What is the soundd daemon, and why does nginx need that type under SELinux?
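I'm curious what the soundd daemon is. The wiki at http://wiki.centos.org/TipsAndTricks/SelinuxBooleans says it is the "soundd daemon", but I haven't found much other information on the internet.
To get nginx (configured to bind to a unix socket) to start with systemctl, I need to add a type enforcement rule for httpd_t on soundd_port_t:tcp_socket. More specifically: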
sudo systemctl status nginx.service
fails with the following message:
nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
Active: failed (Result: exit-code) since Mon 2015-07-13 19:53:57 EDT; 7s ago
Process: 2699 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: [emerg] bind() to 0.0.0.0:8000 failed (13: Permissi...ied)
Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 13 19:53:57 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
Jul 13 19:53:57 localhost.localdomain systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Jul 13 19:53:57 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
The next thing I did was:
sudo cat /var/log/audit/audit.log | audit2allow
and saw:
#============= httpd_t ==============
allow httpd_t soundd_port_t:tcp_socket name_bind;
After importing that module, nginx could start.
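Answer 1
If you run the following command, you will see that port 8000/tcp is defined in SELinux as soundd_port_t:
# semanage port -l | grep soundd
soundd_port_t tcp 8000, 9433, 16001
This does not mean that nginx has anything to do with soundd, only that it is trying to bind to TCP port 8000. I suggest you use the port range reserved for nginx/proxy use, http_cache_port_t:
# semanage port -l | grep http_cache_port_t
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
If you listen on port 8080 instead of 8000, you do not need to rebuild the SELinux policy.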
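The lookup this answer does by eye, as an added example that is not part of the original answer: a POSIX shell helper that parses `semanage port -l` output, reports which SELinux type owns a port, and checks it against the types the web server domain may bind. The function names and sample rows are constructed here, and treating `http_port_t` and `http_cache_port_t` as the types `httpd_t` may bind is an assumption.

```sh
#!/bin/sh
# Constructed sample in `semanage port -l` format: the two rows quoted in
# the answer above. On a real host, pipe `semanage port -l` in instead.
sample_ports() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
soundd_port_t                  tcp      8000, 9433, 16001
EOF
}

# port_types PROTO PORT: read `semanage port -l` text on stdin and print each
# type whose port list (single ports or lo-hi ranges) contains PORT.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)            # drop the list separator
                n = split(entry, r, "-")        # "10001-10010" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# bindable PROTO PORT TYPE...: succeed if PORT carries one of the listed types.
# The caller supplies the types the daemon's domain is allowed to name_bind.
bindable() {
    proto=$1; port=$2; shift 2
    for t in $(port_types "$proto" "$port"); do
        for ok in "$@"; do
            if [ "$t" = "$ok" ]; then return 0; fi
        done
    done
    return 1
}

# Assumption: httpd_t may name_bind http_port_t and http_cache_port_t.
for p in 8000 8080; do
    if sample_ports | bindable tcp "$p" http_port_t http_cache_port_t; then
        echo "tcp/$p: already labelled for httpd_t, no policy module needed"
    else
        echo "tcp/$p: labelled $(sample_ports | port_types tcp "$p"), bind is denied"
    fi
done
```

Because the `audit2allow` rule in the question is written against the type, it permits `httpd_t` to bind every port listed under `soundd_port_t`, not only 8000.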
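Answer 2
After a few hours of searching, this article was useful for CentOS users.
I followed the whole article, but I think what solved the problem were the following commands: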
yum install -y policycoreutils-{python,devel}
ausearch -m avc -se httpd_t | audit2allow -M nginx
semodule -i nginx.pp
usermod -a -G user nginx
chmod g+rx /home/user/
Replace user with your actual user to grant the permissions. The same applies to the directory in the chmod command.