[SOLVED] SELinux - Preventing script from fetching images via http
Posted: 2019/10/01 19:42:02
Hi,
I've just recently had to move a ton of scripts from an old server to an Azure cloud VM. I was pleased that I managed to get pretty much everything working and set up with SELinux without too many difficulties, but I've discovered one problematic Perl script.
The script is used in various websites to fetch images using LWP from a remote site and then display them on the web page. All very simple stuff. However, it now has problems fetching anything when used via http. However, if I use the script from the server command line, as a regular user, then it fetches with no problems.
So, I've spent a day or two banging my head on the wall, but then eventually decided to see if it could be SELinux-related by temporarily setting SELinux to permissive mode. This transpired to work, and the script then worked exactly as it should do. FYI. I've now turned off permissive mode.
I thought I had the right permissions and contexts and everything on the file/directory, as everything else in the same dir works just fine. Obviously I'm missing some finer point about how SELinux works. The output below displays the dir and file permissions, etc.
If anyone is able to point me in the right direction then it would be much appreciated. Many thanks in advance.
drwx---r-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 cgi2
-rwx---r-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 test.cgi