PerlMonks
Re^4: LWP running as cgi
by elwoodblues (Novice) on Sep 22, 2008 at 10:35 UTC ( [id://712986]=note )
I've investigated this problem a bit more, and seeing as two monks had the problem, I'd expect it to be more widespread as more people upgrade.

Someone can move this to a more appropriate section if required.

Running that test program:

If you then look in you'll see something like:

Now, the easy solution is to disable SELinux. Tempting. Very tempting. But bad.

To see if SELinux is currently on:

    cat /selinux/enforce

If you get a '1' back, it's on. If you disable it and run that test program again, you'll see it works now under cgi!

To disable it, log in as root:

Access the test cgi program via a web browser, and it should now work.

To reenable it:

Thanks for spotting the typo, Jethro.

Do not turn it off for any length of time, as a total relabeling of the system will be required. The above instructions put it into permissive mode, which, if you just do it quickly, shouldn't affect your security too much.

From the doco, "Detailed Description: SELinux denied access requested by host. It is not expected that this access is required by host and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access."

SELinux doco also states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.

I'd say that those modules (LWP, etc) that access DNS would need to put out some sort of permission error if it is denied...

Basically, you can see the extra SELinux labels on files by:

    ls -Z *

In the case of /usr/bin/host, you get it is not owned or accessible to any cgi scripts. For that to happen, they need to have httpd_sys_script_exec_t permissions... or a local exclusion policy.

SELinux is blocking httpd processes from connecting to the net (probably to stop hackers from attacking other machines from httpd).

Because I'm running short of time now, this sledge hammer approach will fix that:

The better way is to generate a local exclusion policy; see http://www.crypt.gen.nz/selinux/faq.html#BSP.3 for more info on doing this...

I've spent enough time on it... Life is too short for SELinux.

Hope this helps.
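Added example, not part of elwoodblues's post: before writing the local policy the post recommends, it helps to list exactly which accesses SELinux denied to the web server's domains, so the policy allows only those. This Python sketch summarises AVC denial records for `httpd_*` source types. The log lines are constructed samples, `example_exec_t` is a placeholder type, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the original post).
# example_exec_t is a placeholder label, not the real type of any binary.
SAMPLE_LOG = """\
type=AVC msg=audit(1222079701.101:51): avc:  denied  { name_connect } for  pid=4101 comm="perl" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1222079701.205:52): avc:  denied  { execute } for  pid=4102 comm="perl" name="host" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file
type=AVC msg=audit(1222079702.310:53): avc:  denied  { name_connect } for  pid=4103 comm="perl" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1222079703.000:54): avc:  denied  { read } for  pid=900 comm="cupsd" name="x" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222079703.000:54): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def httpd_denials(log_text, domain_prefix="httpd_"):
    """Count denials per (source type, target type, class, permission)
    for source domains whose type starts with domain_prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue  # not an AVC denial record
        source = selinux_type(m["scontext"])
        if not source.startswith(domain_prefix):
            continue  # denial belongs to some other service
        target = selinux_type(m["tcontext"])
        for perm in m["perms"].split():
            counts[(source, target, m["tclass"], perm)] += 1
    return counts

def needs_network(counts):
    """True if any recorded denial is an outbound socket connect."""
    return any(c.endswith("_socket") and p == "name_connect" for (_, _, c, p) in counts)

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(httpd_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```

Each distinct tuple in the output corresponds to one access a local policy would have to allow; denials from unrelated domains are left out so they are not granted by accident.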