
What must I modify so that SELinux allows nginx to act as an IMAP/POP3 proxy?

Published: 2020-12-13 21:15:26 Category: Nginx Source: compiled from the web

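By default, nginx under CentOS 7 will not start if it is used as an IMAP/POP proxy. This is because of SELinux.

How do I change SELinux's configuration, without disabling its protection, to allow nginx to run as required?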

audit.log

type=AVC msg=audit(1429125129.833:2286): avc:  denied  { name_bind } for  pid=26451 comm="nginx" src=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket

nginx.conf

mail {
        auth_http                       unix:/run/nginx-mailauth.sock;
        ssl_prefer_server_ciphers       on;
        ssl_session_cache               shared:mail-TLSSL:16m;
        ssl_session_timeout             10m;
        ssl_session_tickets             on;
        ssl_certificate                 /etc/pki/tls/certs/mail.example.com.cer;
        ssl_certificate_key             /etc/pki/tls/private/mail.example.com.key;
        ssl_session_ticket_key          /etc/pki/tls/private/mail.example.com-session_ticket.key;
        ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;

        #For antimony-webmail
        imap_capabilities               "IMAP4rev1" "ACL" "BINARY" "CATENATE" "CHILDREN" "CONDSTORE" "ENABLE" "ESEARCH" "ID" "IDLE" "LIST-EXTENDED" "LITERAL+" "MULTIAPPEND" "NAMESPACE" 
        server {
                protocol        imap;
                listen          143;
                starttls        only;
        }
        server {
                protocol        imap;
                listen          993;
                ssl             on;
        }

        #For antimony-webmail
        pop3_capabilities       "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
        server {
                protocol        pop3;
                listen          110;
                starttls        only;
                pop3_auth       plain;
        }
        server {
                protocol        pop3;
                listen          995;
                ssl             on;
                pop3_auth       plain;
        }
}

systemctl

[root@mail ~]# systemctl start nginx
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
[root@mail ~]# systemctl status nginx.service
nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-04-15 12:12:09 PDT; 5s ago
  Process: 26446 ExecStop=/bin/kill -s QUIT $MAINPID (code=exited,status=0/SUCCESS)
  Process: 25373 ExecReload=/bin/kill -s HUP $MAINPID (code=exited,status=0/SUCCESS)
  Process: 26400 ExecStart=/usr/sbin/nginx (code=exited,status=0/SUCCESS)
  Process: 26451 ExecStartPre=/usr/sbin/nginx -t (code=exited,status=1/FAILURE)
 Main PID: 26402 (code=exited,status=0/SUCCESS)

Apr 15 12:12:09 mail.dev.example.com nginx[26451]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Apr 15 12:12:09 mail.dev.example.com nginx[26451]: nginx: [emerg] bind() to 0.0.0.0:143 failed (13: Permission denied)
Apr 15 12:12:09 mail.dev.example.com nginx[26451]: nginx: configuration file /etc/nginx/nginx.conf test failed
Apr 15 12:12:09 mail.dev.example.com systemd[1]: nginx.service: control process exited,code=exited status=1
Apr 15 12:12:09 mail.dev.example.com systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Apr 15 12:12:09 mail.dev.example.com systemd[1]: Unit nginx.service entered failed state.
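
Best answer

Nginx is being prevented from binding to the SELinux pop_port_t ports.

One possibility is to change the required ports to a type that nginx can bind to, e.g. http_port_t.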

# for port in {143,993,110,995} ; do semanage port -m -t http_port_t -p tcp $port ; done && semanage port -l -C
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      143,995
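
An added example, not part of the original question or answer: a small Python parser for AVC records like the one in audit.log above, grouping name_bind denials by process, source domain and port type so the exact ports and labels involved can be read off before any label is changed. The first sample line is the denial from the question; the remaining sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line: the denial quoted in the question. Remaining lines: constructed samples.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1429125129.833:2286): avc:  denied  { name_bind } for  pid=26451 comm="nginx" src=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1429125130.101:2290): avc:  denied  { name_bind } for  pid=26460 comm="nginx" src=993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1429125131.002:2291): avc:  denied  { getattr } for  pid=26470 comm="nginx" path="/srv/example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1429125131.002:2291): arch=c000003e syscall=49 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other record."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    for key in ("scontext", "tcontext"):
        fields[key + "_type"] = fields[key].split(":")[2]
    return fields


def bind_denials(log_text):
    """Map (comm, source type, port type, class) -> sorted list of denied ports."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "name_bind" in rec["perms"] and "src" in rec:
            key = (rec["comm"], rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            grouped[key].add(int(rec["src"]))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (comm, src_t, port_t, cls), ports in bind_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{comm} ({src_t}) denied name_bind on {cls} ports {ports} labelled {port_t}")
```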

(Editor: 李大同)
