rpms/mod_fcgid/F-7 fastcgi-2.5.te, NONE, 1.1 mod_fcgid-2.1-README.RPM, NONE, 1.1 fastcgi.te, 1.1, 1.2 mod_fcgid-2.1-README.SELinux, 1.1, 1.2 mod_fcgid.spec, 1.4, 1.5 mod_fcgid-2.1-README.Fedora, 1.1, NONE
Paul Howarth (pghmcfc)
fedora-extras-commits at redhat.com
Fri Jun 15 17:14:45 UTC 2007
Author: pghmcfc
Update of /cvs/pkgs/rpms/mod_fcgid/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4976
Modified Files:
fastcgi.te mod_fcgid-2.1-README.SELinux mod_fcgid.spec
Added Files:
fastcgi-2.5.te mod_fcgid-2.1-README.RPM
Removed Files:
mod_fcgid-2.1-README.Fedora
Log Message:
Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
servers
Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
permissions macros in the underlying selinux-policy package
Add RHEL5 with SELinux support
Rename README.Fedora to README.RPM
--- NEW FILE fastcgi-2.5.te ---
# fastcgi-2.5.te: SELinux policy module confining FastCGI applications run
# under mod_fcgid. This is the variant of fastcgi.te built for selinux-policy
# 2.5.x and later, whose permission-set macro names differ from older releases.
policy_module(fastcgi, 0.2.0)
# Label for the unix sockets httpd creates to talk to mod_fcgid applications.
type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)
# Types from the base and apache modules that the rules below name directly.
require {
type devpts_t;
type httpd_t;
type httpd_config_t;
type httpd_log_t;
type httpd_sys_script_exec_t;
type httpd_sys_content_t;
};
# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================
# httpd_fastcgi_script_t and httpd_fastcgi_content_t are neither declared nor
# required in this file, so they come from this template invocation.
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
## <desc>
## <p>
## Allow FastCGI applications to write to public content
## </p>
## </desc>
# Boolean, default off.
gen_tunable(allow_httpd_fastcgi_script_anon_write,false)
## <desc>
## <p>
## Allow FastCGI applications to make outbound SMTP connections
## </p>
## </desc>
# Boolean, default off: an administrator must opt in before any FastCGI
# application can reach the SMTP port.
gen_tunable(httpd_fastcgi_can_sendmail,false)
# The rules inside each tunable_policy block apply only while that boolean
# is set.
tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
miscfiles_manage_public_files(httpd_fastcgi_script_t)
')
# Port-based: connect and send/receive on the SMTP port, not restricted to a
# particular destination host. Nothing here covers invoking a local sendmail
# binary.
tunable_policy(`httpd_fastcgi_can_sendmail',`
corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
')
# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
# Allow FastCGI applications to live alongside regular CGI apps:
# directory search only on the regular script and content types; no file
# read access to them is granted here.
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
# Allow FastCGI applications to read the routing table (read-only netlink
# route socket on self)
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use sockets for communicating with mod_fcgid
manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
# setattr on the socket directory itself; presumably httpd adjusts its
# mode/ownership at start-up -- confirm against mod_fcgid
allow httpd_t httpd_fastcgi_sock_t:dir { setattr };
# Allow httpd to read httpd_fastcgi_content_t (list directories, read files
# and symlinks; no write access)
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them: read/write on unix stream sockets labelled
# httpd_t, i.e. the sockets httpd hands over to the application
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# FastCGI application doing something to the httpd error log: silence the
# ioctl denial rather than grant it
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
# Not sure what this is doing (happens when fastcgi scripts start).
# NOTE(review): only the audit message is suppressed; the ioctl on the pty is
# still denied. Cause unconfirmed.
dontaudit httpd_t devpts_t:chr_file ioctl;
# ======================================================
# Equivalent policy cribbed from httpd_sys_script_t
# ======================================================
# Silence searches of the httpd config directory rather than permit them.
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
fs_search_auto_mountpoints(httpd_fastcgi_script_t)
files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)
# Should we add a boolean?
# NOTE(review): this domain transition to rotatelogs is unconditional for
# every FastCGI application; the question above is still open.
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
# Red Hat builds: append-only access to the httpd log files (no read).
ifdef(`distro_redhat',`
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')
# Home directory search, only in the targeted policy and only while
# httpd_enable_homedirs is set.
ifdef(`targeted_policy',`
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
')
')
# Data on NFS/CIFS shares: each block grants read of files and symlinks
# only. The booleans are not declared in this module; they come from the
# surrounding policy.
tunable_policy(`httpd_use_nfs', `
fs_read_nfs_files(httpd_fastcgi_script_t)
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_fastcgi_script_t)
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_use_cifs', `
fs_read_cifs_files(httpd_fastcgi_script_t)
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_fastcgi_script_t)
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')
# Optional blocks take effect only when the referenced policy module is
# available. MySQL: connect to and use the local database socket.
optional_policy(`
mysql_stream_connect(httpd_fastcgi_script_t)
mysql_rw_db_sockets(httpd_fastcgi_script_t)
')
# ClamAV: presumably a domain transition when an application runs clamscan
# -- confirm against the clamav module.
optional_policy(`
clamav_domtrans_clamscan(httpd_fastcgi_script_t)
')
--- NEW FILE mod_fcgid-2.1-README.RPM ---
Using the mod_fcgid RPM Package
===============================
This mod_fcgid package includes a configuration file
/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
added as the handler for .fcg, .fcgi, and .fpl applications (provided
mod_fastcgi is not already loaded, in which case you will need to decide which
module should handle which types of application).
So far the module package has only been tested in conjunction with the "moin"
wiki application. Further feedback regarding other applications is welcome.
Setting up moin with mod_fcgid
==============================
Setting up moin with mod_fcgid is very similar to setting it up as a regular
CGI application.
* Create a directory for your wiki instance:
DESTDIR=/var/www/mywiki
mkdir -p $DESTDIR/cgi-bin
* Copy in the wiki template data and the application itself:
cp -a /usr/share/moin/{data,underlay} $DESTDIR
cp -a /usr/share/moin/server/moin.fcg $DESTDIR/cgi-bin
cp -a /usr/share/moin/config/wikiconfig.py $DESTDIR/cgi-bin
* Fix the directory ownership
chown -R apache:apache $DESTDIR/{data,underlay}
* Edit $DESTDIR/cgi-bin/wikiconfig.py to suit your needs
* Create a httpd configuration file for the wiki, e.g.
/etc/httpd/conf.d/mywiki.conf
# Wiki application data common to all wiki instances
Alias /wiki/ "/usr/share/moin/htdocs/"
<Directory "/usr/share/moin/htdocs/">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# Wiki instance with mod_fcgid
<IfModule mod_fcgid.c>
ScriptAlias /mywiki "/var/www/mywiki/cgi-bin/moin.fcg"
<Directory "/var/www/mywiki/cgi-bin/">
Options Indexes FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</IfModule>
* If you are using SELinux with Fedora Core 5 or later, or Red Hat Enterprise
Linux 5 or later, install the mod_fcgid-selinux package and see the
README.SELinux file in that package for details of the file contexts to use
* Restart the web server to load the new configuration:
service httpd restart
That should do it!
Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/F-7/fastcgi.te,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- fastcgi.te 6 Sep 2006 13:08:59 -0000 1.1
+++ fastcgi.te 15 Jun 2007 17:14:10 -0000 1.2
@@ -1,4 +1,4 @@
-policy_module(fastcgi, 0.1.6)
+policy_module(fastcgi, 0.1.7)
type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)
@@ -19,6 +19,18 @@
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
+## <desc>
+## <p>
+## Allow FastCGI applications to make outbound SMTP connections
+## </p>
+## </desc>
+gen_tunable(httpd_fastcgi_can_sendmail,false)
+
+tunable_policy(`httpd_fastcgi_can_sendmail',`
+ corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
+ corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
+')
+
# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
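Review bot: The `## <desc>` text for the new `httpd_fastcgi_can_sendmail` tunable should state the scope of what it grants: the two rules inside the block allow connect and send/receive on the SMTP port only, so an application that calls a local sendmail binary rather than speaking SMTP is not enabled by this boolean, and the port-based rule does not restrict the destination host. Suggest `## Allow FastCGI applications to make outbound SMTP connections (network connections to the SMTP port on any host; does not cover executing a local MTA)`. The same description appears in the new fastcgi-2.5.te and would need the same change.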
@@ -55,9 +67,14 @@
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
+fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+
files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+
ifdef(`distro_redhat',`
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')
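Review bot: `apache_domtrans_rotatelogs(httpd_fastcgi_script_t)` is added unconditionally while the comment above it, `# Should we add a boolean?`, leaves the decision open; a shipped policy should either gate the transition behind a tunable or replace the question with the reason every FastCGI application needs to run rotatelogs. If the transition is intended, suggest `# Unconditional: FastCGI apps may exec rotatelogs and transition to its domain; no boolean yet` so the next maintainer does not reopen the question. The identical comment is present in the new fastcgi-2.5.te.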
@@ -68,8 +85,22 @@
')
')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_fastcgi_script_t)
+ fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_fastcgi_script_t)
+ fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
optional_policy(`
mysql_stream_connect(httpd_fastcgi_script_t)
mysql_rw_db_sockets(httpd_fastcgi_script_t)
')
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_fastcgi_script_t)
+')
+
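Review bot: This revision gates NFS/CIFS access only on the home-directory booleans, whereas the new fastcgi-2.5.te also honours `httpd_use_nfs` and `httpd_use_cifs`, and neither file nor README.SELinux says which set applies to a given policy version. Presumably those two booleans are absent in the older policy this file targets; if so, suggest a comment before the new blocks such as `# httpd_use_nfs / httpd_use_cifs are handled only in fastcgi-2.5.te (newer policy)`. It is also worth noting in the same comment that the access granted is read-only (files and symlinks), since the changelog wording "supporting accessing data" does not say so.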
Index: mod_fcgid-2.1-README.SELinux
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/F-7/mod_fcgid-2.1-README.SELinux,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_fcgid-2.1-README.SELinux 16 Feb 2007 14:20:03 -0000 1.1
+++ mod_fcgid-2.1-README.SELinux 15 Jun 2007 17:14:10 -0000 1.2
@@ -1,10 +1,11 @@
-Using mod_fcgid with SELinux in Fedora Core 5 onwards
-=====================================================
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+==============================================================
-Versions of this package built for Fedora Core 5 or later include an SELinux
-policy module to support FastCGI applications. This has only been tested so far
-with moin, so feedback from other applications is welcome. The intention is for
-this module to be included in the SELinux reference policy eventually.
+Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
+or later include an SELinux policy module to support FastCGI applications.
+This has only been tested so far with moin, so feedback from other applications
+is welcome. The intention is for this module to be included in the SELinux
+reference policy eventually.
The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.
@@ -36,7 +37,7 @@
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
disallow other non-fastcgi scripts from access.
-So for the moin wiki layout described in README.Fedora of the main mod_fcgid
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
package, the contexts would be set as follows:
cd /var/www/mywiki
@@ -56,6 +57,16 @@
useful if you have a mixture of CGI and FastCGI applications accessing the
same data.
+The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
+FastCGI applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+ setsebool -P httpd_fastcgi_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your FastCGI applications could be
+exploited by a spammer.
+
If you have any questions or issues regarding FastCGI and SELinux, please don't
hesitate to bring them up on fedora-selinux-list.
Index: mod_fcgid.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/F-7/mod_fcgid.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- mod_fcgid.spec 16 Feb 2007 14:20:03 -0000 1.4
+++ mod_fcgid.spec 15 Jun 2007 17:14:10 -0000 1.5
@@ -1,5 +1,5 @@
-# FC5 and later include SELinux policy module packages
-%if 0%{?fedora} < 5
+# FC5, RHEL5 and later include SELinux policy module packages
+%if 0%{?fedora}%{?rhel} < 5
%define selinux_module 0
%define selinux_variants %{nil}
%define selinux_buildreqs %{nil}
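Review bot: `%if 0%{?fedora}%{?rhel} < 5` depends on string concatenation: with exactly one of the two macros defined it yields e.g. `07` or `05`, with neither it is `0` (taking the no-SELinux branch), and if both were ever defined at once the digits would run together into an unrelated number. That is correct for the expected build targets but not obvious to a reader; suggest the comment `# concatenates whichever of %fedora/%rhel is defined onto a leading 0; assumes only one is set`.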
@@ -11,7 +11,7 @@
Name: mod_fcgid
Version: 2.1
-Release: 1%{?dist}
+Release: 3%{?dist}
Summary: Apache2 module for high-performance server-side scripting
Group: System Environment/Daemons
License: GPL
@@ -20,10 +20,11 @@
Source1: fcgid.conf
Source2: fastcgi.te
Source3: fastcgi.fc
-Source4: mod_fcgid-2.1-README.Fedora
+Source4: mod_fcgid-2.1-README.RPM
Source5: http://fastcgi.coremail.cn/doc.htm
Source6: http://fastcgi.coremail.cn/configuration.htm
Source7: mod_fcgid-2.1-README.SELinux
+Source8: fastcgi-2.5.te
Patch0: mod_fcgid.2.1-docurls.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: httpd-devel >= 2.0
@@ -36,7 +37,8 @@
as possible.
%if %{selinux_module}
-%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define selinux_policynum %(echo %{selinux_policyver} | %{__awk} -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
%package selinux
Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
Group: System Environment/Base
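Review bot: The new `selinux_policynum` definition is used for a numeric `%if` later in the spec but nothing explains its encoding; suggest `# pack MAJOR.MINOR.PATCH of the installed selinux-policy into MMmmpp, e.g. 2.5.1 -> 20501`, which follows from the `%d%02d%02d` format. Since the whole body sits inside a `%define`, the awk format is also exposed to rpm macro expansion; builds presumably pass with `%d` left alone, but the defensive spelling is `%%d%%02d%%02d`. If `/usr/share/selinux/devel/policyhelp` is missing, `selinux_policyver` is empty and the pack yields zeros, which the `0%{?selinux_policynum}` guard further down then treats as an old policy.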
@@ -61,9 +63,13 @@
%prep
%setup -q -n mod_fcgid.%{version}
%{__cp} -p %{SOURCE1} fcgid.conf
+%if 0%{?selinux_policynum} < 20501
%{__cp} -p %{SOURCE2} fastcgi.te
+%else
+%{__cp} -p %{SOURCE8} fastcgi.te
+%endif
%{__cp} -p %{SOURCE3} fastcgi.fc
-%{__cp} -p %{SOURCE4} README.Fedora
+%{__cp} -p %{SOURCE4} README.RPM
%{__cp} -p %{SOURCE5} directives.htm
%{__cp} -p %{SOURCE6} configuration.htm
%{__cp} -p %{SOURCE7} README.SELinux
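Review bot: The threshold in `%if 0%{?selinux_policynum} < 20501` is unexplained at the point of use; the changelog attributes the switch to changed permission macros on Fedora 7, and 20501 decodes to policy 2.5.1 under the packing used above. Suggest the comment `# selinux-policy >= 2.5.1 (Fedora 7) renamed the permission-set macros; use the 2.5 variant of the policy source` above the `%if`. The `%prep` section continues beyond this hunk.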
@@ -136,10 +142,10 @@
%files
%defattr(-,root,root,-)
%doc ChangeLog AUTHOR COPYING configuration.htm directives.htm
-%doc README.Fedora
+%doc README.RPM
%{_libdir}/httpd/modules/mod_fcgid.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/fcgid.conf
-%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid
+%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid/
%if %{selinux_module}
%files selinux
@@ -149,6 +155,17 @@
%endif
%changelog
+* Fri Jun 15 2007 Paul Howarth <paul at city-fan.org> 2.1-3
+- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
+ and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
+ servers
+- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
+ permissions macros in the underlying selinux-policy package
+
+* Wed Mar 21 2007 Paul Howarth <paul at city-fan.org> 2.1-2
+- Add RHEL5 with SELinux support
+- Rename README.Fedora to README.RPM
+
* Fri Feb 16 2007 Paul Howarth <paul at city-fan.org> 2.1-1
- Update to 2.1
- Update documentation and patches
--- mod_fcgid-2.1-README.Fedora DELETED ---