And did you do anything to configure SELinux to allow httpd access as logs
point out is the problem?
BTW, giving write access to others, i.e.,
-rwxrwxrwx. 1 apache apache 4 Apr 26 20:35 openme
is bad security practice.
It actually looks like you did 'chmod -r 0777 .' You should never blindly give
rwx permissions recursively to directories as it changes permissions on files
to stuff they don't need.
What I suggest you do if you are just starting out is to not configure your
system Apache at all. Instead use mod_wsgi-express and run it on a non
privileged port out of your own home directory.
https://pypi.org/project/mod-wsgi/
http://blog.dscpl.com.au/2015/04/introducing-modwsgi-express.html
Worry about using system Apache much later when you actually have a need to
permanently deploy it and must use system Apache.
Graham
> On 27 Apr 2020, at 12:51 pm, Mike Archbold <[email protected]> wrote:
>
> Hi,
>
> I have tried to understand the prior problems -- sorry, I can't figure it out
> from the priors. I'm a newbie to mod_wsgi and Apache trying to create a
> python server. I'm self-taught but totally stuck... thanks guys, at a dead
> end. It is something I am clueless about.
>
> ---------------------------------------
>
> *** This is the guts of the config.d file:
>
>
> Listen 80
> <VirtualHost *:80>
>     DocumentRoot "/var/www/jsss/html"
>     ServerName localhost:80
>
>     WSGIDaemonProcess jsss processes=1 threads=1 display-name=%{GROUP} user=apache group=apache
>     WSGIProcessGroup jsss
>
>     WSGIScriptAlias / /var/www/jsss/jsss.wsgi
>
>     <Directory /var/www/jsss/>
>         Options All
>         Require all granted
>     </Directory>
> </VirtualHost>
>
> ---------------------------------------------------------------
>
> *** This is my main program, a single line, called from Apache, jsss_wsgi:
>
>
> from jsss_flask_rest import app as application
>
> ---------------------------------------------------------------
>
> *** this is the jsss_flask_rest program called from the single line jsss_wsgi:
>
>
> from flask import Flask, request
> from flask_restful import Resource, Api
> import subprocess
> import sys
> import base64
> import os
> import getpass
>
> app = Flask(__name__)
> api = Api(app)
>
> class jsss(Resource):
>     def get(self):
>
>         f = open("/var/www/jsss/openme","r+")  # <<<--- dies right here
>
>         username = getpass.getuser()
>
>         stdout_data = username
>
>         return {"output>": stdout_data}
>
>
> api.add_resource(jsss, '/jsss')
>
> if __name__ == '__main__':
>     app.run()
>
> ---------------------------------------------------------------
>
> *** these are the permissions I set up for the test "openme" file. The apache
> should have read access to root.
>
> -rwxrwxrwx. 1 apache apache 4 Apr 26 20:35 openme
>
>
> ---------------------------------------------------------------
>
> *** error from apache:
>
> File "/usr/lib64/python3.6/site-packages/jsss_flask_rest.py", line 17, in get
> [Sun Apr 26 22:01:31.063590 2020] [wsgi:error] [pid 14886:tid 140318833870592] [remote ::1:37856] f = open("/var/www/jsss/openme","r+")
> [Sun Apr 26 22:01:31.063592 2020] [wsgi:error] [pid 14886:tid 140318833870592] [remote ::1:37856] PermissionError: [Errno 13] Permission denied: '/var/www/jsss/openme'
>
> -----------------------------------------------------------
>
> *** error from Linux:
>
> 22:01:34 setroubleshootd: SELinux is preventing /usr/sbin/httpd from write
> access on the file openme.
>
> ***** Plugin httpd_write_content (92.2 confidence) suggests ***************
>
> If you want to allow httpd to have write access on the openme file
> Then you need to change the label on 'openme'
> Do
> # semanage fcontext -a -t httpd_sys_rw_content_t 'openme'
> # restorecon -v 'openme'
>
> ***** Plugin catchall_boolean (7.83 confidence) suggests ******************
>
> If you want to allow httpd to unified
> Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
>
> Do
> setsebool -P httpd_unified 1
>
> ***** Plugin catchall (1.41 confidence) suggests **************************
>
> If you believe that httpd should be allowed write access on the openme file
> by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
> # semodule -X 300 -i my-httpd.pp
>
>
--
You received this message because you are subscribed to the Google Groups
"modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/modwsgi/01AD31BA-9BCB-4986-B4F9-A4E85127847D%40gmail.com.
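
The two layers in this thread, file mode bits and the SELinux label, can be checked separately; the sketch below is an added example, not code from either poster or from mod_wsgi. The function names are hypothetical, the sample context string is constructed, and treating only `httpd_sys_rw_content_t` as writable by httpd is a simplifying assumption.

```python
import os
import stat
import tempfile

# Only the type named in the setroubleshoot output above is treated as
# writable by httpd; that is a simplification of the real policy.
HTTPD_RW_TYPE = "httpd_sys_rw_content_t"


def selinux_type(context):
    """Return the type field of a 'user:role:type:level' context string."""
    parts = context.rstrip("\x00").split(":")
    return parts[2] if len(parts) >= 3 else None


def read_context(path):
    """Read the file's SELinux label, or None when it is not available."""
    try:
        return os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):
        return None


def audit(path, context=None):
    """Findings for a data file that httpd opens with mode 'r+' (read/write)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append("DAC: world-writable (%04o), 0660 is enough" % mode)
    if mode & 0o111:
        findings.append("DAC: execute bits on a data file (%04o)" % mode)
    context = context or read_context(path)
    if context is None:
        findings.append("MAC: no SELinux label readable for this file")
    elif selinux_type(context) != HTTPD_RW_TYPE:
        findings.append("MAC: type %s lacks httpd write, 'r+' needs %s"
                        % (selinux_type(context), HTTPD_RW_TYPE))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for /var/www/jsss/openme with the posted mode.
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o777)
        # Constructed label: the type assumed here for files under /var/www.
        for line in audit(tmp.name, "unconfined_u:object_r:httpd_sys_content_t:s0"):
            print(line)
```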