rpms/mod_fcgid/F-7 fastcgi-2.5.te, NONE, 1.1 mod_fcgid-2.1-README.RPM, NONE, 1.1 fastcgi.te, 1.1, 1.2 mod_fcgid-2.1-README.SELinux, 1.1, 1.2 mod_fcgid.spec, 1.4, 1.5 mod_fcgid-2.1-README.Fedora, 1.1, NONE

Paul Howarth (pghmcfc) fedora-extras-commits at redhat.com
Fri Jun 15 17:14:45 UTC 2007


Author: pghmcfc

Update of /cvs/pkgs/rpms/mod_fcgid/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4976

Modified Files:
	fastcgi.te mod_fcgid-2.1-README.SELinux mod_fcgid.spec 
Added Files:
	fastcgi-2.5.te mod_fcgid-2.1-README.RPM 
Removed Files:
	mod_fcgid-2.1-README.Fedora 
Log Message:
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
servers

Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
permissions macros in the underlying selinux-policy package

Add RHEL5 with SELinux support

Rename README.Fedora to README.RPM



--- NEW FILE fastcgi-2.5.te ---
policy_module(fastcgi, 0.2.0)

type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)

require {
	type devpts_t;
	type httpd_t;
	type httpd_config_t;
	type httpd_log_t;
	type httpd_sys_script_exec_t;
	type httpd_sys_content_t;
};

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

## <desc>
## <p>
## Allow FastCGI applications to write to public content 
## </p>
## </desc>
gen_tunable(allow_httpd_fastcgi_script_anon_write,false)

## <desc>
## <p>
## Allow FastCGI applications to make outbound SMTP connections
## </p>
## </desc>
gen_tunable(httpd_fastcgi_can_sendmail,false)

tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
	miscfiles_manage_public_files(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_fastcgi_can_sendmail',`
	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
')

# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };

# Allow FastCGI applications to read the routing table
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow httpd to create and use sockets for communicating with mod_fcgid
manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
allow httpd_t httpd_fastcgi_sock_t:dir { setattr };

# Allow httpd to read httpd_fastcgi_content_t
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# ======================================================
# Equivalent policy cribbed from httpd_sys_script_t
# ======================================================

dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;

fs_search_auto_mountpoints(httpd_fastcgi_script_t)

files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)

# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)

ifdef(`distro_redhat',`
	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')

ifdef(`targeted_policy',`
	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
	')
')

tunable_policy(`httpd_use_nfs', `
	fs_read_nfs_files(httpd_fastcgi_script_t)
	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
	fs_read_nfs_files(httpd_fastcgi_script_t)
	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_use_cifs', `
	fs_read_cifs_files(httpd_fastcgi_script_t)
	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')

tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
	fs_read_cifs_files(httpd_fastcgi_script_t)
	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')

optional_policy(`
	mysql_stream_connect(httpd_fastcgi_script_t)
	mysql_rw_db_sockets(httpd_fastcgi_script_t)
')

optional_policy(`
	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
')



--- NEW FILE mod_fcgid-2.1-README.RPM ---
Using the mod_fcgid RPM Package
===============================

This mod_fcgid package includes a configuration file
/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
added as the handler for .fcg, .fcgi, and .fpl applications (provided
mod_fastcgi in not already loaded, in which case you will need to decide which
module should handle which types of application).

So far the module package has only been tested in conjunction with the "moin"
wiki application. Further feedback regarding other applications is welcome.

Setting up moin with mod_fcgid
==============================

Setting up moin with mod_fcgid is very similar to setting it up as a regular
CGI application.

 * Create a directory for your wiki instance:

    DESTDIR=/var/www/mywiki
    mkdir -p $DESTDIR/cgi-bin

 * Copy in the wiki template data and the application itself:

    cp -a /usr/share/moin/{data,underlay} $DESTDIR
    cp -a /usr/share/moin/server/moin.fcg $DESTDIR/cgi-bin
    cp -a /usr/share/moin/config/wikiconfig.py $DESTDIR/cgi-bin

 * Fix the directory ownership

    chown -R apache:apache $DESTDIR/{data,underlay}

 * Edit $DESTDIR/cgi-bin/wikiconfig.py to suit your needs

 * Create a httpd configuration file for the wiki, e.g.
   /etc/httpd/conf.d/mywiki.conf

    # Wiki application data common to all wiki instances
    Alias /wiki/ "/usr/share/moin/htdocs/"
    <Directory "/usr/share/moin/htdocs/">
      Options Indexes FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
    </Directory>

    # Wiki instance with mod_fcgid
    <IfModule mod_fcgid.c>
      ScriptAlias /mywiki "/var/www/mywiki/cgi-bin/moin.fcg"
      <Directory "/var/www/mywiki/cgi-bin/">
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
      </Directory>
    </IfModule>

 * If you are using SELinux with Fedora Core 5 or later, or Red Hat Enterprise
   Linux 5 or later, install the mod_fcgid-selinux package and see the
   README.SELinux file in that package for details of the file contexts to use

 * Restart the web server to load the new configuration:

   service httpd restart

That should do it!


Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/F-7/fastcgi.te,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- fastcgi.te	6 Sep 2006 13:08:59 -0000	1.1
+++ fastcgi.te	15 Jun 2007 17:14:10 -0000	1.2
@@ -1,4 +1,4 @@
-policy_module(fastcgi, 0.1.6)
+policy_module(fastcgi, 0.1.7)
 
 type httpd_fastcgi_sock_t;
 files_type(httpd_fastcgi_sock_t)
@@ -19,6 +19,18 @@
 apache_content_template(fastcgi)
 kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
 
+## <desc>
+## <p>
+## Allow FastCGI applications to make outbound SMTP connections
+## </p>
+## </desc>
+gen_tunable(httpd_fastcgi_can_sendmail,false)
+
+tunable_policy(`httpd_fastcgi_can_sendmail',`
+	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
+	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
+')
+
 # Allow FastCGI applications to do DNS lookups
 sysnet_dns_name_resolve(httpd_fastcgi_script_t)
 
@@ -55,9 +67,14 @@
 
 dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
 
+fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+
 files_search_var_lib(httpd_fastcgi_script_t)
 files_search_spool(httpd_fastcgi_script_t)
 
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+
 ifdef(`distro_redhat',`
 	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
 ')
@@ -68,8 +85,22 @@
 	')
 ')
 
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_fastcgi_script_t)
+	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_fastcgi_script_t)
+	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(httpd_fastcgi_script_t)
 	mysql_rw_db_sockets(httpd_fastcgi_script_t)
 ')
 
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
+')
+


Index: mod_fcgid-2.1-README.SELinux
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/F-7/mod_fcgid-2.1-README.SELinux,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_fcgid-2.1-README.SELinux	16 Feb 2007 14:20:03 -0000	1.1
+++ mod_fcgid-2.1-README.SELinux	15 Jun 2007 17:14:10 -0000	1.2
@@ -1,10 +1,11 @@
-Using mod_fcgid with SELinux in Fedora Core 5 onwards
-=====================================================
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+==============================================================
 
-Versions of this package built for Fedora Core 5 or later include an SELinux
-policy module to support FastCGI applications. This has only been tested so far
-with moin, so feedback from other applications is welcome. The intention is for
-this module to be included in the SELinux reference policy eventually.
+Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
+or later include an SELinux policy module to support FastCGI applications.
+This has only been tested so far with moin, so feedback from other applications
+is welcome. The intention is for this module to be included in the SELinux
+reference policy eventually.
 
 The module source (fastcgi.{fc,te}) is included for reference as documentation
 in the package.
@@ -36,7 +37,7 @@
    httpd_fastcgi_script_exec_t scripts to read/append to the file, and
    disallow other non-fastcgi scripts from access.
 
-So for the moin wiki layout described in README.Fedora of the main mod_fcgid
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
 package, the contexts would be set as follows:
 
     cd /var/www/mywiki
@@ -56,6 +57,16 @@
 useful if you have a mixture of CGI and FastCGI applications accessing the
 same data.
 
+The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
+FastCGI applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+    setsebool -P httpd_fastcgi_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your FastCGI applications could be
+exploited by a spammer.
+
 If you have any questions or issues regarding FastCGI and SELinux, please don't
 hesitate to bring them up on fedora-selinux-list.
 


Index: mod_fcgid.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/F-7/mod_fcgid.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- mod_fcgid.spec	16 Feb 2007 14:20:03 -0000	1.4
+++ mod_fcgid.spec	15 Jun 2007 17:14:10 -0000	1.5
@@ -1,5 +1,5 @@
-# FC5 and later include SELinux policy module packages
-%if 0%{?fedora} < 5
+# FC5, RHEL5 and later include SELinux policy module packages
+%if 0%{?fedora}%{?rhel} < 5
 %define selinux_module 0
 %define selinux_variants %{nil}
 %define selinux_buildreqs %{nil}
@@ -11,7 +11,7 @@
 
 Name:           mod_fcgid
 Version:        2.1
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        Apache2 module for high-performance server-side scripting 
 Group:          System Environment/Daemons
 License:        GPL
@@ -20,10 +20,11 @@
 Source1:        fcgid.conf
 Source2:        fastcgi.te
 Source3:        fastcgi.fc
-Source4:        mod_fcgid-2.1-README.Fedora
+Source4:        mod_fcgid-2.1-README.RPM
 Source5:        http://fastcgi.coremail.cn/doc.htm
 Source6:        http://fastcgi.coremail.cn/configuration.htm
 Source7:        mod_fcgid-2.1-README.SELinux
+Source8:        fastcgi-2.5.te
 Patch0:         mod_fcgid.2.1-docurls.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  httpd-devel >= 2.0
@@ -36,7 +37,8 @@
 as possible.
 
 %if %{selinux_module}
-%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define selinux_policynum %(echo %{selinux_policyver} | %{__awk} -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
 %package selinux
 Summary:          SELinux policy module supporting FastCGI applications with mod_fcgid
 Group:            System Environment/Base
@@ -61,9 +63,13 @@
 %prep
 %setup -q -n mod_fcgid.%{version}
 %{__cp} -p %{SOURCE1} fcgid.conf
+%if 0%{?selinux_policynum} < 20501
 %{__cp} -p %{SOURCE2} fastcgi.te
+%else
+%{__cp} -p %{SOURCE8} fastcgi.te
+%endif
 %{__cp} -p %{SOURCE3} fastcgi.fc
-%{__cp} -p %{SOURCE4} README.Fedora
+%{__cp} -p %{SOURCE4} README.RPM
 %{__cp} -p %{SOURCE5} directives.htm
 %{__cp} -p %{SOURCE6} configuration.htm
 %{__cp} -p %{SOURCE7} README.SELinux
@@ -136,10 +142,10 @@
 %files
 %defattr(-,root,root,-)
 %doc ChangeLog AUTHOR COPYING configuration.htm directives.htm
-%doc README.Fedora
+%doc README.RPM
 %{_libdir}/httpd/modules/mod_fcgid.so
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/fcgid.conf
-%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid
+%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid/
 
 %if %{selinux_module}
 %files selinux
@@ -149,6 +155,17 @@
 %endif
 
 %changelog
+* Fri Jun 15 2007 Paul Howarth <paul at city-fan.org> 2.1-3
+- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
+  and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
+  servers
+- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
+  permissions macros in the underlying selinux-policy package
+
+* Wed Mar 21 2007 Paul Howarth <paul at city-fan.org> 2.1-2
+- Add RHEL5 with SELinux support
+- Rename README.Fedora to README.RPM
+
 * Fri Feb 16 2007 Paul Howarth <paul at city-fan.org> 2.1-1
 - Update to 2.1
 - Update documentation and patches


--- mod_fcgid-2.1-README.Fedora DELETED ---




More information about the fedora-extras-commits mailing list