Spec clean-up

- Drop SELinux policy module: all supported targets have it in base policy now
- Update README.SELinux to current types and ship it
- Use forward-looking conditionals
- One build requirement per line
- Drop legacy Group: tag
This commit is contained in:
Paul Howarth 2018-01-26 19:59:25 +00:00
parent f53669c26f
commit 03b907b249
5 changed files with 58 additions and 302 deletions


@ -1,63 +0,0 @@
# This policy module provides support for mod_fcgid using the httpd system script domain.
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10.
#
# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t.
policy_module(fastcgi, 0.2.6)
require {
type devpts_t;
type httpd_t;
type httpd_log_t;
type httpd_sys_content_t;
type httpd_sys_content_ra_t;
type httpd_sys_content_ro_t;
type httpd_sys_content_rw_t;
type httpd_sys_script_exec_t;
type httpd_sys_script_ra_t;
type httpd_sys_script_ro_t;
type httpd_sys_script_rw_t;
type httpd_sys_script_t;
type httpd_tmp_t;
type httpd_var_run_t;
};
# Type aliases for contexts used with older policy modules
typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
# ==========================================================
# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================
# Allow web applications to call getpw* functions
auth_use_nsswitch(httpd_sys_script_t)
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
# Rules to do this are already in selinux-policy apart from dir setattr
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# PHP uploads a file to /tmp and then execs programs to action them
# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })


@ -1 +0,0 @@
/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)


@ -1,71 +0,0 @@
# This policy module provides support for mod_fcgid using the httpd system script domain.
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
# as updates for selinux-policy in Fedora 8, 9, and 10.
#
# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
#
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
# which is now an alias for httpd_sys_script_t.
policy_module(fastcgi, 0.1.11)
require {
type devpts_t;
type httpd_t;
type httpd_log_t;
type httpd_sys_content_t;
type httpd_sys_script_exec_t;
type httpd_sys_script_ra_t;
type httpd_sys_script_ro_t;
type httpd_sys_script_rw_t;
type httpd_sys_script_t;
type httpd_tmp_t;
type httpd_var_run_t;
};
# Type aliases for contexts used with older policy modules
typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
# ==========================================================
# Re-use httpd_sys_script_t for mod_fcgid apps
# ==========================================================
# Allow web applications to call getpw* functions
auth_use_nsswitch(httpd_sys_script_t)
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
# Rules to do this are already in selinux-policy apart from dir setattr
allow httpd_t httpd_var_run_t:dir setattr;
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# Search automount filesystem to use automatically mounted filesystems
fs_search_auto_mountpoints(httpd_sys_script_t)
# PHP uploads a file to /tmp and then execs programs to action them
allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
# Support network home directories
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
')


@ -1,47 +1,29 @@
Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
============================================================== ==============================================================
Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
policy module to support FastCGI applications. Later Fedora releases and Red
Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
package and do not require the separate module.
The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.
The module uses the same set of SELinux types for FastCGI applications as for The module uses the same set of SELinux types for FastCGI applications as for
regular CGI scripts (or "system scripts" as they are known in SELinux), as regular CGI scripts (or "system scripts" as they are known in SELinux), as
described in "man httpd_selinux". described in "man httpd_selinux".
* httpd_sys_content_t * httpd_sys_content_t
- Set files with httpd_sys_content_t for content that is available - Set files with httpd_sys_content_t for content that is available to read
from all FastCGI scripts and the daemon. from all FastCGI scripts and the daemon.
* httpd_sys_rw_content_t
- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t
scripts to read/write the data, and disallow other processes from access.
* httpd_sys_script_exec_t * httpd_sys_script_exec_t
- Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
with access to all system script types. with access to all system script types.
* httpd_sys_script_ro_t
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
scripts to read but not write the data, and disallow other processes from
access.
* httpd_sys_script_rw_t
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
scripts to read/write the data, and disallow other processes from access.
* httpd_sys_script_ra_t
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
scripts to read/append to the file, and disallow other processes from
access.
So for the moin wiki layout described in README.RPM of the main mod_fcgid So for the moin wiki layout described in README.RPM of the main mod_fcgid
package, the contexts would be set as follows: package, the contexts would be set as follows:
cd /var/www/mywiki cd /var/www/mywiki
chcon -t httpd_sys_content_t . chcon -t httpd_sys_content_t .
chcon -R -t httpd_sys_script_exec_t cgi-bin chcon -R -t httpd_sys_script_exec_t cgi-bin
chcon -R -t httpd_sys_script_rw_t data underlay chcon -R -t httpd_sys_rw_content_t data underlay
It is necessary to turn on the httpd_enable_cgi boolean to run either regular It is necessary to turn on the httpd_enable_cgi boolean to run either regular
or FastCGI scripts: or FastCGI scripts:
@ -59,5 +41,5 @@ chances that any vulnerability in any of your web applications could be
exploited by a spammer. exploited by a spammer.
If you have any questions or issues regarding FastCGI and SELinux, please don't If you have any questions or issues regarding FastCGI and SELinux, please don't
hesitate to bring them up on fedora-selinux-list. hesitate to bring them up on Fedora's selinux-list.


@ -1,42 +1,42 @@
# Fedora 5, 6, and 7 versions includes SELinux policy module package # Compatible macros for those introduced in Fedora 18, RHEL 7
# Fedora 8 and 9 versions include policy in errata selinux-policy releases %if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 17)
# Fedora 10 onwards include policy in standard selinux-policy releases # apxs script location
# RHEL 5.5 onwards include policy in standard selinux-policy releases %global _httpd_apxs %{_sbindir}/apxs
%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel} # Module Magic Number
%global selinux_module 0 %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)
%global selinux_types %{nil} # Configuration directory
%global selinux_variants %{nil} %global _httpd_confdir %{_sysconfdir}/httpd/conf.d
%global selinux_buildreqs %{nil} # systemd tmpfiles directory
%else %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d
%global selinux_module 1
%global selinux_types %(awk '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
%endif %endif
# apxs script location
%{!?_httpd_apxs: %global _httpd_apxs %{_sbindir}/apxs}
# Module Magic Number
%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}
# Configuration directory
%{!?_httpd_confdir: %global _httpd_confdir %{_sysconfdir}/httpd/conf.d}
# For httpd ≥ 2.4 we have a different filesystem layout # For httpd ≥ 2.4 we have a different filesystem layout
%if 0%{?fedora} > 17 || 0%{?rhel} > 6 %if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 17)
%global httpd24 1
%global rundir /run
%else
%global httpd24 0 %global httpd24 0
%global rundir %{_localstatedir}/run %global rundir %{_localstatedir}/run
%else
%global httpd24 1
%global rundir /run
%endif
# rundir on tmpfs from Fedora 15, RHEL 7
%if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 14)
%global rundir_tmpfs 0
%else
%global rundir_tmpfs 1
%endif
# systemd-units merged into systemd at Fedora 17
%if (0%{?fedora} && 0%{?fedora} <= 16)
%global systemd_units systemd-units
%else
%global systemd_units systemd
%endif %endif
Name: mod_fcgid Name: mod_fcgid
Version: 2.3.9 Version: 2.3.9
Release: 10%{?dist} Release: 11%{?dist}
Summary: FastCGI interface module for Apache 2 Summary: FastCGI interface module for Apache 2
Group: System Environment/Daemons
License: ASL 2.0 License: ASL 2.0
URL: http://httpd.apache.org/mod_fcgid/ URL: http://httpd.apache.org/mod_fcgid/
Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
@ -45,32 +45,16 @@ Source2: mod_fcgid-2.1-README.RPM
Source3: mod_fcgid-2.1-README.SELinux Source3: mod_fcgid-2.1-README.SELinux
Source4: mod_fcgid-tmpfs.conf Source4: mod_fcgid-tmpfs.conf
Source5: fcgid24.conf Source5: fcgid24.conf
Source10: fastcgi.te
Source11: fastcgi-2.5.te
Source12: fastcgi.fc
Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils
BuildRequires: httpd-devel >= 2.0, pkgconfig BuildRequires: httpd-devel >= 2.0
BuildRequires: make
BuildRequires: pkgconfig
BuildRequires: sed
Requires: httpd-mmn = %{_httpd_mmn} Requires: httpd-mmn = %{_httpd_mmn}
# systemd-units needed for ownership of /usr/lib/tmpfiles.d directory # %%systemd_units needed for ownership of %%{_tmpfilesdir}
%if 0%{?fedora} > 14 || 0%{?rhel} > 6 %if %{rundir_tmpfs}
Requires: systemd-units Requires: %{systemd_units}
%endif
# Make sure that selinux-policy is sufficiently up-to-date if it's installed
# FastCGI policy properly incorporated into EL 5.5
%if "%{?rhel}" == "5"
Conflicts: selinux-policy < 2.4.6-279.el5
# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
%endif
%if "%{?fedora}" == "8"
Conflicts: selinux-policy < 3.0.8-123.fc8
%endif
%if "%{?fedora}" == "9"
Conflicts: selinux-policy < 3.3.1-107.fc9
%endif
%if "%{?fedora}" == "10"
Conflicts: selinux-policy < 3.5.13-8.fc10
%endif %endif
%description %description
@ -79,60 +63,23 @@ mod_fcgid has a new process management strategy, which concentrates on reducing
the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
as possible. as possible.
%if %{selinux_module}
%package selinux
Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
Group: System Environment/Base
BuildRequires: %{selinux_buildreqs}
# selinux-policy is required for directory ownership of %%{_datadir}/selinux/*
#
# version requirement is a hack to avoid problems mixing new modules with older policy,
# e.g. http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
# _selinux_policy_version introduced in F-20 (#999584), but can be emulated by
# pulling the policy version number from the policyhelp file on older distributions
%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null || echo 0.0.0)}
%global selinux_policynum %(echo %{_selinux_policy_version} | awk -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
Requires: selinux-policy >= %{_selinux_policy_version}
Requires: %{name} = %{version}-%{release}
Requires(post): /usr/sbin/semodule, /sbin/restorecon
Requires(postun): /usr/sbin/semodule, /sbin/restorecon
%description selinux
SELinux policy module supporting FastCGI applications with mod_fcgid.
%endif
%prep %prep
%setup -q %setup -q
cp -p %{SOURCE1} fcgid.conf cp -p %{SOURCE1} fcgid.conf
cp -p %{SOURCE2} README.RPM cp -p %{SOURCE2} README.RPM
cp -p %{SOURCE3} README.SELinux cp -p %{SOURCE3} README.SELinux
cp -p %{SOURCE5} fcgid24.conf cp -p %{SOURCE5} fcgid24.conf
%if 0%{?selinux_policynum} < 20501
cp -p %{SOURCE10} fastcgi.te
%else
cp -p %{SOURCE11} fastcgi.te
%endif
cp -p %{SOURCE12} fastcgi.fc
# Fix shellbang in fixconf script for our location of sed # Fix shellbang in fixconf script for our location of sed
%if 0%{?fedora} < 24 && 0%{?rhel} < 8 %if (0%{?rhel} && 0%{?rhel} <= 7) || (0%{?fedora} && 0%{?fedora} <= 23)
%patch0 -p1 %patch0 -p1
%endif %endif
%build %build
APXS=%{_httpd_apxs} ./configure.apxs APXS=%{_httpd_apxs} ./configure.apxs
make make
%if %{selinux_module}
for selinuxvariant in %{selinux_variants}
do
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
mv fastcgi.pp fastcgi.pp.${selinuxvariant}
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
done
%endif
%install %install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install
%if %{httpd24} %if %{httpd24}
mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}} mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}}
@ -152,49 +99,9 @@ rm -rf %{buildroot}%{_var}/www/manual
# Make sure %%{rundir}/mod_fcgid exists at boot time for systems # Make sure %%{rundir}/mod_fcgid exists at boot time for systems
# with %%{rundir} on tmpfs (#656625) # with %%{rundir} on tmpfs (#656625)
%if 0%{?fedora} > 14 || 0%{?rhel} > 6 %if %{rundir_tmpfs}
install -d -m 755 %{buildroot}%{_prefix}/lib/tmpfiles.d install -d -m 755 %{buildroot}%{_tmpfilesdir}
install -p -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf install -p -m 644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/mod_fcgid.conf
%endif
# Install SELinux policy modules
%if %{selinux_module}
for selinuxvariant in %{selinux_variants}
do
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
install -p -m 644 fastcgi.pp.${selinuxvariant} \
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp
done
# Hardlink identical policy module packages together
hardlink -cv %{buildroot}%{_datadir}/selinux
%endif
%clean
rm -rf %{buildroot}
%if %{selinux_module}
%post selinux
# Install SELinux policy modules
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s ${selinuxvariant} -i \
%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
done
# Fix up non-standard directory context from earlier packages
/sbin/restorecon -R %{rundir}/mod_fcgid || :
%postun selinux
# Clean up after package removal
if [ $1 -eq 0 ]; then
# Remove SELinux policy modules
for selinuxvariant in %{selinux_variants}; do
/usr/sbin/semodule -s ${selinuxvariant} -r fastcgi &> /dev/null || :
done
# Clean up any remaining file contexts (shouldn't be any really)
[ -d %{rundir}/mod_fcgid ] && \
/sbin/restorecon -R %{rundir}/mod_fcgid &> /dev/null || :
fi
exit 0
%endif %endif
%files %files
@ -203,6 +110,7 @@ exit 0
%else %else
%doc LICENSE-FCGID %doc LICENSE-FCGID
%endif %endif
%doc README.RPM README.SELinux
# mod_fcgid.html.en is explicitly encoded as ISO-8859-1 # mod_fcgid.html.en is explicitly encoded as ISO-8859-1
%doc CHANGES-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID %doc CHANGES-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID
%doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog %doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog
@ -212,18 +120,19 @@ exit 0
%config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf %config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf
%endif %endif
%config(noreplace) %{_httpd_confdir}/fcgid.conf %config(noreplace) %{_httpd_confdir}/fcgid.conf
%if 0%{?fedora} > 14 || 0%{?rhel} > 6 %if %{rundir_tmpfs}
%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf %{_tmpfilesdir}/mod_fcgid.conf
%endif %endif
%dir %attr(0755,apache,apache) %{rundir}/mod_fcgid/ %dir %attr(0755,apache,apache) %{rundir}/mod_fcgid/
%if %{selinux_module}
%files selinux
%doc fastcgi.fc fastcgi.te README.SELinux
%{_datadir}/selinux/*/fastcgi.pp
%endif
%changelog %changelog
* Fri Jan 26 2018 Paul Howarth <paul@city-fan.org> - 2.3.9-11
- Drop SELinux policy module: all supported targets have it in base policy now
- Update README.SELinux to current types and ship it
- Use forward-looking conditionals
- One build requirement per line
- Drop legacy Group: tag
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.9-10 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.9-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
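Review bot: `%{_tmpfilesdir}` is now used on every `rundir_tmpfs` target, in the two tmpfiles `install` lines and in `%files` (`%{_tmpfilesdir}/mod_fcgid.conf`), but the new compat block defines it only for EL ≤ 6 / Fedora ≤ 17, so on newer targets it has to come from systemd's RPM macros, and nothing in the BuildRequires list (coreutils, httpd-devel, make, pkgconfig, sed) pulls those in; unless the buildroot already provides them, the macro expands literally and the conf file lands under a literal `%{_tmpfilesdir}` directory. Pairing the run-time dependency with a build-time one, `BuildRequires: %{systemd_units}` inside the same `%if %{rundir_tmpfs}` block as the `Requires:` line, or keeping a `%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}` fallback, closes that gap. The same consideration applies to the `_httpd_*` macros: the removed `%{!?_httpd_apxs: …}` guards also covered builds where neither `%{?rhel}` nor `%{?fedora}` is set, whereas the new form leaves them undefined there and `Requires: httpd-mmn = %{_httpd_mmn}` would not expand — presumably out of scope for Fedora/EPEL builds, but a one-line comment above the compat block stating that assumption (`# Assumes httpd-devel and systemd provide the _httpd_* and _tmpfilesdir macros on newer targets`) would make it explicit.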