diff --git a/fastcgi.te b/fastcgi.te
index e1db9d9..17b8253 100644
--- a/fastcgi.te
+++ b/fastcgi.te
@@ -1,4 +1,4 @@
-policy_module(fastcgi, 0.1.6)
+policy_module(fastcgi, 0.1.7)
 type httpd_fastcgi_sock_t;
 files_type(httpd_fastcgi_sock_t)
@@ -19,6 +19,18 @@ require {
 apache_content_template(fastcgi)
 kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
+##
+##

+## Allow FastCGI applications to make outbound SMTP connections
+##

+##
+gen_tunable(httpd_fastcgi_can_sendmail,false)
+
+tunable_policy(`httpd_fastcgi_can_sendmail',`
+	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
+	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
+')
+
 # Allow FastCGI applications to do DNS lookups
 sysnet_dns_name_resolve(httpd_fastcgi_script_t)
@@ -55,9 +67,14 @@ dontaudit httpd_t devpts_t:chr_file ioctl;
 dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
+fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+
 files_search_var_lib(httpd_fastcgi_script_t)
 files_search_spool(httpd_fastcgi_script_t)
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+
 ifdef(`distro_redhat',`
 	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
 ')
@@ -68,8 +85,22 @@ ifdef(`targeted_policy',`
 	')
 ')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_fastcgi_script_t)
+	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_fastcgi_script_t)
+	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(httpd_fastcgi_script_t)
 	mysql_rw_db_sockets(httpd_fastcgi_script_t)
 ')
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
+')
+
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
index 402620c..d2f0c9c 100644
--- a/mod_fcgid-2.1-README.SELinux
+++ b/mod_fcgid-2.1-README.SELinux
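Review bot: `apache_domtrans_rotatelogs(httpd_fastcgi_script_t)` is added unconditionally, so every FastCGI application domain can now execute rotatelogs with a transition into its domain, while the SMTP access added earlier in this same commit is gated behind the `httpd_fastcgi_can_sendmail` boolean; the `# Should we add a boolean?` comment left directly above it suggests the author also considered this an open question. For least privilege I would answer yes and gate it the same way, declaring the tunable next to `httpd_fastcgi_can_sendmail` with its own `## <desc>` block. If it has to stay unconditional, replace the question with a comment stating which application needs rotatelogs, so that an unanswered question does not ship in the policy file.

```selinux
# … unchanged: files_search_var_lib / files_search_spool …

# Declared with the other tunables at the top of the module:
gen_tunable(httpd_fastcgi_can_rotatelogs, false)

tunable_policy(`httpd_fastcgi_can_rotatelogs',`
	apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
')
```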
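Review bot: The new `clamav_domtrans_clamscan(httpd_fastcgi_script_t)` block carries no comment saying why FastCGI scripts need to spawn clamscan, unlike the DNS rule earlier in the file (`# Allow FastCGI applications to do DNS lookups`); since `optional_policy` only makes the rule depend on the clamav module being loaded, every FastCGI application gets the transition whenever clamav is installed. I would add `# Allow FastCGI applications to run clamscan in its own domain` above the block and, if only one application actually needs it, consider gating it with a boolean as this commit does for SMTP. The NFS and CIFS home-directory rules in the same hunk follow the existing `httpd_enable_homedirs` pattern and need nothing further.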
@@ -1,10 +1,11 @@
-Using mod_fcgid with SELinux in Fedora Core 5 onwards
-=====================================================
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+==============================================================
-Versions of this package built for Fedora Core 5 or later include an SELinux
-policy module to support FastCGI applications. This has only been tested so far
-with moin, so feedback from other applications is welcome. The intention is for
-this module to be included in the SELinux reference policy eventually.
+Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
+or later include an SELinux policy module to support FastCGI applications.
+This has only been tested so far with moin, so feedback from other applications
+is welcome. The intention is for this module to be included in the SELinux
+reference policy eventually.
 The module source (fastcgi.{fc,te}) is included for reference as documentation in the package.
@@ -36,7 +37,7 @@ scripts (or "system scripts" as they are known in SELinux):
 httpd_fastcgi_script_exec_t scripts to read/append to the file, and disallow other non-fastcgi scripts from access.
-So for the moin wiki layout described in README.Fedora of the main mod_fcgid
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
 package, the contexts would be set as follows:
 cd /var/www/mywiki
@@ -56,6 +57,16 @@ contexts for everything else set to the "sys" types if you prefer. This is useful if you have a mixture of CGI and FastCGI applications accessing the same data.
+The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
+FastCGI applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+ setsebool -P httpd_fastcgi_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your FastCGI applications could be
+exploited by a spammer.
+
 If you have any questions or issues regarding FastCGI and SELinux, please don't hesitate to bring them up on fedora-selinux-list.