rpms/mod_fcgid/devel fastcgi-2.5.te, 1.3, 1.4 fastcgi.fc, 1.2, 1.3 fastcgi.te, 1.4, 1.5 mod_fcgid-2.1-README.SELinux, 1.2, 1.3 mod_fcgid.spec, 1.12, 1.13
Paul Howarth
pghmcfc at fedoraproject.org
Wed Oct 22 10:32:04 UTC 2008
Author: pghmcfc
Update of /cvs/pkgs/rpms/mod_fcgid/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9793
Modified Files:
fastcgi-2.5.te fastcgi.fc fastcgi.te
mod_fcgid-2.1-README.SELinux mod_fcgid.spec
Log Message:
Merge fastcgi SELinux policy with system script policy
Index: fastcgi-2.5.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi-2.5.te,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- fastcgi-2.5.te 14 Jan 2008 11:46:12 -0000 1.3
+++ fastcgi-2.5.te 22 Oct 2008 10:31:34 -0000 1.4
@@ -1,131 +1,137 @@
-policy_module(fastcgi, 0.2.2)
+# This policy module provides support for mod_fcgid using the httpd system script domain.
+# It provides "allow" rules that will overlap to varying degrees with selinux-policy
+# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
+# as updates for selinux-policy in Fedora 8, 9, and 10.
+#
+# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
+# which is now an alias for httpd_sys_script_t.
-type httpd_fastcgi_var_run_t;
-files_type(httpd_fastcgi_var_run_t)
+policy_module(fastcgi, 0.2.6)
require {
type devpts_t;
type httpd_t;
type httpd_config_t;
type httpd_log_t;
- type httpd_sys_script_exec_t;
type httpd_sys_content_t;
+ type httpd_sys_content_ra_t;
+ type httpd_sys_content_ro_t;
+ type httpd_sys_content_rw_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_ra_t;
+ type httpd_sys_script_ro_t;
+ type httpd_sys_script_rw_t;
+ type httpd_sys_script_t;
type httpd_tmp_t;
+ type httpd_var_run_t;
};
+# Type aliases for contexts used with older policy modules
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
+typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
+
# ==========================================================
-# Create and use httpd_fastcgi_script_t for mod_fcgid apps
+# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================
-apache_content_template(fastcgi)
-kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
-
-## <desc>
-## <p>
-## Allow FastCGI applications to write to public content
-## </p>
-## </desc>
-gen_tunable(allow_httpd_fastcgi_script_anon_write,false)
-
-## <desc>
-## <p>
-## Allow FastCGI applications to make outbound SMTP connections
-## </p>
-## </desc>
-gen_tunable(httpd_fastcgi_can_sendmail,false)
-
-tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
- miscfiles_manage_public_files(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_fastcgi_can_sendmail',`
- corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
-')
+# Included in selinux-policy 2.6.4 (F7)
+#kernel_read_kernel_sysctls(httpd_sys_script_t)
# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_fastcgi_script_t)
-
-# Allow FastCGI applications to live alongside regular CGI apps
-allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
-allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
+sysnet_dns_name_resolve(httpd_sys_script_t)
# Allow FastCGI applications to read the routing table
-allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
+allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
-manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
-manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
-setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
-
-# Allow httpd to read httpd_fastcgi_content_t
-allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
-read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
+# Included in selinux-policy 2.6.4 (F7) apart from dir setattr
+#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+
+# Allow httpd to read httpd_sys_content_t
+# Included in selinux-policy 2.6.4 (F7)
+#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
+#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
-allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
-dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
+dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# ======================================================
-# Equivalent policy cribbed from httpd_sys_script_t
+# Rules cribbed from recent httpd_sys_script_t policy
# ======================================================
-dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
-
-fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+# Included in selinux-policy 2.6.4 (F7)
+#dontaudit httpd_sys_script_t httpd_config_t:dir search;
+#
+#fs_search_auto_mountpoints(httpd_sys_script_t)
# PHP uploads a file to /tmp and then execs programs to action them
-manage_dirs_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t)
-manage_files_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t)
-files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-files_search_var_lib(httpd_fastcgi_script_t)
-files_search_spool(httpd_fastcgi_script_t)
+# Included in selinux-policy 2.6.4 (F7) apart from filetrans
+#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
+
+# Included in selinux-policy 2.6.4 (F7)
+#files_search_var_lib(httpd_sys_script_t)
+#files_search_spool(httpd_sys_script_t)
# Should we add a boolean?
-apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+# Included in selinux-policy 2.6.4 (F7)
+#apache_domtrans_rotatelogs(httpd_sys_script_t)
-ifdef(`distro_redhat',`
- allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
-')
-
-ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
- ')
-')
-
-tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_fastcgi_script_t)
- fs_read_nfs_symlinks(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(httpd_fastcgi_script_t)
- fs_read_nfs_symlinks(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_use_cifs', `
- fs_read_cifs_files(httpd_fastcgi_script_t)
- fs_read_cifs_symlinks(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_fastcgi_script_t)
- fs_read_cifs_symlinks(httpd_fastcgi_script_t)
-')
-
-optional_policy(`
- mysql_stream_connect(httpd_fastcgi_script_t)
- mysql_rw_db_sockets(httpd_fastcgi_script_t)
-')
-
-optional_policy(`
- clamav_domtrans_clamscan(httpd_fastcgi_script_t)
-')
+# Included in selinux-policy 2.6.4 (F7)
+#ifdef(`distro_redhat',`
+# allow httpd_sys_script_t httpd_log_t:file { getattr append };
+#')
+#
+#ifdef(`targeted_policy',`
+# tunable_policy(`httpd_enable_homedirs',`
+# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
+# ')
+#')
+#
+#tunable_policy(`httpd_use_nfs', `
+# fs_read_nfs_files(httpd_sys_script_t)
+# fs_read_nfs_symlinks(httpd_sys_script_t)
+#')
+#
+#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+# fs_read_nfs_files(httpd_sys_script_t)
+# fs_read_nfs_symlinks(httpd_sys_script_t)
+#')
+#
+#tunable_policy(`httpd_use_cifs', `
+# fs_read_cifs_files(httpd_sys_script_t)
+# fs_read_cifs_symlinks(httpd_sys_script_t)
+#')
+#
+#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+# fs_read_cifs_files(httpd_sys_script_t)
+# fs_read_cifs_symlinks(httpd_sys_script_t)
+#')
+#
+#optional_policy(`
+# mysql_stream_connect(httpd_sys_script_t)
+# mysql_rw_db_sockets(httpd_sys_script_t)
+#')
+#
+#optional_policy(`
+# clamav_domtrans_clamscan(httpd_sys_script_t)
+#')
Index: fastcgi.fc
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi.fc,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- fastcgi.fc 14 Jan 2008 11:46:12 -0000 1.2
+++ fastcgi.fc 22 Oct 2008 10:31:34 -0000 1.3
@@ -1 +1 @@
-/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_var_run_t,s0)
+/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi.te,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- fastcgi.te 14 Jan 2008 11:46:12 -0000 1.4
+++ fastcgi.te 22 Oct 2008 10:31:34 -0000 1.5
@@ -1,111 +1,128 @@
-policy_module(fastcgi, 0.1.9)
+policy_module(fastcgi, 0.1.10)
-type httpd_fastcgi_var_run_t;
-files_type(httpd_fastcgi_var_run_t)
+# This policy module provides support for mod_fcgid using the httpd system script domain.
+# It provides "allow" rules that will overlap to varying degrees with selinux-policy
+# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
+# as updates for selinux-policy in Fedora 8, 9, and 10.
+#
+# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
+# which is now an alias for httpd_sys_script_t.
require {
type devpts_t;
type httpd_t;
- type httpd_config_t;
+ #type httpd_config_t;
type httpd_log_t;
- type httpd_sys_script_exec_t;
type httpd_sys_content_t;
+ type httpd_sys_content_ra_t;
+ type httpd_sys_content_ro_t;
+ type httpd_sys_content_rw_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_ra_t;
+ type httpd_sys_script_ro_t;
+ type httpd_sys_script_rw_t;
+ type httpd_sys_script_t;
type httpd_tmp_t;
+ type httpd_var_run_t;
};
+# Type aliases for contexts used with older policy modules
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
+typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
# ==========================================================
-# Create and use httpd_fastcgi_script_t for mod_fcgid apps
+# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================
-apache_content_template(fastcgi)
-kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
-
-## <desc>
-## <p>
-## Allow FastCGI applications to make outbound SMTP connections
-## </p>
-## </desc>
-gen_tunable(httpd_fastcgi_can_sendmail,false)
-
-tunable_policy(`httpd_fastcgi_can_sendmail',`
- corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
-')
+# Included in selinux-policy 2.3.7 (FC5)
+#kernel_read_kernel_sysctls(httpd_sys_script_t)
# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_fastcgi_script_t)
-
-# Allow FastCGI applications to live alongside regular CGI apps
-allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
-allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
+sysnet_dns_name_resolve(httpd_sys_script_t)
# Allow FastCGI applications to read the routing table
-allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
+allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
-allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };
-allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };
-allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };
+# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr
+#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
+#allow httpd_t httpd_var_run_t:file { create_file_perms };
+#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
+allow httpd_t httpd_var_run_t:dir setattr;
-# Allow httpd to read httpd_fastcgi_content_t
+# Allow httpd to read httpd_sys_content_t
# (shouldn't this be in the content template?)
-allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms;
-allow httpd_t httpd_fastcgi_content_t:file r_file_perms;
-allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };
+# Included in selinux-policy 2.3.7 (FC5)
+#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
+#allow httpd_t httpd_sys_content_t:file r_file_perms;
+#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
-allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
-dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
+dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# ======================================================
-# Equivalent policy cribbed from httpd_sys_script_t
+# Rules cribbed from recent httpd_sys_script_t policy
# ======================================================
-dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
+# Included in selinux-policy 2.3.7 (FC5)
+#dontaudit httpd_sys_script_t httpd_config_t:dir search;
-fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
# PHP uploads a file to /tmp and then execs programs to action them
-allow httpd_fastcgi_script_t httpd_tmp_t:dir manage_dir_perms;
-allow httpd_fastcgi_script_t httpd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-files_search_var_lib(httpd_fastcgi_script_t)
-files_search_spool(httpd_fastcgi_script_t)
+allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
+allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
+
+# Included in selinux-policy 2.3.7 (FC5)
+#files_search_var_lib(httpd_sys_script_t)
+#files_search_spool(httpd_sys_script_t)
# Should we add a boolean?
-apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+# Included in selinux-policy 2.3.7 (FC5)
+#apache_domtrans_rotatelogs(httpd_sys_script_t)
-ifdef(`distro_redhat',`
- allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
-')
-
-ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
- ')
-')
+# Included in selinux-policy 2.3.7 (FC5)
+#ifdef(`distro_redhat',`
+# allow httpd_sys_script_t httpd_log_t:file { getattr append };
+#')
+#
+#ifdef(`targeted_policy',`
+# tunable_policy(`httpd_enable_homedirs',`
+# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
+# ')
+#')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(httpd_fastcgi_script_t)
- fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_fastcgi_script_t)
- fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
-optional_policy(`
- mysql_stream_connect(httpd_fastcgi_script_t)
- mysql_rw_db_sockets(httpd_fastcgi_script_t)
-')
-
-optional_policy(`
- clamav_domtrans_clamscan(httpd_fastcgi_script_t)
-')
+# Included in selinux-policy 2.3.7 (FC5)
+#optional_policy(`
+# mysql_stream_connect(httpd_sys_script_t)
+# mysql_rw_db_sockets(httpd_sys_script_t)
+#')
+#
+#optional_policy(`
+# clamav_domtrans_clamscan(httpd_sys_script_t)
+#')
Index: mod_fcgid-2.1-README.SELinux
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/mod_fcgid-2.1-README.SELinux,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- mod_fcgid-2.1-README.SELinux 15 Jun 2007 17:09:39 -0000 1.2
+++ mod_fcgid-2.1-README.SELinux 22 Oct 2008 10:31:34 -0000 1.3
@@ -4,67 +4,60 @@
Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
or later include an SELinux policy module to support FastCGI applications.
This has only been tested so far with moin, so feedback from other applications
-is welcome. The intention is for this module to be included in the SELinux
-reference policy eventually.
+is welcome. The policy included here is a transitional policy that will soon
+be included in the selinux-policy package for Fedora 8 onwards, and the
+mod_fcgid-selinux package will be obsoleted when that happens.
The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.
-The module introduces a new set of SELinux types for FastCGI applications,
-comparable with the types described in "man httpd_selinux" for regular CGI
-scripts (or "system scripts" as they are known in SELinux):
+The module uses the same set of SELinux types for FastCGI applications as for
+regular CGI scripts (or "system scripts" as they are known in SELinux), as
+described in "man httpd_selinux".
- * httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
- - Set files with httpd_fastcgi_content_t for content that is available
+ * httpd_sys_content_t
+ - Set files with httpd_sys_content_t for content that is available
from all FastCGI scripts and the daemon.
- * httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
- - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
- with access to all fastcgi types.
-
- * httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
- - Set files with httpd_fastcgi_script_ro_t if you want
- httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
- non-fastcgi scripts from access.
-
- * httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
- - Set files with httpd_fastcgi_script_rw_t if you want
- httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
- other non-fastcgi scripts from access.
-
- * httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
- - Set files with httpd_fastcgi_script_ra_t if you want
- httpd_fastcgi_script_exec_t scripts to read/append to the file, and
- disallow other non-fastcgi scripts from access.
+ * httpd_sys_script_exec_t
+ - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
+ with access to all system script types.
+
+ * httpd_sys_script_ro_t
+ - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
+ scripts to read but not write the data, and disallow other processes from
+ access.
+
+ * httpd_sys_script_rw_t
+ - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
+ scripts to read/write the data, and disallow other processes from access.
+
+ * httpd_sys_script_ra_t
+ - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
+ scripts to read/append to the file, and disallow other processes from
+ access.
So for the moin wiki layout described in README.RPM of the main mod_fcgid
package, the contexts would be set as follows:
cd /var/www/mywiki
- chcon -t httpd_fastcgi_content_t .
- chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
- chcon -R -t httpd_fastcgi_script_rw_t data underlay
+ chcon -t httpd_sys_content_t .
+ chcon -R -t httpd_sys_script_exec_t cgi-bin
+ chcon -R -t httpd_sys_script_rw_t data underlay
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
or FastCGI scripts:
setsebool -P httpd_enable_cgi 1
-If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
-each other's data. This means that you only need to set the actual FastCGI
-scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
-contexts for everything else set to the "sys" types if you prefer. This is
-useful if you have a mixture of CGI and FastCGI applications accessing the
-same data.
-
-The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
-FastCGI applications can make outbound SMTP connections (e.g. moin sending
+The httpd_can_sendmail boolean is used to specify whether any of your
+web applications can make outbound SMTP connections (e.g. moin sending
notifications). By default it is off, but can be enabled as follows:
- setsebool -P httpd_fastcgi_can_sendmail 1
+ setsebool -P httpd_can_sendmail 1
Only enable this functionality if you actually need it, since it increases the
-chances that any vulnerability in any of your FastCGI applications could be
+chances that any vulnerability in any of your web applications could be
exploited by a spammer.
If you have any questions or issues regarding FastCGI and SELinux, please don't
Index: mod_fcgid.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/mod_fcgid.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- mod_fcgid.spec 24 Jul 2008 16:04:55 -0000 1.12
+++ mod_fcgid.spec 22 Oct 2008 10:31:34 -0000 1.13
@@ -1,9 +1,11 @@
-# FC5, RHEL5 and later include SELinux policy module packages
+# Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package
+# Fedora 8,9,10 versions will include policy in errata selinux-policy releases
%if 0%{?fedora}%{?rhel} < 5
%define selinux_module 0
%define selinux_variants %{nil}
%define selinux_buildreqs %{nil}
%else
+# Temporarily build merged policy to make sure it works
%define selinux_module 1
%define selinux_variants mls strict targeted
%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
@@ -11,7 +13,7 @@
Name: mod_fcgid
Version: 2.2
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Apache2 module for high-performance server-side scripting
Group: System Environment/Daemons
License: GPL+
@@ -122,7 +124,7 @@
/usr/sbin/semodule -s ${selinuxvariant} -i \
%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
done
-# Fix up non-standard directory context
+# Fix up non-standard directory context from earlier packages
/sbin/restorecon -R %{_localstatedir}/run/mod_fcgid || :
%postun selinux
@@ -155,6 +157,10 @@
%endif
%changelog
+* Tue Oct 21 2008 Paul Howarth <paul at city-fan.org> 2.2-6
+- SELinux policy module rewritten to merge fastcgi and system script domains
+ in preparation for merge into main selinux-policy package (#462318)
+
* Thu Jul 24 2008 Paul Howarth <paul at city-fan.org> 2.2-5
- Tweak selinux-policy version detection macro to work with current Rawhide
More information about the fedora-extras-commits
mailing list