From 03b907b2493bf91677cb7b17d5a325a5772af667 Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Fri, 26 Jan 2018 19:59:25 +0000
Subject: [PATCH] Spec clean-up

- Drop SELinux policy module: all supported targets have it in base policy now
- Update README.SELinux to current types and ship it
- Use forward-looking conditionals
- One build requirement per line
- Drop legacy Group: tag
---
 fastcgi-2.5.te | 63 ------------
 fastcgi.fc | 1 -
 fastcgi.te | 71 ------------
 mod_fcgid-2.1-README.SELinux | 32 ++----
 mod_fcgid.spec | 193 +++++++++--------------------------
 5 files changed, 58 insertions(+), 302 deletions(-)
 delete mode 100644 fastcgi-2.5.te
 delete mode 100644 fastcgi.fc
 delete mode 100644 fastcgi.te

diff --git a/fastcgi-2.5.te b/fastcgi-2.5.te
deleted file mode 100644
index c691308..0000000
--- a/fastcgi-2.5.te
+++ /dev/null
@@ -1,63 +0,0 @@
-# This policy module provides support for mod_fcgid using the httpd system script domain.
-# It provides "allow" rules that will overlap to varying degrees with selinux-policy
-# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
-# as updates for selinux-policy in Fedora 8, 9, and 10.
-#
-# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
-#
-# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
-# which is now an alias for httpd_sys_script_t.
-
-policy_module(fastcgi, 0.2.6)
-
-require {
- type devpts_t;
- type httpd_t;
- type httpd_log_t;
- type httpd_sys_content_t;
- type httpd_sys_content_ra_t;
- type httpd_sys_content_ro_t;
- type httpd_sys_content_rw_t;
- type httpd_sys_script_exec_t;
- type httpd_sys_script_ra_t;
- type httpd_sys_script_ro_t;
- type httpd_sys_script_rw_t;
- type httpd_sys_script_t;
- type httpd_tmp_t;
- type httpd_var_run_t;
-};
-
-# Type aliases for contexts used with older policy modules
-typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
-typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
-typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
-typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
-typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
-typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
-typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
-typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
-typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-
-# ==========================================================
-# Re-use httpd_sys_script_t for mod_fcgid apps
-# ==========================================================
-
-# Allow web applications to call getpw* functions
-auth_use_nsswitch(httpd_sys_script_t)
-
-# Allow httpd to create and use files and sockets for communicating with mod_fcgid
-# Rules to do this are already in selinux-policy apart from dir setattr
-setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
-
-# Allow FastCGI applications to listen for FastCGI requests on their
-# sockets and respond to them
-allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
-
-# These are probably leaked file descriptors
-dontaudit httpd_t devpts_t:chr_file ioctl;
-dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
-
-# PHP uploads a file to /tmp and then execs programs to action them
-# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
-files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
diff --git a/fastcgi.fc b/fastcgi.fc
deleted file mode 100644
index 2006d97..0000000
--- a/fastcgi.fc
+++ /dev/null
@@ -1 +0,0 @@
-/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/fastcgi.te b/fastcgi.te
deleted file mode 100644
index 373d920..0000000
--- a/fastcgi.te
+++ /dev/null
@@ -1,71 +0,0 @@
-# This policy module provides support for mod_fcgid using the httpd system script domain.
-# It provides "allow" rules that will overlap to varying degrees with selinux-policy
-# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
-# as updates for selinux-policy in Fedora 8, 9, and 10.
-#
-# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
-#
-# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
-# which is now an alias for httpd_sys_script_t.
-
-policy_module(fastcgi, 0.1.11)
-
-require {
- type devpts_t;
- type httpd_t;
- type httpd_log_t;
- type httpd_sys_content_t;
- type httpd_sys_script_exec_t;
- type httpd_sys_script_ra_t;
- type httpd_sys_script_ro_t;
- type httpd_sys_script_rw_t;
- type httpd_sys_script_t;
- type httpd_tmp_t;
- type httpd_var_run_t;
-};
-
-# Type aliases for contexts used with older policy modules
-typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
-typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
-typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
-typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
-typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
-typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-
-# ==========================================================
-# Re-use httpd_sys_script_t for mod_fcgid apps
-# ==========================================================
-
-# Allow web applications to call getpw* functions
-auth_use_nsswitch(httpd_sys_script_t)
-
-# Allow httpd to create and use files and sockets for communicating with mod_fcgid
-# Rules to do this are already in selinux-policy apart from dir setattr
-allow httpd_t httpd_var_run_t:dir setattr;
-
-# Allow FastCGI applications to listen for FastCGI requests on their
-# sockets and respond to them
-allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
-
-# These are probably leaked file descriptors
-dontaudit httpd_t devpts_t:chr_file ioctl;
-dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
-
-# Search automount filesystem to use automatically mounted filesystems
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-# PHP uploads a file to /tmp and then execs programs to action them
-allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
-allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-# Support network home directories
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
-')
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_sys_script_t)
- fs_read_cifs_symlinks(httpd_sys_script_t)
-')
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
index 981cf59..bfcbadc 100644
--- a/mod_fcgid-2.1-README.SELinux
+++ b/mod_fcgid-2.1-README.SELinux
@@ -1,47 +1,29 @@ Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards ============================================================== -Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux -policy module to support FastCGI applications. Later Fedora releases and Red -Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy -package and do not require the separate module. - -The module source (fastcgi.{fc,te}) is included for reference as documentation -in the package. - The module uses the same set of SELinux types for FastCGI applications as for regular CGI scripts (or "system scripts" as they are known in SELinux), as described in "man httpd_selinux". * httpd_sys_content_t - - Set files with httpd_sys_content_t for content that is available + - Set files with httpd_sys_content_t for content that is available to read from all FastCGI scripts and the daemon. + * httpd_sys_rw_content_t + - Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t + scripts to read/write the data, and disallow other processes from access. + * httpd_sys_script_exec_t - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run with access to all system script types. - * httpd_sys_script_ro_t - - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t - scripts to read but not write the data, and disallow other processes from - access. - - * httpd_sys_script_rw_t - - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t - scripts to read/write the data, and disallow other processes from access. - - * httpd_sys_script_ra_t - - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t - scripts to read/append to the file, and disallow other processes from - access. - So for the moin wiki layout described in README.RPM of the main mod_fcgid package, the contexts would be set as follows: cd /var/www/mywiki chcon -t httpd_sys_content_t . 
chcon -R -t httpd_sys_script_exec_t cgi-bin - chcon -R -t httpd_sys_script_rw_t data underlay + chcon -R -t httpd_sys_rw_content_t data underlay It is necessary to turn on the httpd_enable_cgi boolean to run either regular or FastCGI scripts: @@ -59,5 +41,5 @@ chances that any vulnerability in any of your web applications could be exploited by a spammer. If you have any questions or issues regarding FastCGI and SELinux, please don't -hesitate to bring them up on fedora-selinux-list. +hesitate to bring them up on Fedora's selinux-list. diff --git a/mod_fcgid.spec b/mod_fcgid.spec index 0ec3d02..053808a 100644 --- a/mod_fcgid.spec +++ b/mod_fcgid.spec 
@@ -1,42 +1,42 @@
-# Fedora 5, 6, and 7 versions includes SELinux policy module package
-# Fedora 8 and 9 versions include policy in errata selinux-policy releases
-# Fedora 10 onwards include policy in standard selinux-policy releases
-# RHEL 5.5 onwards include policy in standard selinux-policy releases
-%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel}
-%global selinux_module 0
-%global selinux_types %{nil}
-%global selinux_variants %{nil}
-%global selinux_buildreqs %{nil}
-%else
-%global selinux_module 1
-%global selinux_types %(awk '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
-%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
-%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
+# Compatible macros for those introduced in Fedora 18, RHEL 7
+%if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 17)
+# apxs script location
+%global _httpd_apxs %{_sbindir}/apxs
+# Module Magic Number
+%global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)
+# Configuration directory
+%global _httpd_confdir %{_sysconfdir}/httpd/conf.d
+# systemd tmpfiles directory
+%global _tmpfilesdir %{_prefix}/lib/tmpfiles.d
 %endif
-# apxs script location
-%{!?_httpd_apxs: %global _httpd_apxs %{_sbindir}/apxs}
-
-# Module Magic Number
-%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}
-
-# Configuration directory
-%{!?_httpd_confdir: %global _httpd_confdir %{_sysconfdir}/httpd/conf.d}
-
 # For httpd ≥ 2.4 we have a different filesystem layout
-%if 0%{?fedora} > 17 || 0%{?rhel} > 6
-%global httpd24 1
-%global rundir /run
-%else
+%if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 17)
 %global httpd24 0
 %global rundir %{_localstatedir}/run
+%else
+%global httpd24 1
+%global rundir /run
+%endif
+
+# rundir on tmpfs from Fedora 15, RHEL 7
+%if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 14)
+%global rundir_tmpfs 0
+%else
+%global rundir_tmpfs 1
+%endif
+
+# systemd-units merged into systemd at Fedora 17
+%if (0%{?fedora} && 0%{?fedora} <= 16)
+%global systemd_units systemd-units
+%else
+%global systemd_units systemd
 %endif
 Name: mod_fcgid
 Version: 2.3.9
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: FastCGI interface module for Apache 2
-Group: System Environment/Daemons
 License: ASL 2.0
 URL: http://httpd.apache.org/mod_fcgid/
 Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
@@ -45,32 +45,16 @@ Source2: mod_fcgid-2.1-README.RPM
 Source3: mod_fcgid-2.1-README.SELinux
 Source4: mod_fcgid-tmpfs.conf
 Source5: fcgid24.conf
-Source10: fastcgi.te
-Source11: fastcgi-2.5.te
-Source12: fastcgi.fc
 Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
-BuildRequires: httpd-devel >= 2.0, pkgconfig
+BuildRequires: coreutils
+BuildRequires: httpd-devel >= 2.0
+BuildRequires: make
+BuildRequires: pkgconfig
+BuildRequires: sed
 Requires: httpd-mmn = %{_httpd_mmn}
-# systemd-units needed for ownership of /usr/lib/tmpfiles.d directory
-%if 0%{?fedora} > 14 || 0%{?rhel} > 6
-Requires: systemd-units
-%endif
-# Make sure that selinux-policy is sufficiently up-to-date if it's installed
-# FastCGI policy properly incorporated into EL 5.5
-%if "%{?rhel}" == "5"
-Conflicts: selinux-policy < 2.4.6-279.el5
-# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing
-Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
-%endif
-%if "%{?fedora}" == "8"
-Conflicts: selinux-policy < 3.0.8-123.fc8
-%endif
-%if "%{?fedora}" == "9"
-Conflicts: selinux-policy < 3.3.1-107.fc9
-%endif
-%if "%{?fedora}" == "10"
-Conflicts: selinux-policy < 3.5.13-8.fc10
+# %%systemd_units needed for ownership of %%{_tmpfilesdir}
+%if %{rundir_tmpfs}
+Requires: %{systemd_units}
 %endif
 %description
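Review bot: The condition `(0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 17)` is spelled out twice in this hunk, once for the compatibility macros and once for `httpd24`, so the two can drift apart on the next edit; defining `httpd24` first and guarding the compatibility block with `%if !%{httpd24}` keeps a single source of truth. The rewritten tests also treat a build where neither `%{?rhel}` nor `%{?fedora}` is defined as a current target (httpd 2.4 layout, `/run`, systemd), which is presumably what "forward-looking" means but is only implied; a one-line comment at the top such as `# Targets that set neither %%{?rhel} nor %%{?fedora} are treated as current releases` would make the fall-through explicit.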
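Review bot: `%{_tmpfilesdir}` is now used by the later %install and %files hunks, but this spec only defines it for RHEL ≤ 6 and Fedora ≤ 17; on every other target it has to come from systemd's rpm macros as far as I know, and the new one-per-line BuildRequires list does not pull those in, so unless the build root already carries them the `%if %{rundir_tmpfs}` branch should add `BuildRequires: %{systemd_units}` next to the runtime `Requires: %{systemd_units}`. Separately, `./configure.apxs` and `make` in %build presumably compile C, yet no compiler is listed; now that the list is explicit, `BuildRequires: gcc` belongs in it rather than being inherited from httpd-devel or the default build root.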
@@ -79,60 +63,23 @@ mod_fcgid has a new process management strategy, which concentrates on
 reducing the number of fastcgi servers, and kicking out corrupt fastcgi
 servers as soon as possible.
-%if %{selinux_module}
-%package selinux
-Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
-Group: System Environment/Base
-BuildRequires: %{selinux_buildreqs}
-# selinux-policy is required for directory ownership of %%{_datadir}/selinux/*
-#
-# version requirement is a hack to avoid problems mixing new modules with older policy,
-# e.g. http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
-# _selinux_policy_version introduced in F-20 (#999584), but can be emulated by
-# pulling the policy version number from the policyhelp file on older distributions
-%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null || echo 0.0.0)}
-%global selinux_policynum %(echo %{_selinux_policy_version} | awk -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
-Requires: selinux-policy >= %{_selinux_policy_version}
-Requires: %{name} = %{version}-%{release}
-Requires(post): /usr/sbin/semodule, /sbin/restorecon
-Requires(postun): /usr/sbin/semodule, /sbin/restorecon
-
-%description selinux
 SELinux policy module supporting FastCGI applications with mod_fcgid.
-%endif
-
 %prep
 %setup -q
 cp -p %{SOURCE1} fcgid.conf
 cp -p %{SOURCE2} README.RPM
 cp -p %{SOURCE3} README.SELinux
 cp -p %{SOURCE5} fcgid24.conf
-%if 0%{?selinux_policynum} < 20501
-cp -p %{SOURCE10} fastcgi.te
-%else
-cp -p %{SOURCE11} fastcgi.te
-%endif
-cp -p %{SOURCE12} fastcgi.fc
 # Fix shellbang in fixconf script for our location of sed
-%if 0%{?fedora} < 24 && 0%{?rhel} < 8
+%if (0%{?rhel} && 0%{?rhel} <= 7) || (0%{?fedora} && 0%{?fedora} <= 23)
 %patch0 -p1
 %endif
 %build
 APXS=%{_httpd_apxs} ./configure.apxs
 make
-%if %{selinux_module}
-for selinuxvariant in %{selinux_variants}
-do
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
- mv fastcgi.pp fastcgi.pp.${selinuxvariant}
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
-done
-%endif
 %install
-rm -rf %{buildroot}
 make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install
 %if %{httpd24}
 mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}}
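Review bot: The rewritten guard around `%patch0 -p1` records when the patch is applied but not why Fedora 24 / RHEL 8 and later no longer need it, so whoever next bumps these version numbers has nothing to check against; the comment above it should name the change that made the shellbang fix unnecessary, e.g. `# Fix shellbang in fixconf script for our location of sed (not needed from F24/EL8, where <REASON - TODO confirm>)`. Note that this hunk spans several sections: %description ends and %prep begins inside it, and the %install section continues past its last line.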
@@ -152,49 +99,9 @@ rm -rf %{buildroot}%{_var}/www/manual
 # Make sure %%{rundir}/mod_fcgid exists at boot time for systems
 # with %%{rundir} on tmpfs (#656625)
-%if 0%{?fedora} > 14 || 0%{?rhel} > 6
-install -d -m 755 %{buildroot}%{_prefix}/lib/tmpfiles.d
-install -p -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf
-%endif
-
-# Install SELinux policy modules
-%if %{selinux_module}
-for selinuxvariant in %{selinux_variants}
-do
- install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
- install -p -m 644 fastcgi.pp.${selinuxvariant} \
- %{buildroot}%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp
-done
-# Hardlink identical policy module packages together
-hardlink -cv %{buildroot}%{_datadir}/selinux
-%endif
-
-%clean
-rm -rf %{buildroot}
-
-%if %{selinux_module}
-%post selinux
-# Install SELinux policy modules
-for selinuxvariant in %{selinux_variants}
-do
- /usr/sbin/semodule -s ${selinuxvariant} -i \
- %{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
-done
-# Fix up non-standard directory context from earlier packages
-/sbin/restorecon -R %{rundir}/mod_fcgid || :
-
-%postun selinux
-# Clean up after package removal
-if [ $1 -eq 0 ]; then
- # Remove SELinux policy modules
- for selinuxvariant in %{selinux_variants}; do
- /usr/sbin/semodule -s ${selinuxvariant} -r fastcgi &> /dev/null || :
- done
- # Clean up any remaining file contexts (shouldn't be any really)
- [ -d %{rundir}/mod_fcgid ] && \
- /sbin/restorecon -R %{rundir}/mod_fcgid &> /dev/null || :
-fi
-exit 0
+%if %{rundir_tmpfs}
+install -d -m 755 %{buildroot}%{_tmpfilesdir}
+install -p -m 644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/mod_fcgid.conf
 %endif
 %files
@@ -203,6 +110,7 @@ exit 0
 %else
 %doc LICENSE-FCGID
 %endif
+%doc README.RPM README.SELinux
 # mod_fcgid.html.en is explicitly encoded as ISO-8859-1
 %doc CHANGES-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID
 %doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog
@@ -212,18 +120,19 @@ exit 0
 %config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf
 %endif
 %config(noreplace) %{_httpd_confdir}/fcgid.conf
-%if 0%{?fedora} > 14 || 0%{?rhel} > 6
-%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf
+%if %{rundir_tmpfs}
+%{_tmpfilesdir}/mod_fcgid.conf
 %endif
 %dir %attr(0755,apache,apache) %{rundir}/mod_fcgid/
-%if %{selinux_module}
-%files selinux
-%doc fastcgi.fc fastcgi.te README.SELinux
-%{_datadir}/selinux/*/fastcgi.pp
-%endif
-
 %changelog
+* Fri Jan 26 2018 Paul Howarth - 2.3.9-11
+- Drop SELinux policy module: all supported targets have it in base policy now
+- Update README.SELinux to current types and ship it
+- Use forward-looking conditionals
+- One build requirement per line
+- Drop legacy Group: tag
+
 * Thu Aug 03 2017 Fedora Release Engineering - 2.3.9-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild