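Solving the "permission denied make_sock could not bind to address 81" problem
While setting up a squid reverse proxy in front of the system's httpd, I changed Apache's default port from 80 to 81 and ran into the problem above; a look at the logs showed it was SELinux again.
Fixing this is simple: run setsebool -P httpd_disable_trans 1. This has one precondition: the SELinux type must be targeted, which you can check with cat /etc/selinux/config|grep SELINUXTYPE.
Of course, you can also simply disable SELinux altogether, though that is rather crude: edit /etc/selinux/config, find SELINUX=enforcing, change it to SELINUX=disabled, and reboot. Alternatively, run setenforce 0, which does not require a reboot.
The following is reposted: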
I want my apache daemon to listen on a different port but SELinux is preventing it, What do I do?
In Fedora Core 5/6 and RHEL 5, we have made it easier to customize certain common parts of SELinux. In previous releases of SELinux if you wanted to change simple things like which port a daemon could listen to, you would need to write policy. Now we have the semanage utility.
SELinux assigns types to all network ports on a system. By default all ports less than 1024 are labeled reserved_port_t and all ports > 1024 are labeled port_t. If a port is assigned to a particular type, say the http port 80, it has an assigned type of http_port_t. If you want to look at all the assigned ports in SELinux, you can use the semanage tool, semanage port -l.
So if you executed
semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Here we see http_port_t is assigned to ports 80, 443, 488, 8008, 8009, 8443
The policy is written to allow httpd_t http_port_t:tcp_socket name_bind;
This means the apache command can "bind" to a port that is labeled http_port_t.
So let's say you want to run httpd on port 81.
So you edit /etc/httpd/http.conf
and change this line
Listen 80
to
Listen 81
Now restart the daemon.
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]
Now the daemon fails to start because it can not bind to port 81.
This generates an AVC that looks like
----
time->Tue Dec 12 17:37:49 2006
type=SYSCALL msg=audit(1165963069.248:852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf96a830 a2=b5b1e8 a3=9e58b68 items=0 ppid=21133 pid=21134 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
To fix this you can use semanage to add the port
semanage port -a -t http_port_t -p tcp 81
service httpd start
Starting httpd: [ OK ]
(13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
Check the http-related ports under SELinux with semanage port -l|grep http. The result:
http_cache_port_t tcp 3128, 8080, 8118, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Just use one of the lines from the examples at the end of man semanage:
# Allow Apache to listen on port 81
semanage port -a -t http_port_t -p tcp 81
Then run apachectl start again, and it works. The site can now be reached at domain:81.
Note: semanage
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes(hosts) as well as the file context mapping. See the EXAMPLES section below for some examples of common usage. Note that the semanage login command deals with the mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the former mapping needs to be adjusted by the administrator; the latter is principally defined by the base policy and usually does not require modification.
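Added example, not part of the original post or the reposted article: shell functions that read name_bind AVC denials like the one shown above and, given the text of semanage port -l, print the semanage port command that labels the denied port with the wanted type. The function names are hypothetical, and the sample data is copied from the listings on this page.

```shell
# Added example; function names are hypothetical, sample data is from this page.
SAMPLE_AVC='type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'
SAMPLE_PORTS='http_cache_port_t tcp 3128, 8080, 8118, 10001-10010
http_port_t tcp 80, 443, 488, 8008, 8009, 8443'

# Print "comm proto port source_type target_type" per name_bind denial on stdin.
bind_denials() {
  awk '/type=AVC/ && /denied/ && /name_bind/ {
    comm = proto = port = st = tt = ""
    for (i = 1; i <= NF; i++) {
      if (split($i, kv, "=") < 2) continue
      if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
      else if (kv[1] == "src") port = kv[2]
      else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
      else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
      else if (kv[1] == "tclass") { proto = kv[2]; sub(/_socket$/, "", proto) }
    }
    print comm, proto, port, st, tt
  }'
}

# Exit 0 if PORT/PROTO is listed under TYPE in `semanage port -l` text on stdin.
# Handles comma-separated entries and ranges such as 10001-10010.
port_in_type() {  # usage: port_in_type TYPE PROTO PORT < listing
  awk -v t="$1" -v p="$2" -v port="$3" '
    $1 == t && $2 == p {
      for (i = 3; i <= NF; i++) {
        item = $i; sub(/,$/, "", item)
        n = split(item, r, "-")
        lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (port + 0 >= lo && port + 0 <= hi) found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# For each denial on stdin, print the semanage command that labels the denied
# port as WANTED_TYPE, unless the listing already has the port under that type.
suggest_fix() {  # usage: suggest_fix WANTED_TYPE "$(semanage port -l)" < audit.log
  bind_denials | while read -r comm proto port st tt; do
    if printf '%s\n' "$2" | port_in_type "$1" "$proto" "$port"; then
      echo "# $comm $proto/$port is already $1; look for a different cause"
    else
      echo "semanage port -a -t $1 -p $proto $port  # $st was denied name_bind on $tt"
    fi
  done
}

printf '%s\n' "$SAMPLE_AVC" | suggest_fix http_port_t "$SAMPLE_PORTS"
```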