1、报错提示
[root@Tang ~]# systemctl start haproxy
[root@Tang ~]# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2019-11-07 15:02:48 CST; 1s ago
Process: 2134 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 2134 (code=exited, status=1/FAILURE)
Nov 07 15:02:48 Tang systemd[1]: Started HAProxy Load Balancer.
Nov 07 15:02:48 Tang haproxy-systemd-wrapper[2134]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/hap...id -Ds
Nov 07 15:02:48 Tang haproxy-systemd-wrapper[2134]: [ALERT] 310/150248 (2140) : Starting proxy stats: cannot bind socket [0....:7777]
Nov 07 15:02:48 Tang haproxy-systemd-wrapper[2134]: haproxy-systemd-wrapper: exit, haproxy RC=1
Nov 07 15:02:48 Tang systemd[1]: haproxy.service: main process exited, code=exited, status=1/FAILURE
Nov 07 15:02:48 Tang systemd[1]: Unit haproxy.service entered failed state.
Nov 07 15:02:48 Tang systemd[1]: haproxy.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
2、配置文件及语法检查
[root@Tang ~]# vim /etc/haproxy/haproxy.cfg
listen stats
bind *:7777
stats enable
stats uri /tang?status
stats realm HAPorxy\ Stats\ Page
stats auth tang:tang
stats admin if TRUE
frontend web
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.141.209:80 weight 1 check
server srv2 172.16.141.209:8080 weight 1 check
[root@Tang ~]# haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
3、处理办法
进行 setsebool 设置,设置后,可成功启动相应端口。
[root@Tang ~]# setsebool -P haproxy_connect_any=1
[root@Tang ~]# systemctl start haproxy
[root@Tang ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:7777 *:*
LISTEN 0 25 *:514 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 25 :::514 :::*
4、setsebool 设置 Policy 的布尔值相关示例
setsebool 命令是用来修改 SElinux 策略内各项规则的布尔值。setsebool 命令和 getsebool 命令是 SELinux 修改和查询布尔值的一套工具组。SELinux 的策略与规则管理相关命令:seinfo 命令、sesearch 命令、getsebool 命令、setsebool 命令、semanage 命令。下面让我们详细讲解一下 setsebool 命令的使用方法。
### setsebool设置Policy的布尔值,以启用或停用某项Policy ###
## setsebool -P allow_ftpd_anon_write=1 # 允许ftpd匿名用户可写
## setsebool -P ftp_home_dir 1 # 允许用户访问自己的根目录
## setsebool -P ftpd_is_daemon 1 # 允许daemon运行ftpd
## setsebool -P ftpd_disable_trans 1 # 关闭SELINUX对ftpd的保护
## setsebool -P allow_httpd_anon_write=1 # 允许httpd匿名用户可写
## setsebool -P allow_httpd_sys__anon_write=1 # 同上
## setsebool -P httpd_enable_cgi 1 # httpd被设置允许cgi被执行
## setsebool -P httpd_enable_homedirs 1 # 允许访问用户的根目录
## setsebool -P httpd_tty_comm 1 # 允许httpd控制终端
## setsebool -P httpd_unified 0 # httpd之间相互独立
## setsebool -P httpd_builtin_ing 0 # 同httpd环境一样运行
## setsebool -P httpd_can_network_connect 1 # httpd可以连接到网络
## setsebool -P httpd_suexec_disable_trans 1 # 禁用suexec过度
## setsebool -P httpd_disable_trans 1 # 允许daemon用户启动httpd
## setsebool -P named_write_master_zones 1 # 允许修改dns的主zone文件
## setsebool -P named_disable_trans 1 # 允许daemon启动named
## setsebool -P nfs_export_all_ro 1 # nfs只读
## setsebool -P nfs_export_all_rw 1 # nfs可读写
## setsebool -P use_nfs_home_dirs 1 # 允许本机访问远程nfs的根目录
## setsebool -P allow_smbd_anon_write=1 # samba允许匿名用户可写
## setsebool -P samba_enable_home_dirs 1 # 允许根目录访问
## setsebool -P use_samba_home_dirs 1 # 允许本机访问远程samba根目录
## setsebool -P smbd_disable_trans 1 # 允许daemon启动samba
## setsebool -P allow_rsync_anon_write=1 # 允许匿名用户可写
## setsebool -P rsync_disable_trans 1 # 允许daemon启动rsync
