to all network ports on a system. By default all ports less than 1024 are labeled reserved_port_t and all ports > 1024 are labeled port_t, unless a port has been assigned to a particular type:
say the http port 80, which has the assigned type http_port_t. If you want to look at all the assigned ports in SELinux, you can use the semanage tool: semanage port -l.
So if you executed
semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Here we see http_port_t is assigned to ports 80, 443, 488, 8008, 8009, 8443.
The policy is written to allow httpd_t http_port_t:tcp_socket name_bind;
This means the apache command can "bind" to a port that is labeled http_port_t.
So let's say you want to run httpd on port 81.
So you edit /etc/httpd/http.conf
and change this line
Listen 80
to
Listen 81
Now restart the daemon.
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]
Now the daemon fails to start because it cannot bind to port 81.
This generates an AVC that looks like:
----
time->Tue Dec 12 17:37:49 2006
type=SYSCALL msg=audit(1165963069.248:852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf96a830 a2=b5b1e8 a3=9e58b68 items=0 ppid=21133 pid=21134 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
To fix this you can use semanage to add the port:
semanage port -a -t http_port_t -p tcp 81
service httpd start
Starting httpd: [ OK ]
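The check you would want to run before editing Listen, as an added example rather than anything from the original post: it parses the semanage port -l listing (a constructed copy of the output above, plus one hypothetical example_port_t range entry, so it runs offline), applies the default labels described above for unlisted ports, and tells you whether a domain that may name_bind only to a given port type will be denied and which semanage command fixes it.

```shell
#!/bin/sh
# Constructed stand-in for 'semanage port -l' output; the example_port_t range line
# is hypothetical and only exercises the "low-high" syntax semanage prints for ranges.
SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
example_port_t                 tcp      7000-7010'

# port_type PROTO PORT: print the SELinux type assigned to PROTO/PORT. Ports not in the
# listing get the defaults the post describes: reserved_port_t below 1024, else port_t.
port_type() {
  proto=$1; port=$2
  found=$(printf '%s\n' "$SAMPLE_PORTS" | awk -v proto="$proto" -v port="$port" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)                      # strip trailing comma
        if (p ~ /-/) {                                # range entry "low-high"
          split(p, r, "-")
          if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
        } else if (p+0 == port+0) { print $1; exit }  # single port entry
      }
    }')
  if [ -n "$found" ]; then printf '%s\n' "$found"
  elif [ "$port" -lt 1024 ]; then echo reserved_port_t
  else echo port_t
  fi
}

# check_bind WANT PROTO PORT: WANT is the port type the daemon's domain is allowed to
# name_bind to (http_port_t for httpd_t). Reports ok, or the denial plus the fix.
# A port that already carries a non-default type must be modified with -m, not added.
check_bind() {
  want=$1; proto=$2; port=$3
  have=$(port_type "$proto" "$port")
  if [ "$have" = "$want" ]; then
    echo "ok: $proto/$port is $want"
  else
    case "$have" in
      reserved_port_t|port_t) op=-a ;;   # unlisted port: add a new assignment
      *)                      op=-m ;;   # listed under another type: modify it
    esac
    echo "denied: $proto/$port is $have; fix: semanage port $op -t $want -p $proto $port"
  fi
}
```

Running check_bind http_port_t tcp 81 reproduces the name_bind denial above and prints the same semanage port -a line the post uses to fix it.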
BTW setroubleshoot reported
Dec 12 17:37:51 localhost setroubleshoot: SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81. For complete SELinux messages. run sealert -l a666076c-b050-4bed-ba88-38bc37681214
And running
sealert -H -l a666076c-b050-4bed-ba88-38bc37681214