[Tutor] Apache cgi Python Sockets classic Linux permissions and SELinux under Fedora19

Stewart Lawton jstewartlawton at yahoo.co.uk
Mon May 18 13:54:56 CEST 2015


Hi

Thanks to recent help from Alan Gauld and Felix Dietrich I have studied the 'classic Linux' permissions
to allow an Apache cgi script to connect to a Python Socket.
Though I became convinced that the corrected permissions were correct the Python cgi script still would not work when
called from apache even though all was OK when the cgi script was executed directly by a user.
I have found that SELinux provides further access constraints. The Fedora SELinux graphic tool and associated 'trouble shooter' parser of the SELinux audit file made suggestions that worked for TCPIP Sockets but failed for Unix Sockets.
(I only experimented with Unix Sockets since I could not get TCPIP Sockets to work).

Below is the textual response from the trouble shooter for TCPIP and Unix Socket connect failures.
I found that assigning PORT_TYPE to dns_port_t worked for TCPIP sockets.


SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

If you want to allow /usr/bin/python2.7 to connect to network port 1080
you need to modify the port type.
# semanage port -a -t PORT_TYPE -p tcp 1080
where PORT_TYPE is one of the following: dns_port_t, kerberos_port_t, ocsp_port_t.

SELinux is preventing /usr/bin/python2.7 from write access on the sock_file /test/uds_socket.

Plugin: catchall_labels
If you want to allow python2.7 to have write access on the uds_socket sock_file
You need to change the label on /test/uds_socket
# semanage fcontext -a -t FILE_TYPE '/test/uds_socket'
where FILE_TYPE is one of the following: avahi_var_run_t, httpd_sys_rw_content_t, httpd_tmp_t, lsassd_var_socket_t, mysqld_db_t, mysqld_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, setrans_var_run_t, sssd_var_lib_t, winbind_var_run_t. 
Then execute: 
restorecon -v '/test/uds_socket'

I hope this will be helpful to others wishing to use apache to connect to python sockets via cgi scripts.
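The trouble shooter quoted above works by parsing AVC denial records out of the SELinux audit log. As an added example (not part of the original post, and not the Fedora tool's own code), here is a small Python parser that pulls the source and target contexts, object class and denied permission out of such records and maps the two denial shapes seen above (tcp_socket name_connect and sock_file write) to the semanage/restorecon commands the trouble shooter proposed. The audit lines are constructed, and values such as the contexts, pids and inode are assumptions.

```python
import re
from collections import namedtuple

# Constructed audit.log excerpt (not real output): one TCP denial, one Unix
# socket denial and one non-AVC record that the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1431950096.123:456): avc:  denied  { name_connect } for  pid=1234 comm="python2.7" dest=1080 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:socks_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431950097.456:457): avc:  denied  { write } for  pid=1235 comm="python2.7" name="uds_socket" path="/test/uds_socket" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1431950097.456:457): arch=c000003e syscall=42 success=no exit=-13 comm="python2.7"
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

Denial = namedtuple('Denial', 'ts perms comm scontext tcontext tclass fields')

def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Denial(ts=float(m.group('ts')), perms=m.group('perms').split(),
                  comm=fields.get('comm'), scontext=fields.get('scontext'),
                  tcontext=fields.get('tcontext'), tclass=fields.get('tclass'),
                  fields=fields)

def parse_log(text):
    """All AVC denials in a log excerpt, in file order."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]

def suggest_fix(d):
    """Map the two denial shapes from the post to the relabel the trouble
    shooter proposed; PORT_TYPE / FILE_TYPE are left for the admin to pick."""
    if d.tclass == 'tcp_socket' and 'name_connect' in d.perms:
        return "semanage port -a -t PORT_TYPE -p tcp %s" % d.fields.get('dest', '<port>')
    if d.tclass == 'sock_file' and 'write' in d.perms:
        path = d.fields.get('path') or d.fields.get('name', '<socket>')
        return "semanage fcontext -a -t FILE_TYPE '%s' && restorecon -v '%s'" % (path, path)
    return None   # other denials are outside the two cases the post covers

if __name__ == '__main__':
    for d in parse_log(SAMPLE_LOG):
        print("%s denied %s on %s (%s -> %s): %s" % (
            d.comm, ' '.join(d.perms), d.tclass, d.scontext, d.tcontext, suggest_fix(d)))
```

Running it against the real file (/var/log/audit/audit.log, as root) shows which context the Apache cgi process actually ran as and which label the socket carried, which is the information needed to pick a sensible FILE_TYPE rather than the first one in the list.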

