By default, nginx on CentOS 7 will not start if it is used as an IMAP/POP proxy. This is because of SELinux.
How can I change the SELinux configuration, without disabling its protection, so that nginx behaves as required?
audit.log
type=AVC msg=audit(1429125129.833:2286): avc: denied { name_bind } for pid=26451 comm="nginx" src=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
nginx.conf
mail {
    auth_http unix:/run/nginx-mailauth.sock;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:mail-TLSSL:16m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;
    ssl_certificate /etc/pki/tls/certs/mail.example.com.cer;
    ssl_certificate_key /etc/pki/tls/private/mail.example.com.key;
    ssl_session_ticket_key /etc/pki/tls/private/mail.example.com-session_ticket.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    #For antimony-webmail
    imap_capabilities "IMAP4rev1" "ACL" "BINARY" "CATENATE" "CHILDREN" "CONDSTORE" "ENABLE" "ESEARCH" "ID" "IDLE" "LIST-EXTENDED" "LITERAL+" "MULTIAPPEND" "NAMESPACE";
    server {
        protocol imap;
        listen 143;
        starttls only;
    }
    server {
        protocol imap;
        listen 993;
        ssl on;
    }

    #For antimony-webmail
    pop3_capabilities "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
    server {
        protocol pop3;
        listen 110;
        starttls only;
        pop3_auth plain;
    }
    server {
        protocol pop3;
        listen 995;
        ssl on;
        pop3_auth plain;
    }
}
systemctl
[root@mail ~]# systemctl start nginx
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
[root@mail ~]# systemctl status nginx.service
nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-04-15 12:12:09 PDT; 5s ago
  Process: 26446 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited, status=0/SUCCESS)
  Process: 25373 ExecReload=/bin/kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 26400 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 26451 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
 Main PID: 26402 (code=exited, status=0/SUCCESS)

Apr 15 12:12:09 mail.dev.example.com nginx[26451]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Apr 15 12:12:09 mail.dev.example.com nginx[26451]: nginx: [emerg] bind() to 0.0.0.0:143 failed (13: Permission denied)
Apr 15 12:12:09 mail.dev.example.com nginx[26451]: nginx: configuration file /etc/nginx/nginx.conf test failed
Apr 15 12:12:09 mail.dev.example.com systemd[1]: nginx.service: control process exited, code=exited status=1
Apr 15 12:12:09 mail.dev.example.com systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Apr 15 12:12:09 mail.dev.example.com systemd[1]: Unit nginx.service entered failed state.
Nginx is being prevented from binding to ports labelled pop_port_t by SELinux.
It is possible to change the required ports to a type that nginx can bind to, such as http_port_t.
# for port in {143,993,110,995} ; do semanage port -m -t http_port_t -p tcp $port ; done && semanage port -l -C
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      143, 993, 110, 995
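The answer above uses `semanage port -m` rather than `-a` because 143, 993, 110 and 995 already carry the pop_port_t label on a stock CentOS 7; `-a` refuses to add a port that is already defined. The helper below, an added example that is not part of the question or answer, reads the AVC denial quoted in the question, pulls out the refused port and the target type, and checks a `semanage port -l` style listing to decide whether `-m` or `-a` is needed before printing the command. It never calls semanage itself: the listing is passed in as text, and the sample listing is constructed for the example (it only mimics the default labels).

```shell
#!/bin/sh
# Added example, not from the original Q&A. Derives the `semanage port`
# command for an SELinux name_bind denial without touching the live policy.

# Print the refused port from "src=<port>" in an AVC line.
avc_src_port() {
    printf '%s\n' "$1" | sed -n 's/.*src=\([0-9]*\).*/\1/p'
}

# Print the target type from "tcontext=user:role:<type>:level" (e.g. pop_port_t).
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Print "-m" if tcp/<port> ($1) already appears in the listing ($2), "-a" if
# it does not. Listing lines look like "<type>  tcp  106, 109, 110, 143".
# Port ranges such as "1-1023" are not expanded; exact entries and comma
# lists are enough for the mail ports in the question.
semanage_port_flag() {
    port=$1 listing=$2
    if printf '%s\n' "$listing" | awk -v p="$port" '
        $2 == "tcp" { for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 } }
        END { exit found ? 0 : 1 }'; then
        echo "-m"
    else
        echo "-a"
    fi
}

# Build the full command for one AVC line ($1), one listing ($2) and an
# optional target type ($3, default http_port_t as in the answer).
avc_to_semanage() {
    line=$1 listing=$2 newtype=${3:-http_port_t}
    port=$(avc_src_port "$line")
    [ -n "$port" ] || return 1
    flag=$(semanage_port_flag "$port" "$listing")
    echo "semanage port $flag -t $newtype -p tcp $port"
}

# Constructed sample input: the AVC line is the one quoted in the question;
# the listing is a made-up excerpt in `semanage port -l` format.
SAMPLE_AVC='type=AVC msg=audit(1429125129.833:2286): avc: denied { name_bind } for pid=26451 comm="nginx" src=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket'
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pop_port_t                     tcp      106, 109, 110, 143, 993, 995'

# Stand-alone run: prints "semanage port -m -t http_port_t -p tcp 143".
avc_to_semanage "$SAMPLE_AVC" "$SAMPLE_LISTING"
```

On a real host, feed it `grep name_bind /var/log/audit/audit.log` and the live `semanage port -l` output, and review the printed commands before running them. Note what the relabel does: every port moved to http_port_t becomes bindable by any httpd_t process (Apache included), and a local IMAP/POP server confined to its own domain could no longer bind those ports, so keep the change to the ports nginx actually listens on and re-check `semanage port -l -C` afterwards.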