Menu

在开启selinux的情况下,如何修改httpd的端口且服务能正常使用

2016 年 10 月 18 日 - 网络技术

 

本次测试将原有httpd的port 80 修改为801

[root@localhost ~]# systemctl restart httpd
Job for httpd.service failed. See ‘systemctl status httpd.service’ and ‘journalctl -xn’ for details.
[root@localhost ~]# systemctl stop httpd
[root@localhost ~]# systemctl start httpd
Job for httpd.service failed. See ‘systemctl status httpd.service’ and ‘journalctl -xn’ for details.
[root@localhost ~]# !v
vim /etc/httpd/conf/httpd.conf

#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 801  修改为801 违返selinux

[root@localhost ~]# semanage port -l |grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000  没有801所以不能接管httpd
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

[root@localhost ~]#systemctl status -l httpd

10月 19 14:46:02 localhost.localdomain httpd[1452]: AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using localhost.localdomain. Set the ‘ServerName’ directive globally to suppress this message
10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:801
10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:801

[root@localhost ~]# journalctl -xn

*****  Plugin catchall (1.49 confidence) suggests

10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:801
10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:801   //不允许801调用本地sock

If you believe that httpd should be allowed name_bin
Then you should report this as a bug.
You can generate a local policy module to allow this
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow
# semodule -i mypol.pp    *********//selinux报错
解决方案

semanage port -a -t http_port_t -p tcp 801  将801加入selinux

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      801, 80, 81, 443, 488, 8008, 8009, 8443, 9000   ///801已加入

[root@localhost ~]# systemctl status httpd.service
httpd.service – The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since 二 2016-10-18 18:18:25 CST; 6min ago      //启动正常
Process: 49005 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 49231 (httpd)
Status: “Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec”
CGroup: /system.slice/httpd.service

[root@localhost ~]# netstat -ntlp |grep http
tcp6       0      0 :::801                  :::*                    LISTEN      49231/httpd

本地测试
[root@localhost ~]# curl http://localhost:801
test1
t2
艇3
dfdfdfdf

外部测试完成

扩展
senamage 端口 增加 类型 [] 协议 TCP/UDP 端口
semanage port -a -t http_port_t -p tcp 801
senamage 端口 修改 类型 [] 协议 TCP/UDP 端口
semanage port -m -t http_port_t -p tcp 801
senamage 端口 删除 类型 [] 协议 TCP/UDP 端口
semanage port -d -t http_port_t -p tcp 801

image