mod_fcgid/README.SELinux

CONFIGURING SELINUX FOR CONTAGGED
=================================

The contagged RPM package for Fedora Core 5 and later includes a policy module
that ensures that all files required by the application get the correct
SELinux file contexts.

However, there are a few SELinux booleans you need to set in order to use
contagged:

    # setsebool -P httpd_builtin_scripting 1
    # setsebool -P httpd_enable_cgi 1
    # setsebool -P httpd_unified 1

It is necessary to set these booleans because contagged is a PHP application.
It is not necessary to set the httpd_can_network_connect boolean because the
web server is allowed to connect to LDAP servers by default.

If you are using an older distribution that does not support SELinux policy
modules, you will need to set the file contexts manually:

    # chcon -R -t httpd_cache_t /var/cache/contagged

You will need to repeat this step if the filesystem is relabelled.

Once the configuration is set up as required, restart httpd:

    # service httpd restart
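
To confirm the settings above took effect, the following added example (not
part of the contagged package) parses getsebool output and checks the cache
directory's type. It assumes the "name --> on|off" output format and that
httpd_cache_t is the expected type, as in the manual chcon step; function names
are hypothetical. Run it with --live on the host, or with no argument to try
the parser on the constructed sample.

```shell
#!/bin/sh
# Added example (not from the contagged package): audit the settings above.
REQUIRED_BOOLEANS="httpd_builtin_scripting httpd_enable_cgi httpd_unified"

# Read "name --> on|off" lines (the getsebool format, assumed here) on stdin
# and print every required boolean that is absent or not "on".
missing_booleans() {
    input=$(cat)
    for b in $REQUIRED_BOOLEANS; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$b" '$1 == n && $2 == "-->" { print $3 }')
        [ "$state" = "on" ] || printf '%s\n' "$b"
    done
}

# Print the type field of a context string "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed sample input, so the parser can be tried without SELinux.
sample_getsebool() {
    cat <<'EOF'
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> off
httpd_unified --> on
EOF
}

# Check the running system; returns 0 only if everything matches the README.
check_live() {
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not found" >&2; return 2; }
    rc=0
    missing=$(getsebool -a | missing_booleans)
    [ -z "$missing" ] || { echo "booleans not on:" $missing; rc=1; }
    ctx=$(stat -c %C /var/cache/contagged 2>/dev/null)
    [ "$(context_type "$ctx")" = "httpd_cache_t" ] ||
        { echo "/var/cache/contagged has context: ${ctx:-unknown}"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then check_live; else sample_getsebool | missing_booleans; fi
```
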

ABOUT THE PACKAGE
=================

One of the reasons for building this package was to provide an example of how
to include a custom SELinux policy module with an RPM package. It's unfortunate
that the kludge of having to use restorecon in the post-install script is
required but updates to rpm will be necessary before that can be avoided - see:

    http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00098.html

An alternative approach (instead of using a loadable policy module) that some
people have taken, particularly where the only required policy customisation is
for file contexts, is to use semanage to add additional fcontext objects to the
running policy. A significant disadvantage of this approach is that it's harder
to manage future changes to policy, since all later versions of a package must
be able to "undo" the policy fixes (e.g. remove fcontext objects) set up by all
earlier versions of the package if there are changes to policy in later
versions. Using policy modules makes this very easy, since semodule handles the
upgrades very neatly (modules have version numbers).