Changing HTTP port 80 on Linux: how to change the httpd port with SELinux enabled and keep the service working...

In this test, httpd's original port 80 is changed to 801.

[root@localhost ~]# systemctl restart httpd

Job for httpd.service failed. See ‘systemctl status httpd.service’ and ‘journalctl -xn’ for details.

[root@localhost ~]# systemctl stop httpd

[root@localhost ~]# systemctl start httpd

Job for httpd.service failed. See ‘systemctl status httpd.service’ and ‘journalctl -xn’ for details.

[root@localhost ~]# !v

vim /etc/httpd/conf/httpd.conf

#

# Change this to Listen on specific IP addresses as shown below to

# prevent Apache from glomming onto all bound IP addresses.

#

#Listen 12.34.56.78:80

Listen 801  (changed to 801; this violates the SELinux policy)

[root@localhost ~]# semanage port -l |grep http

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010

http_cache_port_t              udp      3130

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000  (801 is not listed, so httpd is not allowed to use it)

pegasus_http_port_t            tcp      5988

pegasus_https_port_t           tcp      5989

[root@localhost ~]# systemctl status -l httpd

10月 19 14:46:02 localhost.localdomain httpd[1452]: AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using localhost.localdomain. Set the ‘ServerName’ directive globally to suppress this message

10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:801

10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:801

[root@localhost ~]# journalctl -xn

*****  Plugin catchall (1.49 confidence) suggests

10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:801

10月 19 14:46:02 localhost.localdomain httpd[1452]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:801   // port 801 is not allowed to bind a local socket

If you believe that httpd should be allowed name_bin

Then you should report this as a bug.

You can generate a local policy module to allow this

Do

allow this access for now by executing:

# grep httpd /var/log/audit/audit.log | audit2allow

# semodule -i mypol.pp    *********// SELinux error report

Solution

semanage port -a -t http_port_t -p tcp 801  (adds 801 to the SELinux policy)

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010

http_cache_port_t              udp      3130

http_port_t                    tcp      801, 80, 81, 443, 488, 8008, 8009, 8443, 9000   // 801 has been added

[root@localhost ~]# systemctl status httpd.service

httpd.service – The Apache HTTP Server

Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)

Active: active (running) since 二 2016-10-18 18:18:25 CST; 6min ago      // started normally

Process: 49005 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)

Main PID: 49231 (httpd)

Status: “Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec”

CGroup: /system.slice/httpd.service

[root@localhost ~]# netstat -ntlp |grep http

tcp6       0      0 :::801                  :::*                    LISTEN      49231/httpd

Local test

[root@localhost ~]# curl http://localhost:801

test1

t2

艇3

dfdfdfdf

External test completed

Further notes

semanage port: add (-a), type (-t) [], protocol (-p) TCP/UDP, port

semanage port -a -t http_port_t -p tcp 801

semanage port: modify (-m), type (-t) [], protocol (-p) TCP/UDP, port

semanage port -m -t http_port_t -p tcp 801

semanage port: delete (-d), type (-t) [], protocol (-p) TCP/UDP, port

semanage port -d -t http_port_t -p tcp 801
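
Choosing between -a and -m from the `semanage port -l` listing, as an added example that is not part of the original post. The function names plan_port_label and sample_listing are hypothetical, the sample listing is constructed from the output shown above, and the script assumes semanage refuses -a only when that exact port is already defined under some type (in which case -m is needed). It only prints the command and never runs semanage.

```sh
#!/bin/sh
# usage: semanage port -l | plan_port_label TYPE PROTO PORT
# Prints the semanage command needed so PORT/PROTO carries TYPE,
# or prints nothing when the port is already labelled with TYPE.
plan_port_label() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $2 == proto {
            # Fields 3..NF are ports or lo-hi ranges, separated by ", ".
            for (i = 3; i <= NF; i++) {
                tok = $i; sub(/,$/, "", tok)
                if (tok ~ /^[0-9]+$/ && tok + 0 == port + 0) {
                    exact = $1            # exact entry: remember its owner type
                } else if (tok ~ /^[0-9]+-[0-9]+$/ && $1 == type) {
                    split(tok, r, "-")    # range owned by the wanted type
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) in_range = 1
                }
            }
        }
        END {
            if (exact != "" && exact != type)
                # Assumption: -a fails with "already defined" here, so modify.
                printf "semanage port -m -t %s -p %s %s\n", type, proto, port
            else if (exact == "" && !in_range)
                printf "semanage port -a -t %s -p %s %s\n", type, proto, port
        }'
}

# Constructed sample: the listing from this page before port 801 was added.
sample_listing() {
    cat <<'EOF'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
EOF
}

# Demo: port 801 is in no type, so the plan is the -a command used above.
sample_listing | plan_port_label http_port_t tcp 801
```

On a real host, feed it the live listing: `semanage port -l | plan_port_label http_port_t tcp 801`.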
