1. Error message
[root@Tang ~]# systemctl start haproxy
[root@Tang ~]# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2019-11-07 15:02:48 CST; 1s ago
Process: 2134 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 2134 (code=exited, status=1/FAILURE)
Nov 07 15:02:48 Tang systemd[1]: Started HAProxy Load Balancer.
Nov 07 15:02:48 Tang haproxy-systemd-wrapper[2134]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/hap...id -Ds
Nov 07 15:02:48 Tang haproxy-systemd-wrapper[2134]: [ALERT] 310/150248 (2140) : Starting proxy stats: cannot bind socket [0....:7777]
Nov 07 15:02:48 Tang haproxy-systemd-wrapper[2134]: haproxy-systemd-wrapper: exit, haproxy RC=1
Nov 07 15:02:48 Tang systemd[1]: haproxy.service: main process exited, code=exited, status=1/FAILURE
Nov 07 15:02:48 Tang systemd[1]: Unit haproxy.service entered failed state.
Nov 07 15:02:48 Tang systemd[1]: haproxy.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
2. Configuration file and syntax check
[root@Tang ~]# vim /etc/haproxy/haproxy.cfg
listen stats
    bind *:7777
    stats enable
    stats uri /tang?status
    stats realm HAPorxy\ Stats\ Page
    stats auth tang:tang
    stats admin if TRUE
frontend web
    bind *:80
    default_backend websrvs
backend websrvs
    balance roundrobin
    server srv1 172.16.141.209:80 weight 1 check
    server srv2 172.16.141.209:8080 weight 1 check
[root@Tang ~]# haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
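3. Fix
The configuration file is valid, so the bind failure comes from SELinux policy rather than from HAProxy itself. Set the haproxy_connect_any boolean with setsebool; once it is set, HAProxy starts and listens on the configured ports.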
[root@Tang ~]# setsebool -P haproxy_connect_any=1
[root@Tang ~]# systemctl start haproxy
[root@Tang ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:7777 *:*
LISTEN 0 25 *:514 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 25 :::514 :::*
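To confirm that SELinux is what blocked the bind before changing a boolean, the audit log can be checked for name_bind denials against the haproxy_t domain. The script below is an added example, not part of the original post: the audit lines are constructed samples, the function names are hypothetical, and the printed semanage command assumes http_port_t is a port type that haproxy_t may bind; it labels only the denied port instead of enabling haproxy_connect_any for all ports.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log (not from the original post).
SAMPLE_AUDIT='type=AVC msg=audit(1573110168.101:412): avc:  denied  { name_bind } for  pid=2140 comm="haproxy" src=7777 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1573110168.350:413): avc:  denied  { name_connect } for  pid=2140 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1573110200.007:420): avc:  denied  { name_bind } for  pid=2301 comm="httpd" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1573110300.900:431): avc:  denied  { name_bind } for  pid=2140 comm="haproxy" src=7777 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Read audit log text on stdin and print, one per line, each local port that
# SELinux refused to let the haproxy_t domain bind (name_bind denials only).
# Denials for other domains or other permissions are ignored; repeats collapse.
haproxy_denied_bind_ports() {
    awk '
        /avc: +denied/ && /[{ ]name_bind[ }]/ && /scontext=[^ ]*:haproxy_t:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=[0-9]+$/) { sub(/^src=/, "", $i); print $i }
        }' | sort -nu
}

# Print (do not run) a per-port remediation for each denied port.
# Assumption: http_port_t is a type the local policy allows haproxy_t to bind.
suggest_port_labels() {
    haproxy_denied_bind_ports | while read -r port; do
        printf 'semanage port -a -t http_port_t -p tcp %s\n' "$port"
    done
}

# Demo on the constructed sample; on a host, feed /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AUDIT" | suggest_port_labels
```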
4. Examples of setting policy booleans with setsebool
The setsebool command changes the boolean values of the rules in the SELinux policy. setsebool and getsebool are the pair of tools for modifying and querying SELinux booleans. The commands for managing SELinux policy and rules are seinfo, sesearch, getsebool, setsebool and semanage. The examples below show how setsebool is used.
### setsebool sets a policy boolean to enable or disable a policy rule ###
## setsebool -P allow_ftpd_anon_write=1 # allow anonymous ftpd users to write
## setsebool -P ftp_home_dir 1 # allow users to access their own home directory
## setsebool -P ftpd_is_daemon 1 # allow ftpd to run as a daemon
## setsebool -P ftpd_disable_trans 1 # turn off SELinux protection for ftpd
## setsebool -P allow_httpd_anon_write=1 # allow anonymous httpd users to write
## setsebool -P allow_httpd_sys_script_anon_write=1 # same as above
## setsebool -P httpd_enable_cgi 1 # allow httpd to execute CGI
## setsebool -P httpd_enable_homedirs 1 # allow access to users' home directories
## setsebool -P httpd_tty_comm 1 # allow httpd to control the terminal
## setsebool -P httpd_unified 0 # keep httpd parts independent of each other
## setsebool -P httpd_builtin_scripting 0 # run in the same environment as httpd
## setsebool -P httpd_can_network_connect 1 # httpd can connect to the network
## setsebool -P httpd_suexec_disable_trans 1 # disable the suexec transition
## setsebool -P httpd_disable_trans 1 # allow the daemon user to start httpd
## setsebool -P named_write_master_zones 1 # allow modifying the DNS master zone files
## setsebool -P named_disable_trans 1 # allow the daemon to start named
## setsebool -P nfs_export_all_ro 1 # NFS read-only
## setsebool -P nfs_export_all_rw 1 # NFS read-write
## setsebool -P use_nfs_home_dirs 1 # allow this host to access home directories on remote NFS
## setsebool -P allow_smbd_anon_write=1 # allow anonymous Samba users to write
## setsebool -P samba_enable_home_dirs 1 # allow access to home directories
## setsebool -P use_samba_home_dirs 1 # allow this host to access home directories on remote Samba
## setsebool -P smbd_disable_trans 1 # allow the daemon to start samba
## setsebool -P allow_rsync_anon_write=1 # allow anonymous users to write
## setsebool -P rsync_disable_trans 1 # allow the daemon to start rsync