Hi

Thanks to recent help from Alan Gauld and Felix Dietrich I have studied the 
'classic Linux' permissions to allow an Apache CGI script to connect to a 
Python socket.
Though I became convinced that the corrected permissions were correct, the 
Python CGI script still would not work when called from Apache, even though 
all was OK when the CGI script was executed directly by a user.
I have found that SELinux provides further access constraints. The Fedora 
SELinux graphical tool and its associated 'troubleshooter' parser of the SELinux 
audit file made suggestions that worked for TCP/IP sockets but failed for Unix 
sockets.
(I only experimented with Unix sockets since I could not get TCP/IP sockets to 
work.)

Below is the textual response from the troubleshooter for the TCP/IP and Unix 
socket connect failures.
I found that assigning PORT_TYPE to dns_port_t worked for TCP/IP sockets.


SELinux is preventing /usr/bin/python2.7 from name_connect access on the 
tcp_socket.

If you want to allow /usr/bin/python2.7 to connect to network port 1080
you need to modify the port type.
# semanage port -a -t PORT_TYPE -p tcp 1080
where PORT_TYPE is one of the following: dns_port_t, kerberos_port_t, 
ocsp_port_t.

SELinux is preventing /usr/bin/python2.7 from write access on the sock_file 
/test/uds_socket.

Plugin: catchall_labels
If you want to allow python2.7 to have write access on the uds_socket sock_file
you need to change the label on /test/uds_socket
# semanage fcontext -a -t FILE_TYPE '/test/uds_socket'
where FILE_TYPE is one of the following: avahi_var_run_t, 
httpd_sys_rw_content_t, httpd_tmp_t, lsassd_var_socket_t, mysqld_db_t, 
mysqld_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, 
postgresql_tmp_t, postgresql_var_run_t, setrans_var_run_t, sssd_var_lib_t, 
winbind_var_run_t.
Then execute:
# restorecon -v '/test/uds_socket'

I hope this will be helpful to others wishing to use apache to connect to 
python sockets via cgi scripts.
_______________________________________________
Tutor maillist  -  Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
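As an added example (not code from the post above, and not the Fedora troubleshooter itself), the script below does by hand what the troubleshooter did for the poster: it parses AVC denial records from an audit log and maps the two denial kinds discussed in the message (name_connect on a tcp_socket, write on a sock_file) to the semanage and restorecon commands. The audit lines are constructed to resemble those denials, not taken from the poster's system; the default port type dns_port_t and file type httpd_sys_rw_content_t are taken from the troubleshooter's lists quoted above, and the socket directory /test is passed in because an AVC record only carries the file's basename.

```python
"""Triage SELinux AVC denials and emit the relabel commands.

Added example, not the poster's code. The audit records below are
constructed samples that mimic the denials the troubleshooter reported.
"""
import re

# Constructed sample audit records (not copied from any real system).
# Line 1: httpd_t (Apache running the CGI) denied connecting to TCP port 1080.
# Line 2: httpd_t denied writing to the Unix socket file uds_socket.
# Line 3: an unrelated denial the helper should leave alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1400000000.101:201): avc:  denied  { name_connect } for  pid=2001 comm="python2.7" dest=1080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1400000000.202:202): avc:  denied  { write } for  pid=2002 comm="python2.7" name="uds_socket" dev="dm-0" ino=393217 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1400000000.303:203): avc:  denied  { read } for  pid=2003 comm="python2.7" name="notes.txt" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="value" ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in _KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def remediation(rec, socket_dir, port_type="dns_port_t",
                file_type="httpd_sys_rw_content_t"):
    """Map one denial to the relabel commands the troubleshooter proposed.

    port_type and file_type default to the choices mentioned in the post;
    they are parameters because the right type depends on the local policy.
    socket_dir is an assumption: the AVC record only carries the basename.
    Returns [] for denials this helper does not know how to fix.
    """
    if (rec.get("tclass") == "tcp_socket" and "name_connect" in rec["perms"]
            and "dest" in rec):
        return ["semanage port -a -t %s -p tcp %s" % (port_type, rec["dest"])]
    if rec.get("tclass") == "sock_file" and "write" in rec["perms"] and "name" in rec:
        path = "%s/%s" % (socket_dir.rstrip("/"), rec["name"])
        return ["semanage fcontext -a -t %s '%s'" % (file_type, path),
                "restorecon -v '%s'" % path]
    return []


def triage(audit_text, socket_dir):
    """Parse every AVC line in audit_text and collect the suggested commands."""
    cmds = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        cmds.extend(remediation(rec, socket_dir))
    return cmds


if __name__ == "__main__":
    # Run against the constructed sample; on a real box feed it
    # the relevant lines of /var/log/audit/audit.log instead.
    for cmd in triage(SAMPLE_AUDIT, "/test"):
        print(cmd)
```

Two caveats worth checking before trusting the output. First, restorecon only relabels the socket file that exists at that moment; a Unix socket the Python server deletes and recreates on every start gets its label from the creating process and the parent directory, so verify the label with ls -Z after the server has restarted, and expect to rerun restorecon (or label the directory) if it is wrong. Second, relabeling a port as dns_port_t makes it pass because the httpd policy is already allowed to talk to DNS; it does not mean the port is a DNS port, so keep a note of such relabels and consult semanage port -l before reusing that port for anything else.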