How to change the httpd port with SELinux enabled and keep the service working

Source: original article on this site, Network Technology category


In this test the original httpd port 80 is changed to 801.

[root@localhost ~]# systemctl restart httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[root@localhost ~]# systemctl stop httpd
[root@localhost ~]# systemctl start httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[root@localhost ~]# !v
vim /etc/httpd/conf/httpd.conf

#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 801    # changed to 801; this violates the SELinux port policy

[root@localhost ~]# semanage port -l |grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000  # 801 is not listed, so httpd is not allowed to bind it
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

[root@localhost ~]# systemctl status -l httpd

10月 19 14:46:02 localhost.localdomain httpd[1452]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:801
10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:801

[root@localhost ~]# journalctl -xn

*****  Plugin catchall (1.49 confidence) suggests


10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:801
10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:801   // httpd is not allowed to bind a local socket on port 801

If you believe that httpd should be allowed name_bin
Then you should report this as a bug.
You can generate a local policy module to allow this
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow
# semodule -i mypol.pp    *********// SELinux denial

Solution

semanage port -a -t http_port_t -p tcp 801    # add port 801 to the SELinux http_port_t type

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      801, 80, 81, 443, 488, 8008, 8009, 8443, 9000   /// 801 has been added

[root@localhost ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since 二 2016-10-18 18:18:25 CST; 6min ago      // started normally
Process: 49005 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 49231 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
CGroup: /system.slice/httpd.service

[root@localhost ~]# netstat -ntlp |grep http
tcp6       0      0 :::801                  :::*                    LISTEN      49231/httpd

Local test
[root@localhost ~]# curl http://localhost:801
test1
t2
艇3
dfdfdfdf

External test completed.

Further notes
semanage port: add a port mapping, -t <type> -p <tcp|udp> <port>
semanage port -a -t http_port_t -p tcp 801
semanage port: modify an existing port mapping, -t <type> -p <tcp|udp> <port>
semanage port -m -t http_port_t -p tcp 801
semanage port: delete a port mapping, -t <type> -p <tcp|udp> <port>
semanage port -d -t http_port_t -p tcp 801
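The fix in the Solution section and the three semanage variants above both rely on reading the `semanage port -l` listing correctly, including port ranges such as 10001-10010. The script below is an added example, not part of the original post: it parses a constructed copy of that listing (embedded in SEMANAGE_LISTING, mirroring the post's output), reports whether a port is already covered by a given SELinux port type, and prints the semanage command an administrator would run if it is not. The function names port_has_type and remediation_for are my own; nothing is executed against the running policy.

```shell
#!/bin/bash
# Added example (not from the original post): pre-check whether a port is
# already covered by an SELinux port type before restarting httpd, by
# parsing the listing format produced by `semanage port -l`.
# SEMANAGE_LISTING is a constructed sample that mirrors the post's output;
# on a real host replace it with:  SEMANAGE_LISTING="$(semanage port -l)"
SEMANAGE_LISTING='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_has_type TYPE PROTO PORT
# Returns 0 if PORT is covered by TYPE/PROTO in the listing, either as a
# single value (80) or inside a range (10001-10010); returns 1 otherwise.
port_has_type() {
    local type="$1" proto="$2" port="$3"
    local line field lo hi
    while IFS= read -r line; do
        # word-split the line: $1 = type, $2 = protocol, rest = port list
        set -- $line
        [ "${1:-}" = "$type" ] && [ "${2:-}" = "$proto" ] || continue
        shift 2
        for field in "$@"; do
            field="${field%,}"            # strip the trailing comma
            case "$field" in
                *-*) lo="${field%-*}"; hi="${field#*-}" ;;   # range
                *)   lo="$field";      hi="$field" ;;        # single port
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                return 0
            fi
        done
    done <<EOF
$SEMANAGE_LISTING
EOF
    return 1
}

# remediation_for TYPE PROTO PORT
# Prints the semanage command an administrator would run (it is not
# executed here) and returns 1 when the label is missing, 0 when present.
remediation_for() {
    local type="$1" proto="$2" port="$3"
    if port_has_type "$type" "$proto" "$port"; then
        echo "port $port/$proto is already labelled $type; nothing to do"
        return 0
    fi
    echo "semanage port -a -t $type -p $proto $port"
    return 1
}

# Usage when run directly:  bash check_port.sh http_port_t tcp 801
if [ "$#" -eq 3 ]; then
    remediation_for "$1" "$2" "$3"
fi
```

Running it with `http_port_t tcp 801` against the sample listing prints the same `semanage port -a` command the post uses as its fix; with `443` it reports that the port is already labelled, so no policy change (and no audit2allow module) is needed.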


Article from: CCIE那点事 http://www.jdccie.com/ , all rights reserved. Unless another source is noted, articles on this site are the author's original work; they may be freely cited with attribution, but full reposting is prohibited.
Link to this article: http://www.jdccie.com/?p=3548 (please credit CCIE那点事 when reposting)