mod_fcgid/mod_fcgid-2.1-README.SELinux

Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
==============================================================

Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
or later include an SELinux policy module to support FastCGI applications.
This has only been tested so far with moin, so feedback from other applications
is welcome. The intention is for this module to be included in the SELinux
reference policy eventually.

The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.

The module introduces a new set of SELinux types for FastCGI applications,
comparable with the types described in "man httpd_selinux" for regular CGI
scripts (or "system scripts" as they are known in SELinux):

 * httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
 - Set files with httpd_fastcgi_content_t for content that is available
   from all FastCGI scripts and the daemon.

 * httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
 - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
   with access to all fastcgi types.

 * httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
 - Set files with httpd_fastcgi_script_ro_t if you want
   httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
   non-fastcgi scripts from access.

 * httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
 - Set files with httpd_fastcgi_script_rw_t if you want
   httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
   other non-fastcgi scripts from access.

 * httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
 - Set files with httpd_fastcgi_script_ra_t if you want
   httpd_fastcgi_script_exec_t scripts to read/append to the file, and
   disallow other non-fastcgi scripts from access.

So for the moin wiki layout described in README.RPM of the main mod_fcgid
package, the contexts would be set as follows:

    cd /var/www/mywiki
    chcon -t httpd_fastcgi_content_t .
    chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
    chcon -R -t httpd_fastcgi_script_rw_t data underlay

It is necessary to turn on the httpd_enable_cgi boolean to run either regular
or FastCGI scripts:

    setsebool -P httpd_enable_cgi 1

If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
each other's data. This means that you only need to set the actual FastCGI
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
contexts for everything else set to the "sys" types if you prefer. This is
useful if you have a mixture of CGI and FastCGI applications accessing the
same data.

The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
FastCGI applications can make outbound SMTP connections (e.g. moin sending
notifications). By default it is off, but can be enabled as follows:

    setsebool -P httpd_fastcgi_can_sendmail 1

Only enable this functionality if you actually need it, since it increases the
chances that any vulnerability in any of your FastCGI applications could be
exploited by a spammer.

If you have any questions or issues regarding FastCGI and SELinux, please don't
hesitate to bring them up on fedora-selinux-list.
Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards`
			`==============================================================`
Include the right README* files (pesky common filenames...) 2006-09-06 13:47:08 +00:00
Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5`
			`or later include an SELinux policy module to support FastCGI applications.`
			`This has only been tested so far with moin, so feedback from other applications`
			`is welcome. The intention is for this module to be included in the SELinux`
			`reference policy eventually.`
Include the right README* files (pesky common filenames...) 2006-09-06 13:47:08 +00:00
			`The module source (fastcgi.{fc,te}) is included for reference as documentation`
			`in the package.`

			`The module introduces a new set of SELinux types for FastCGI applications,`
			`comparable with the types described in "man httpd_selinux" for regular CGI`
			`scripts (or "system scripts" as they are known in SELinux):`

			`* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)`
			`- Set files with httpd_fastcgi_content_t for content that is available`
			`from all FastCGI scripts and the daemon.`

			`* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)`
			`- Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run`
			`with access to all fastcgi types.`

			`* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)`
			`- Set files with httpd_fastcgi_script_ro_t if you want`
			`httpd_fastcgi_script_exec_t scripts to read the data, and disallow other`
			`non-fastcgi scripts from access.`

			`* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)`
			`- Set files with httpd_fastcgi_script_rw_t if you want`
			`httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow`
			`other non-fastcgi scripts from access.`

			`* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)`
			`- Set files with httpd_fastcgi_script_ra_t if you want`
			`httpd_fastcgi_script_exec_t scripts to read/append to the file, and`
			`disallow other non-fastcgi scripts from access.`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`So for the moin wiki layout described in README.RPM of the main mod_fcgid`
Include the right README* files (pesky common filenames...) 2006-09-06 13:47:08 +00:00			`package, the contexts would be set as follows:`

			`cd /var/www/mywiki`
			`chcon -t httpd_fastcgi_content_t .`
			`chcon -R -t httpd_fastcgi_script_exec_t cgi-bin`
			`chcon -R -t httpd_fastcgi_script_rw_t data underlay`

			`It is necessary to turn on the httpd_enable_cgi boolean to run either regular`
			`or FastCGI scripts:`

			`setsebool -P httpd_enable_cgi 1`

			`If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access`
			`each other's data. This means that you only need to set the actual FastCGI`
			`scripts themselves to httpd_fastcgi_script_exec_t and can leave the file`
			`contexts for everything else set to the "sys" types if you prefer. This is`
			`useful if you have a mixture of CGI and FastCGI applications accessing the`
			`same data.`

Forgot a couple of doc updates... 2007-06-15 17:09:39 +00:00			`The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your`
			`FastCGI applications can make outbound SMTP connections (e.g. moin sending`
			`notifications). By default it is off, but can be enabled as follows:`

			`setsebool -P httpd_fastcgi_can_sendmail 1`

			`Only enable this functionality if you actually need it, since it increases the`
			`chances that any vulnerability in any of your FastCGI applications could be`
			`exploited by a spammer.`

Include the right README* files (pesky common filenames...) 2006-09-06 13:47:08 +00:00			`If you have any questions or issues regarding FastCGI and SELinux, please don't`
			`hesitate to bring them up on fedora-selinux-list.`
auto-import mod_fcgid-1.10-6 on branch devel from mod_fcgid-1.10-6.src.rpm 2006-09-06 13:08:59 +00:00