rpms/mod_fcgid
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Major update of SELinux policy, supporting accessing data on NFS/CIFS

Browse Source 
shares and a new boolean, httpd_fastcgi_can_sendmail, to allow
    connections to SMTP servers
Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
    permissions macros in the underlying selinux-policy package
Add RHEL5 with SELinux support
Rename README.Fedora to README.RPM
This commit is contained in:
Paul Howarth 2007-06-15 16:56:23 +00:00
parent dd0b463620
commit 1f1b1ebd62
3 changed files with 156 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
fastcgi-2.5.te Normal file
View File

@ -0,0 +1,126 @@
policy_module(fastcgi, 0.2.0)
type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)
require {
type devpts_t;
type httpd_t;
type httpd_config_t;
type httpd_log_t;
type httpd_sys_script_exec_t;
type httpd_sys_content_t;
};
# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
## <desc>
## <p>
## Allow FastCGI applications to write to public content
## </p>
## </desc>
gen_tunable(allow_httpd_fastcgi_script_anon_write,false)
## <desc>
## <p>
## Allow FastCGI applications to make outbound SMTP connections
## </p>
## </desc>
gen_tunable(httpd_fastcgi_can_sendmail,false)
tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
miscfiles_manage_public_files(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_fastcgi_can_sendmail',`
corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
')
# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
# Allow FastCGI applications to read the routing table
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
# Allow httpd to create and use sockets for communicating with mod_fcgid
manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
allow httpd_t httpd_fastcgi_sock_t:dir { setattr };
# Allow httpd to read httpd_fastcgi_content_t
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;
# ======================================================
# Equivalent policy cribbed from httpd_sys_script_t
# ======================================================
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
fs_search_auto_mountpoints(httpd_fastcgi_script_t)
files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
ifdef(`distro_redhat',`
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')
ifdef(`targeted_policy',`
tunable_policy(`httpd_enable_homedirs',`
userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
')
')
tunable_policy(`httpd_use_nfs', `
fs_read_nfs_files(httpd_fastcgi_script_t)
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_fastcgi_script_t)
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_use_cifs', `
fs_read_cifs_files(httpd_fastcgi_script_t)
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_fastcgi_script_t)
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
')
optional_policy(`
mysql_stream_connect(httpd_fastcgi_script_t)
mysql_rw_db_sockets(httpd_fastcgi_script_t)
')
optional_policy(`
clamav_domtrans_clamscan(httpd_fastcgi_script_t)
')

10
mod_fcgid-2.1-README.Fedora → mod_fcgid-2.1-README.RPM
View File

@ -1,5 +1,5 @@
Using mod_fcgid in Fedora Using the mod_fcgid RPM Package
========================= ===============================
This mod_fcgid package includes a configuration file This mod_fcgid package includes a configuration file
/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and /etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
@ -56,9 +56,9 @@ CGI application.
</Directory> </Directory>
</IfModule> </IfModule>
* If you are using SELinux with Fedora Core 5 or later, install the * If you are using SELinux with Fedora Core 5 or later, or Red Hat Enterprise
mod_fcgid-selinux package and see the README.SELinux file in that package Linux 5 or later, install the mod_fcgid-selinux package and see the
for details of the file contexts to use README.SELinux file in that package for details of the file contexts to use
* Restart the web server to load the new configuration: * Restart the web server to load the new configuration:

33
mod_fcgid.spec
View File

@ -1,5 +1,5 @@
# FC5 and later include SELinux policy module packages # FC5, RHEL5 and later include SELinux policy module packages
%if 0%{?fedora} < 5 %if 0%{?fedora}%{?rhel} < 5
%define selinux_module 0 %define selinux_module 0
%define selinux_variants %{nil} %define selinux_variants %{nil}
%define selinux_buildreqs %{nil} %define selinux_buildreqs %{nil}
@ -11,7 +11,7 @@
Name: mod_fcgid Name: mod_fcgid
Version: 2.1 Version: 2.1
Release: 1%{?dist} Release: 3%{?dist}
Summary: Apache2 module for high-performance server-side scripting Summary: Apache2 module for high-performance server-side scripting
Group: System Environment/Daemons Group: System Environment/Daemons
License: GPL License: GPL
@ -20,10 +20,11 @@ Source0: http://dl.sf.net/mod-fcgid/mod_fcgid.%{version}.tar.gz
Source1: fcgid.conf Source1: fcgid.conf
Source2: fastcgi.te Source2: fastcgi.te
Source3: fastcgi.fc Source3: fastcgi.fc
Source4: mod_fcgid-2.1-README.Fedora Source4: mod_fcgid-2.1-README.RPM
Source5: http://fastcgi.coremail.cn/doc.htm Source5: http://fastcgi.coremail.cn/doc.htm
Source6: http://fastcgi.coremail.cn/configuration.htm Source6: http://fastcgi.coremail.cn/configuration.htm
Source7: mod_fcgid-2.1-README.SELinux Source7: mod_fcgid-2.1-README.SELinux
Source8: fastcgi-2.5.te
Patch0: mod_fcgid.2.1-docurls.patch Patch0: mod_fcgid.2.1-docurls.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: httpd-devel >= 2.0 BuildRequires: httpd-devel >= 2.0
@ -36,7 +37,8 @@ the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
as possible. as possible.
%if %{selinux_module} %if %{selinux_module}
%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp) %define selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
%define selinux_policynum %(echo %{selinux_policyver} | %{__awk} -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
%package selinux %package selinux
Summary: SELinux policy module supporting FastCGI applications with mod_fcgid Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
Group: System Environment/Base Group: System Environment/Base
@ -61,9 +63,13 @@ SELinux policy module supporting FastCGI applications with mod_fcgid.
%prep %prep
%setup -q -n mod_fcgid.%{version} %setup -q -n mod_fcgid.%{version}
%{__cp} -p %{SOURCE1} fcgid.conf %{__cp} -p %{SOURCE1} fcgid.conf
%if 0%{?selinux_policynum} < 20501
%{__cp} -p %{SOURCE2} fastcgi.te %{__cp} -p %{SOURCE2} fastcgi.te
%else
%{__cp} -p %{SOURCE8} fastcgi.te
%endif
%{__cp} -p %{SOURCE3} fastcgi.fc %{__cp} -p %{SOURCE3} fastcgi.fc
%{__cp} -p %{SOURCE4} README.Fedora %{__cp} -p %{SOURCE4} README.RPM
%{__cp} -p %{SOURCE5} directives.htm %{__cp} -p %{SOURCE5} directives.htm
%{__cp} -p %{SOURCE6} configuration.htm %{__cp} -p %{SOURCE6} configuration.htm
%{__cp} -p %{SOURCE7} README.SELinux %{__cp} -p %{SOURCE7} README.SELinux
@ -136,10 +142,10 @@ fi
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc ChangeLog AUTHOR COPYING configuration.htm directives.htm %doc ChangeLog AUTHOR COPYING configuration.htm directives.htm
%doc README.Fedora %doc README.RPM
%{_libdir}/httpd/modules/mod_fcgid.so %{_libdir}/httpd/modules/mod_fcgid.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/fcgid.conf %config(noreplace) %{_sysconfdir}/httpd/conf.d/fcgid.conf
%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid %dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid/
%if %{selinux_module} %if %{selinux_module}
%files selinux %files selinux
@ -149,6 +155,17 @@ fi
%endif %endif
%changelog %changelog
* Fri Jun 15 2007 Paul Howarth <paul@city-fan.org> 2.1-3
- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
servers
- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
permissions macros in the underlying selinux-policy package
* Wed Mar 21 2007 Paul Howarth <paul@city-fan.org> 2.1-2
- Add RHEL5 with SELinux support
- Rename README.Fedora to README.RPM
* Fri Feb 16 2007 Paul Howarth <paul@city-fan.org> 2.1-1 * Fri Feb 16 2007 Paul Howarth <paul@city-fan.org> 2.1-1
- Update to 2.1 - Update to 2.1
- Update documentation and patches - Update documentation and patches