For his CS 118 class, Lyn wants to get Python CGI scripts working on tempest, so he changed the SELinux permissions for httpd_can_network_connect. This also solved the problem we were having with Eni’s PHP/Python scripts working on puma but not on tempest. So... thank you, Lyn!
Here’s a transcript of his email, with a link to the article he referenced to figure this out.
Dear CS sysadmins —
For CS118, I need to have Python CGI scripts on tempest that can run urllib.urlopen().
Although python programs with this function run fine when executed as a normal user, they fail with the error IOError<urlopen error [Errno 13] Permission denied> when run in a CGI script. The article at
suggests this is due to the SELINUX flag httpd_can_network_relay being turned off and suggests turning it on. I tried this, and it did not solve the problem. But instead I tried turning on httpd_can_network_connect and this did solve the problem. However, the article http://beginlinux.com/blog/2009/05/apache-security-with-selinux/ warns that by default this is “Disabled to prevent hackers from attacking other machines from httpd.”
I don’t want to make tempest a haven for hackers. But I do want my CGI scripts to work. Is it problematic that I changed this flag? Is there a better way to fix this problem?
Below is a transcript of what I did.
[root@tempest ~] getsebool -a | grep httpd
…
httpd_can_network_connect --> off
…
[root@tempest ~] setsebool -P httpd_can_network_connect=1
[root@tempest ~] getsebool -a | grep httpd
…
httpd_can_network_connect --> on
…
– lyn –
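As an added example (not part of the email or the original post): since httpd_can_network_connect permits outbound TCP connections from the web server's domains in general, one way to see which outbound connections the CGI scripts actually needed is to summarize the name_connect denials SELinux logged before the flag was changed. The function name, the sample log lines and the domain names in them are constructed for illustration; on a real host the input would be the audit log.

```shell
#!/bin/sh
# Summarize SELinux "name_connect" denials raised by httpd-related domains.
# Reads audit log lines on stdin, prints: <count> <source domain> <port type> <dest port>
summarize_httpd_connect_denials() {
    awk '
    /avc: +denied/ && /name_connect/ {
        dom = ""; ttype = ""; port = "?"
        for (i = 1; i <= NF; i++) {
            # Contexts look like user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/)      { split($i, s, ":"); dom = s[3] }
            else if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            else if ($i ~ /^dest=/)     { port = substr($i, 6) }
        }
        # Only count denials whose source is a web server domain.
        if (dom ~ /^httpd_/) count[dom " " ttype " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input: two CGI fetches to port 80, one database connection
# from httpd itself, one unrelated file denial, one denial from a non-httpd domain.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1300000000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="python" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000001.102:502): avc:  denied  { name_connect } for  pid=2102 comm="python" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000002.103:503): avc:  denied  { name_connect } for  pid=2103 comm="php" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000003.104:504): avc:  denied  { read } for  pid=2104 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000004.105:505): avc:  denied  { name_connect } for  pid=2105 comm="sshd" dest=80 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF
}

# Demonstration run on the constructed sample.
sample_log | summarize_httpd_connect_denials
```

A short list of destinations (for example only port 80) suggests the scripts need far less than the boolean grants, which is useful input when deciding whether to leave it on.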