php-fpm error unable to bind listening socket for

2015/08/26 15:44
阅读数 1.2K

0 down vote

SELinux can be configured to stop programs from opening ports, even ports above 1024. This can be a useful protection against malware.

If SELinux is enabled (which you can check by running getenforce - if the respons is Enforced, that means that SELinux is active), there are two ways of fixing the problem.

First, the easy way. This one is to simply disable SELinux. The downside is that your server is now far more vulnerable to compromise/hacking/attacks. If you do choose to make your server less secure, you can run the command setenforce 0. You will also need to change the configuration to stop it from being reactivated after restart; this is done by editing the file /etc/selinux/config and changing the line




Second, the secure way . This is to change your selinux configuration to allow this port to be opened. Since SELinux is a very complicated thing - as it must be, to do what it does - it takes a bit of work. There is one shortcut, though, which is to let SELinux itself figure out what new permissions it needs to allow.

In order to do this, you start by setting SELinux to permissive instead of disabled. This means that SELinux won't be enforcing its rules, but it will log the information about everything that it would have stopped if it had been enforcing them. Once you've had your application running, you can pass the contents of the log to audit2allow which will help you create the rules you need:

grep php-fpm /var/log/audit/audit.log | audit2allow -m phpfpm > phpfpmlocal.tmp

You should look in the file phpfpmlocal.tmp to verify that the permissions look OK. Once you've done so, and made any edits that seem reasonable to you, re-run audit2allow again to build the module, and semodule to load it

grep php-fpm /var/log/audit/audit.log | audit2allow -M phpfpmlocal

semodule -i phpfmlocal.pp 

Once the new module is loaded, you can turn enforcement back on.

0 收藏
0 评论
0 收藏