Forgot a couple of doc updates...

fastcgi.te

@@ -1,4 +1,4 @@
-policy_module(fastcgi, 0.1.6)
+policy_module(fastcgi, 0.1.7)
 
 type httpd_fastcgi_sock_t;
 files_type(httpd_fastcgi_sock_t)
@@ -19,6 +19,18 @@ require {
 apache_content_template(fastcgi)
 kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
 
+## <desc>
+## <p>
+## Allow FastCGI applications to make outbound SMTP connections
+## </p>
+## </desc>
+gen_tunable(httpd_fastcgi_can_sendmail,false)
+
+tunable_policy(`httpd_fastcgi_can_sendmail',`
+	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
+	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
+')
+
 # Allow FastCGI applications to do DNS lookups
 sysnet_dns_name_resolve(httpd_fastcgi_script_t)
 
@@ -55,9 +67,14 @@ dontaudit httpd_t devpts_t:chr_file ioctl;
 
 dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
 
+fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+
 files_search_var_lib(httpd_fastcgi_script_t)
 files_search_spool(httpd_fastcgi_script_t)
 
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+
 ifdef(`distro_redhat',`
 	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
 ')
@@ -68,8 +85,22 @@ ifdef(`targeted_policy',`
 	')
 ')
 
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_fastcgi_script_t)
+	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_fastcgi_script_t)
+	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(httpd_fastcgi_script_t)
 	mysql_rw_db_sockets(httpd_fastcgi_script_t)
 ')
 
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
+')
+

mod_fcgid-2.1-README.SELinux

@@ -1,10 +1,11 @@
-Using mod_fcgid with SELinux in Fedora Core 5 onwards
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
-=====================================================
+==============================================================
 
-Versions of this package built for Fedora Core 5 or later include an SELinux
+Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
-policy module to support FastCGI applications. This has only been tested so far
+or later include an SELinux policy module to support FastCGI applications.
-with moin, so feedback from other applications is welcome. The intention is for
+This has only been tested so far with moin, so feedback from other applications
-this module to be included in the SELinux reference policy eventually.
+is welcome. The intention is for this module to be included in the SELinux
+reference policy eventually.
 
 The module source (fastcgi.{fc,te}) is included for reference as documentation
 in the package.
@@ -36,7 +37,7 @@ scripts (or "system scripts" as they are known in SELinux):
    httpd_fastcgi_script_exec_t scripts to read/append to the file, and
    disallow other non-fastcgi scripts from access.
 
-So for the moin wiki layout described in README.Fedora of the main mod_fcgid
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
 package, the contexts would be set as follows:
 
     cd /var/www/mywiki
@@ -56,6 +57,16 @@ contexts for everything else set to the "sys" types if you prefer. This is
 useful if you have a mixture of CGI and FastCGI applications accessing the
 same data.
 
+The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
+FastCGI applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+    setsebool -P httpd_fastcgi_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your FastCGI applications could be
+exploited by a spammer.
+
 If you have any questions or issues regarding FastCGI and SELinux, please don't
 hesitate to bring them up on fedora-selinux-list.