FastCGI applications

Paul Howarth paul at city-fan.org
Mon May 15 13:44:52 UTC 2006


I've just moved my personal moin wiki from mod_python to FastCGI for 
performance reasons (it's well worth it!). For people that don't know, 
FastCGI works by starting up one or more copies of a CGI application and 
then keeping them running, passing requests from server to application 
over a socket. This avoids the startup overhead of the CGI application 
for each request that is necessary with regular CGI.

I needed the policy module below to get it working. I'm not sure what 
exactly all of the "allows" are allowing, so advice would be welcome 
(sample AVCs included).

Regarding support for FastCGI in the standard policy, perhaps 
appropriate rules could be added under a boolean httpd_enable_fastcgi or 
even added to the features enabled with httpd_enable_cgi?

policy_module(apache, 0.1.0)

require {
         type httpd_sys_script_t;
         type httpd_log_t;
         type httpd_t;
         type devpts_t;
         type var_run_t;
};

# ==========================================================
# Needed for mod_fcgid
# ==========================================================

# This is the FastCGI application doing something to the httpd error log
# ----------------------------------------------------------------------
# type=AVC msg=audit(1147697748.197:15226): avc:  denied  { ioctl } for
#   pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988
#   scontext=user_u:system_r:httpd_sys_script_t:s0
#   tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
# type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54
#   success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 items=0
#   pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
#   sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
# type=AVC_PATH msg=audit(1147697748.197:15226):
#   path="/var/log/httpd/error_log"
allow httpd_sys_script_t httpd_log_t:file ioctl;

# This is the FastCGI application listening for FastCGI requests on its
# socket
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr
         ioctl listen };

# Not sure what this is doing
# ---------------------------
# type=AVC msg=audit(1147699050.131:15341): avc:  denied  { ioctl } for
#   pid=16705 comm="httpd" name="2" dev=devpts ino=4
#   scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0
#   tclass=chr_file
# type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 syscall=54
#   success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 items=0
#   pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
#   sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
# type=AVC_PATH msg=audit(1147699050.131:15341):  path="/dev/pts/2"
allow httpd_t devpts_t:chr_file ioctl;
# perhaps it should be term_ioctl_generic_ptys(httpd_t)

# mod_fcgid setting attr of its socket dir
# ----------------------------------------
# type=AVC msg=audit(1147697688.037:15216): avc:  denied  { setattr } for
#   pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818
#   scontext=user_u:system_r:httpd_t:s0
#   tcontext=system_u:object_r:var_run_t:s0 tclass=dir
# type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212
#   success=yes exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656
#   auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
#   comm="httpd" exe="/usr/sbin/httpd"
# type=CWD msg=audit(1147697688.037:15216):  cwd="/"
# type=PATH msg=audit(1147697688.037:15216): item=0
#   name="/etc/httpd/run/mod_fcgid" flags=1  inode=458818 dev=fd:04
#   mode=040755 ouid=48 ogid=48 rdev=00:00
allow httpd_t var_run_t:dir setattr;


Paul.
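The way the module above was built, reading each AVC denial and hand-writing a matching allow rule, can be done mechanically so that the hand-written rules can be checked against what the audit log actually says. The following is an added example, not code from the post and not audit2allow itself, though it reimplements that tool's core step: it parses audit records like the ones quoted, takes the type field out of each security context, and merges denials that share source type, target type and object class into one allow rule. The sample records are constructed: the three denials quoted in the post plus two made-up unix_stream_socket denials (the post shows only the resulting rule) to exercise the merging.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (one record per line, unwrapped).
# The first three denials are the ones quoted in the post; the two
# unix_stream_socket denials are made up here to show permission merging.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1147697748.197:15226): avc:  denied  { ioctl } for  pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54 success=no exit=-25 comm="python" exe="/usr/bin/python"
type=AVC msg=audit(1147699050.131:15341): avc:  denied  { ioctl } for  pid=16705 comm="httpd" name="2" dev=devpts ino=4 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1147697688.037:15216): avc:  denied  { setattr } for  pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1147697750.000:15230): avc:  denied  { listen } for  pid=15684 comm="python" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1147697750.001:15231): avc:  denied  { accept } for  pid=15684 comm="python" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
"""

# Only AVC records carry a denial; SYSCALL/CWD/PATH records are context.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scon"]), context_type(m["tcon"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials sharing (source, target, class) into one allow rule."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        if len(perms) > 1:
            joined = "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {joined};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

Comparing the generated rules with the hand-written module shows which permissions in it (getattr and ioctl on the socket, in this constructed sample) have no denial backing them and deserve a second look before being allowed.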
