I've investigated this problem a bit more, as seeing as two monks had the problem, I'd expect it to be more widespeard as more people upgrade.
Someone can move this to a more appropriate section if required
This problem is definatly related to SELinux
I've installed FC9 as a test on WMware, which by default has SELinux installed. SELinux adds extra labels to every file to see if Apache can access them. So not only
do permissions control your access, but also SELinux, which is part of the Kernel.
Running that test program:
#!/bin/bash
host=$(/usr/bin/host maps.google.com)
cat <<!
Content-Type: text/plain
system (`ls -l /usr/bin/host`);
$host
!
If you then look in
cat /var/log/messages<br>
you'll see something like:
Sep 22 10:16:02 localhost setroubleshoot: SELinux is preventing ho
+st (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t). F
+or complete SELinux ....
Now, the easy solution is to disable SELinux. Tempting. Very tempting. But bad.
To see if SELinux is currently on:
cat /selinux/enforce
If you get a '1' back, it's on.
If you disable it and run that test program again, you'll see it works now under cgi!
to disable it, log in as root:
echo 0 >/selinux/enforce
access the test cgi program via a web browser, and it should now work.
to reenable it
echo 1 >/selinux/enforce
thanks for spotting the typo Jethro
Do not turn it off for any length of time, as a total relabeling of the system will be required
The above instructions put it into permissve mode, which, it you just do it quickly, shouldn't affect your security too much.
From the doco,
"Detailed Description:
SELinux denied access requested by host. It is not expected that this access is
required by host and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access."
SELinux doco also states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.
I'd say that those modules (LWP, etc) that access DNS would need to put out some sort of permission error if it is denied...
Basically,you can see the extra SELinux labels on files by: ls -Z *
In the case of /usr/bin/host, you get
exe="/usr/bin/host" subj=unconfined_u:system_r:httpd_sys_script_t:s0
it is not owned or accessible to any cgi scripts. For that to happen, they need to have
httpd_sys_script_exec_t permissions...or a local exclusion policy.
SELinux is blocking httpd processes from connecting to the net (probably to stop hackers from attacking other machines from httpd)
Because I'm running short of time now, this sledge hammer approach will fix that:
setsebool -P httpd_can_network_connect 1
The better way is to generate a local exclusion policy
audit2allow -a
see http://www.crypt.gen.nz/selinux/faq.html#BSP.3 for more info on doing this... I've spent enough time on it...Life is too short for SELinux
hope this helps.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.