Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.
 
PerlMonks  

Re^4: LWP running as cgi

by elwoodblues (Novice)
on Sep 22, 2008 at 10:35 UTC ( [id://712986]=note: print w/replies, xml ) Need Help??


in reply to Re^3: LWP running as cgi
in thread LWP running as cgi

I've investigated this problem a bit more, as seeing as two monks had the problem, I'd expect it to be more widespeard as more people upgrade.

Someone can move this to a more appropriate section if required
This problem is definatly related to SELinux
I've installed FC9 as a test on WMware, which by default has SELinux installed. SELinux adds extra labels to every file to see if Apache can access them. So not only do permissions control your access, but also SELinux, which is part of the Kernel.

Running that test program:

#!/bin/bash host=$(/usr/bin/host maps.google.com) cat <<! Content-Type: text/plain system (`ls -l /usr/bin/host`); $host !
If you then look in
cat /var/log/messages<br>
you'll see something like:
Sep 22 10:16:02 localhost setroubleshoot: SELinux is preventing ho +st (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t). F +or complete SELinux ....
Now, the easy solution is to disable SELinux. Tempting. Very tempting. But bad.
To see if SELinux is currently on:
 cat /selinux/enforce
If you get a '1' back, it's on.
If you disable it and run that test program again, you'll see it works now under cgi!
to disable it, log in as root:
echo 0 >/selinux/enforce

access the test cgi program via a web browser, and it should now work.

to reenable it
echo 1 >/selinux/enforce

thanks for spotting the typo Jethro
Do not turn it off for any length of time, as a total relabeling of the system will be required
The above instructions put it into permissve mode, which, it you just do it quickly, shouldn't affect your security too much.


From the doco,

"Detailed Description:
SELinux denied access requested by host. It is not expected that this access is required by host and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access."

SELinux doco also states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.
I'd say that those modules (LWP, etc) that access DNS would need to put out some sort of permission error if it is denied...


Basically,you can see the extra SELinux labels on files by: ls -Z *
In the case of /usr/bin/host, you get
exe="/usr/bin/host" subj=unconfined_u:system_r:httpd_sys_script_t:s0
it is not owned or accessible to any cgi scripts. For that to happen, they need to have httpd_sys_script_exec_t permissions...or a local exclusion policy.


SELinux is blocking httpd processes from connecting to the net (probably to stop hackers from attacking other machines from httpd)
Because I'm running short of time now, this sledge hammer approach will fix that:
setsebool -P httpd_can_network_connect 1
The better way is to generate a local exclusion policy
audit2allow -a

see http://www.crypt.gen.nz/selinux/faq.html#BSP.3 for more info on doing this... I've spent enough time on it...Life is too short for SELinux
hope this helps.

Replies are listed 'Best First'.
Re^5: LWP running as cgi
by betterworld (Curate) on Sep 22, 2008 at 23:10 UTC
    SELinux is blocking httpd processes from connecting to the net (probably to stop hackers from attacking other machines from httpd)

    There is another reason to keep the webserver from accessing the internet. Sometimes web applications have security holes that allow an attacker to execute a program that is available on the net, like with PHP's remote include "feature". Or the attacker's payload (like a spambot or rootkit) might be too big for a vulnerable web form.

    While it should be preferable to avoid having security holes in web applications; I think it is prudent to make it hard to exploit a vulnerability to take over a system. Therefore I suggest that you think carefully before disabling these security measures.

      Yes, you are correct. Like I said above, the best way is to generate a local exclusion policy to lock it to only allow access to what you explicitly need.
      I was mainly interested in finding out what caused this behaviour. I don't run SELinux, and after reading the doco, doubt I ever will until they make it easier to configure. Yes, it is very secure, but is the added complexity required for most installs? Really depends upon your application, but for my laptop running a development web server...naw.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://712986]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2024-03-28 22:10 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found