SELinux导致的ssh服务无法绑定端口的问题

2019年6月19日21:43:13Linux评论553字数 378阅读1分15秒阅读模式

修改ssh端口后使用systemctl一直无法启动sshd，报错：

Job for sshd.service invalid.

1	Job for sshd.service invalid.

使用journalctl -xe查看错误信息，发现一串没有权限绑定端口错误信息：

-- Unit sshd.service has begun starting up.
Jun 04 18:58:11 instance-1 sshd[20960]: error: Bind to port 22345 on 0.0.0.0 failed: Permission denied.
Jun 04 18:58:11 instance-1 sshd[20960]: error: Bind to port 22345 on :: failed: Permission denied.
Jun 04 18:58:11 instance-1 sshd[20960]: fatal: Cannot bind any address.
Jun 04 18:58:11 instance-1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Jun 04 18:58:11 instance-1 systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed

-- Unit sshd.service has begun starting up.

Jun 04 18:58:11 instance-1 sshd[20960]: error: Bind to port 22345 on 0.0.0.0 failed: Permission denied.

Jun 04 18:58:11 instance-1 sshd[20960]: error: Bind to port 22345 on :: failed: Permission denied.

Jun 04 18:58:11 instance-1 sshd[20960]: fatal: Cannot bind any address.

Jun 04 18:58:11 instance-1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a

Jun 04 18:58:11 instance-1 systemd[1]: Failed to start OpenSSH server daemon.

-- Subject: Unit sshd.service has failed

很奇怪，服务是使用root身份启动的，端口号也不在1-1024之间，不可能出现端口号无法绑定的问题。

开始怀疑是不是端口号被占用了，但是用netstat命令查看并没有占用，而且如果被占用报错也应该是xx already been used，因此排除端口被占用了。

后来发现是开启了SELinux导致的，使用sestatus查看SELinux当前的状态：

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31