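What is the soundd daemon, and why does nginx need a type for it under SELinux?

I'm curious what the soundd daemon is. The wiki at http://wiki.centos.org/TipsAndTricks/SelinuxBooleans says it is the "soundd daemon", but I haven't found any more information on the internet.

To get nginx (configured to bind on a unix socket) to start with systemctl, I needed to add a type enforcement rule for httpd_t on soundd_port_t:tcp_socket. More specifically: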

    sudo systemctl status nginx.service

fails with the message:

    nginx.service - The nginx HTTP and reverse proxy server
       Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
       Active: failed (Result: exit-code) since Mon 2015-07-13 19:53:57 EDT; 7s ago
      Process: 2699 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
    Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: [emerg] bind() to 0.0.0.0:8000 failed (13: Permissi...ied)
    Jul 13 19:53:57 localhost.localdomain nginx[2699]: nginx: configuration file /etc/nginx/nginx.conf test failed
    Jul 13 19:53:57 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
    Jul 13 19:53:57 localhost.localdomain systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
    Jul 13 19:53:57 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.

Next I ran:

    sudo cat /var/log/audit/audit.log | audit2allow

and saw:

    #============= httpd_t ==============
    allow httpd_t soundd_port_t:tcp_socket name_bind;

After importing this module, nginx was able to start.

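If you run the following command, you will see that port 8000/tcp is defined in SELinux as soundd_port_t:

    # semanage port -l | grep soundd
    soundd_port_t tcp 8000,9433,16001

This does not mean that nginx has anything to do with soundd, only that it is trying to bind to TCP port 8000. I suggest you use a port from the range used by nginx/proxies, http_cache_port_t: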

    # semanage port -l | grep http_cache_port_t
    http_cache_port_t tcp 8080,8118,8123,10001-10010

If you listen on port 8080 instead of 8000, you will not have to rebuild the SELinux policy.
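The lookup in the answer above, generalized so it also matches ports that fall inside a range such as 10001-10010. This is an added example, not part of the original question or answer. The function name `port_type` and the `SAMPLE` variable are hypothetical, and the sample rows are the two `semanage port -l` lines quoted on this page.

```shell
#!/bin/sh
# Constructed sample: the two `semanage port -l` rows quoted on this page.
# On a live system, run: semanage port -l | port_type tcp 8000
SAMPLE='soundd_port_t tcp 8000,9433,16001
http_cache_port_t tcp 8080,8118,8123,10001-10010'

# port_type PROTO PORT  (hypothetical helper, not an SELinux tool)
# Reads `semanage port -l` rows on stdin and prints every SELinux port type
# whose port list or range covers PORT for PROTO. Empty output means the
# port has no specific label in the rows supplied.
port_type() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            # Re-join fields 3..NF so "8080, 8118" and "8080,8118" parse alike.
            list = ""
            for (i = 3; i <= NF; i++) list = list $i
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                if (items[i] == "") continue
                lo = hi = items[i]
                # A range such as 10001-10010 covers both endpoints.
                if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }'
}

# Port 8000 is labelled for soundd, which is why the bind by httpd_t was
# denied; 8080 and 10005 already carry the label the answer recommends.
for p in 8000 8080 10005; do
    printf '%s/tcp -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE" | port_type tcp "$p")"
done
```

Checking the label before choosing a listen port avoids loading an audit2allow module that lets httpd_t bind every port labelled soundd_port_t.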