好奇 soundd 守护进程是什么。维基百科位于http://wiki.centos.org/TipsAndTricks/SelinuxBooleans 说它是“soundd 守护进程”,但我在互联网上没有找到太多其他信息。
要让 nginx(配置为绑定到 unix 套接字)以 systemctl 启动,我需要在 httpd_t 上将类型强制规则添加到 soundd_port_t:tcp_socket。更具体地说:
sudo systemctl status nginx.service
失败并显示以下消息:
nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
Active: failed (Result: exit-code) since Mon 2015-07-13 19:53:57 EDT; 7s ago
Process: 2699 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: [emerg] bind() to 0.0.0.0:8000 failed (13: Permissi...ied)
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 13 19:53:57 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
Jul 13 19:53:57 localhost.localdomain systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Jul 13 19:53:57 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
接下来我要做的是:
sudo cat /var/log/audit/audit.log | audit2allow
并看到:
#============= httpd_t ==============
allow httpd_t soundd_port_t:tcp_socket name_bind;
导入该模块之后,nginx就可以启动了。
答案1
如果你运行以下命令,你会看到端口 8000/tcp 在 SELinux 中定义为soundd_port_t:
# semanage port -l | grep soundd soundd_port_t tcp 8000, 9433, 16001
这并不意味着 nginx 与 soundd 有任何关系,只是它试图绑定到 tcp 端口 8000。我建议您使用为 nginx/proxy 用途预留的端口范围http_cache_port_t:
# semanage 端口 -l | grep http_cache_port_t http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
如果您监听端口 8080 而不是 8000,则无需重建 SELinux 策略。
答案2
经过几个小时的搜索文章对 CentOS 用户有用
我遵循了整篇文章但我认为解决问题的方法是以下命令:
yum install -y policycoreutils-{python,devel}
ausearch -m avc -se httpd_t | audit2allow -M nginx
semodule -i nginx.pp
usermod -a -G user nginx
chmod g+rx /home/user/
请将用户替换为您的实际用户以授予权限。chmod 命令下的目录也同样适用。