[openstack-dev] [devstack][keystone] (98)Address already in use: make_sock: could not bind to address [::]:5000 & 0.0.0.0:5000

Ryan Hallisey rhallise at redhat.com
Thu Jul 17 15:41:11 UTC 2014


Hi,

You can handle this one of two ways.

1)
semanage port -m -t <the new label you choose> -p tcp 5000

Which will relabel port 5000 as whatever you choose.

2)
Or you could allow <the label you choose> to bind to commplex_main_port_t

allow <your label> commplex_main_port_t:tcp_socket name_bind;

This will allow <your label> to connect to any port labeled commplex_main_port_t. 

Sincerely,
Ryan

----- Original Message -----
From: "Ray Chen" <chenrano2002 at gmail.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Sent: Thursday, July 17, 2014 10:57:41 AM
Subject: Re: [openstack-dev] [devstack][keystone] (98)Address already in use: make_sock: could not bind to address [::]:5000 & 0.0.0.0:5000

Try disabling the SELinux module. I can set up a devstack env on my Fedora machine with SELinux disabled.

On my Fedora machine, SELinux is disabled, and port 5000 looks like it is still used by SELinux:
[ray at fedora devstack]$ sudo semanage port -l|grep 5000 
cluster_port_t tcp 5149, 40040, 50006-50008 
cluster_port_t udp 5149, 50006-50008 
commplex_main_port_t tcp 5000 
commplex_main_port_t udp 5000 

[ray at fedora devstack]$ netstat -anp | grep 5000 

tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 6171/python 
[ray at fedora devstack]$ ps -ef | grep python 
ray 6171 5695 0 21:34 pts/3 00:00:07 python /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --debug 




On Thu, Jul 17, 2014 at 10:23 PM, Rich Megginson < rmeggins at redhat.com > wrote: 



On 07/16/2014 10:40 PM, Joe Jiang wrote: 



Hi all, 
Thanks for your responses.

I tried running # sudo semanage port -l|grep 5000 in my environment and got the same information.
>> ...
>> commplex_main_port_t tcp 5000
>> commplex_main_port_t udp 5000
Then I wanted to remove this port (5000) from the SELinux policy rules list using this command (semanage port -d -p tcp -t commplex_port_t 5000);
the console output is "/usr/sbin/semanage: Port tcp/5000 is defined in policy, cannot be deleted", and 'udp/5000' gets the same reply.
Some sources [1] say this port is declared in the corenetwork source policy, which is compiled into the base module.
So, do I have to recompile the SELinux module?

I think that's the only way to do it if you want to relabel port 5000. 








Thanks. 
Joe. 

[1] 
http://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00056.html 




>> Another problem with port 5000 in Fedora, and probably more recent
>> versions of RHEL, is the selinux policy:
>>  
>> # sudo semanage port -l|grep 5000
>> ...
>> commplex_main_port_t tcp 5000
>> commplex_main_port_t udp 5000
>>  
>> There is some service called "commplex" that has already "claimed" port
>> 5000 for its use, at least as far as selinux goes. 




_______________________________________________ 
OpenStack-dev mailing list 
OpenStack-dev at lists.openstack.org 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev 
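
Added example, not part of the original thread: the `grep 5000` used above also matches the `50006-50008` range on the cluster_port_t lines, so this sketch parses the `semanage port -l` listing and reports only the types whose ports or ranges actually contain the port. The function names `port_types` and `sample_listing` are hypothetical, and the sample listing is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: resolve which SELinux port type(s) cover a port by parsing
# `semanage port -l` output instead of substring-matching it with grep.

# port_types PROTO PORT
# Reads a `semanage port -l` listing on stdin and prints every type whose
# port list (single ports or lo-hi ranges) contains PORT for PROTO.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # drop the list separator
                n = split(entry, r, "-")      # "50006-50008" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Constructed sample: the header line plus the entries quoted in the thread.
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

cluster_port_t                 tcp      5149, 40040, 50006-50008
cluster_port_t                 udp      5149, 50006-50008
commplex_main_port_t           tcp      5000
commplex_main_port_t           udp      5000
EOF
}

# On a live host (needs root):  semanage port -l | port_types tcp 5000
# Against the constructed sample:
sample_listing | port_types tcp 5000
```

The type printed for tcp/5000 is the one that option 1 (`semanage port -m`) would replace and that option 2's `allow` rule would name.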


