[CentOS] selinux question

Tue Aug 21 21:20:06 UTC 2018
Warren Young <warren at etr-usa.com>

On Aug 21, 2018, at 1:27 PM, Nataraj <incoming-centos at rjl.com> wrote:
> I have a web application which uses sudo to invoke python scripts as the
> user under which the application runs (NO root access).

Why is the web app not running with that user’s permissions in the first place?

If your answer is that it needs root access to bind to port 80, there are two common solutions:

1. Start the service as root, set up the port 80 listener, then drop privileges internally with getpwent(“myuser”) and setuid(my_uid).

2. Use an HTTP[S] proxy server, such as Apache with mod_proxy configured.  Bind the actual web app to localhost and a high-numbered random port, then forward external port 80 hits to the internal service.  This method has the additional advantage that you can use the path part of the URL to relieve the web app of having to serve hits for the static resources — *.js, *.png, *.css… — which can speed the application up.
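The first option, worked through as an added example (this is not code from the thread or from Nataraj's application). It binds the privileged port while still root, then switches real, effective and saved IDs to an unprivileged account, and refuses to serve if the switch can be undone. The by-name lookup is getpwnam(3), exposed in Python as pwd.getpwnam; TARGET_USER and LISTEN_PORT are assumptions for the demo.

```python
#!/usr/bin/env python3
"""Added example (not from the original thread): start as root, bind the
privileged port, then permanently switch to an unprivileged account before
touching any request data. TARGET_USER and LISTEN_PORT are assumptions."""
import grp
import os
import pwd
import socket

TARGET_USER = "nobody"  # assumption: an existing unprivileged account
LISTEN_PORT = 80        # privileged port; binding needs root or CAP_NET_BIND_SERVICE


def bind_listener(port, host="0.0.0.0", backlog=128):
    """Bind and listen while still privileged. The open descriptor survives setuid()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def resolve_user(name):
    """Return (uid, gid, supplementary gids) for an account, looked up by name."""
    pw = pwd.getpwnam(name)
    extra = [g.gr_gid for g in grp.getgrall() if name in g.gr_mem]
    return pw.pw_uid, pw.pw_gid, extra


def drop_privileges(name):
    """Irreversibly become `name`. Order matters: groups and gid are set first,
    because once the uid is non-root, setgroups()/setgid() are no longer allowed."""
    uid, gid, extra = resolve_user(name)
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    os.setgroups(extra)            # discard root's supplementary groups
    os.setresgid(gid, gid, gid)    # real, effective and saved gid
    os.setresuid(uid, uid, uid)    # real, effective and saved uid: no way back
    os.umask(0o077)


def privileges_dropped(expected_uid):
    """True only if the process runs as expected_uid and cannot regain root."""
    if expected_uid == 0:
        return False
    if os.getuid() != expected_uid or os.geteuid() != expected_uid:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded: the saved uid was still 0, the drop failed


def main():
    listener = bind_listener(LISTEN_PORT)
    drop_privileges(TARGET_USER)
    if not privileges_dropped(resolve_user(TARGET_USER)[0]):
        raise SystemExit("privilege drop incomplete; refusing to serve")
    while True:
        conn, _peer = listener.accept()
        with conn:
            conn.recv(4096)  # request handling runs entirely as TARGET_USER
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


if __name__ == "__main__":
    main()
```

Run it as root (or under a unit with CAP_NET_BIND_SERVICE); once drop_privileges() has returned, every byte of client input is parsed by a process that can no longer become root, which is the property sudo-from-the-web-app does not give you.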
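The second option as an added example of an httpd configuration (not from the thread): Apache owns port 80, serves the static tree itself, and forwards everything else to the unprivileged app on a loopback-only port. The hostname, paths and port 8080 are assumptions. Because this thread is about SELinux, note that on CentOS the default policy blocks httpd from opening outbound connections, so the proxy also needs the httpd_can_network_connect boolean.

```apache
# Added example, not from the original thread. Assumes the web app listens on
# 127.0.0.1:8080 as an unprivileged user and keeps static files in
# /var/www/app/static. On CentOS, allow httpd to connect to the backend first:
#     setsebool -P httpd_can_network_connect on
Listen 80
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName app.example.com
    DocumentRoot /var/www/app/static

    # Exclusions must precede the catch-all ProxyPass. Static assets are
    # served straight from disk and never reach the application process.
    ProxyPass /static !
    Alias     /static /var/www/app/static
    <Directory /var/www/app/static>
        Options -Indexes
        Require all granted
    </Directory>

    # Everything else goes to the app bound to localhost only.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/ retry=0
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

With this in place the application binary never needs root, sudo, or a low port: confirm with `ss -ltnp` that only httpd holds :80 and the app holds 127.0.0.1:8080.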