Major update of SELinux policy, supporting accessing data on NFS/CIFS

shares and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP servers Fix for SELinux policy on Fedora 7, which didn't work due to changes in the permissions macros in the underlying selinux-policy package Add RHEL5 with SELinux support Rename README.Fedora to README.RPM
2007-06-15 16:56:23 +00:00 · 2007-06-15 16:56:23 +00:00 · 1f1b1ebd62
commit 1f1b1ebd62
parent dd0b463620
3 changed files with 156 additions and 13 deletions
--- a/fastcgi-2.5.te
+++ b/fastcgi-2.5.te
@ -0,0 +1,126 @@
+policy_module(fastcgi, 0.2.0)
+
+type httpd_fastcgi_sock_t;
+files_type(httpd_fastcgi_sock_t)
+
+require {
+	type devpts_t;
+	type httpd_t;
+	type httpd_config_t;
+	type httpd_log_t;
+	type httpd_sys_script_exec_t;
+	type httpd_sys_content_t;
+};
+
+# ==========================================================
+# Create and use httpd_fastcgi_script_t for mod_fcgid apps
+# ==========================================================
+
+apache_content_template(fastcgi)
+kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
+
+## <desc>
+## <p>
+## Allow FastCGI applications to write to public content 
+## </p>
+## </desc>
+gen_tunable(allow_httpd_fastcgi_script_anon_write,false)
+
+## <desc>
+## <p>
+## Allow FastCGI applications to make outbound SMTP connections
+## </p>
+## </desc>
+gen_tunable(httpd_fastcgi_can_sendmail,false)
+
+tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
+	miscfiles_manage_public_files(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_fastcgi_can_sendmail',`
+	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
+	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
+')
+
+# Allow FastCGI applications to do DNS lookups
+sysnet_dns_name_resolve(httpd_fastcgi_script_t)
+
+# Allow FastCGI applications to live alongside regular CGI apps
+allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
+allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
+
+# Allow FastCGI applications to read the routing table
+allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
+
+# Allow httpd to create and use sockets for communicating with mod_fcgid
+manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
+allow httpd_t httpd_fastcgi_sock_t:dir { setattr };
+
+# Allow httpd to read httpd_fastcgi_content_t
+allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
+read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
+
+# Allow FastCGI applications to listen for FastCGI requests on their
+# sockets and respond to them
+allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+
+# FastCGI application doing something to the httpd error log
+dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
+
+# Not sure what this is doing (happens when fastcgi scripts start)
+dontaudit httpd_t devpts_t:chr_file ioctl;
+
+# ======================================================
+# Equivalent policy cribbed from httpd_sys_script_t
+# ======================================================
+
+dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
+
+fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+
+files_search_var_lib(httpd_fastcgi_script_t)
+files_search_spool(httpd_fastcgi_script_t)
+
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+
+ifdef(`distro_redhat',`
+	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
+')
+
+ifdef(`targeted_policy',`
+	tunable_policy(`httpd_enable_homedirs',`
+		userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
+	')
+')
+
+tunable_policy(`httpd_use_nfs', `
+	fs_read_nfs_files(httpd_fastcgi_script_t)
+	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_fastcgi_script_t)
+	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_use_cifs', `
+	fs_read_cifs_files(httpd_fastcgi_script_t)
+	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_fastcgi_script_t)
+	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_fastcgi_script_t)
+	mysql_rw_db_sockets(httpd_fastcgi_script_t)
+')
+
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
+')
+
--- a/mod_fcgid-2.1-README.Fedora
+++ b/mod_fcgid-2.1-README.Fedora
@ -1,5 +1,5 @@
-Using mod_fcgid in Fedora
-=========================
+Using the mod_fcgid RPM Package
+===============================

 This mod_fcgid package includes a configuration file
 /etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
@ -56,9 +56,9 @@ CGI application.
      </Directory>
    </IfModule>

- * If you are using SELinux with Fedora Core 5 or later, install the
-   mod_fcgid-selinux package and see the README.SELinux file in that package
-   for details of the file contexts to use
+ * If you are using SELinux with Fedora Core 5 or later, or Red Hat Enterprise
+   Linux 5 or later, install the mod_fcgid-selinux package and see the
+   README.SELinux file in that package for details of the file contexts to use

 * Restart the web server to load the new configuration:

--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@ -1,5 +1,5 @@
-# FC5 and later include SELinux policy module packages
-%if 0%{?fedora} < 5
+# FC5, RHEL5 and later include SELinux policy module packages
+%if 0%{?fedora}%{?rhel} < 5
 %define selinux_module 0
 %define selinux_variants %{nil}
 %define selinux_buildreqs %{nil}
@ -11,7 +11,7 @@

 Name:           mod_fcgid
 Version:        2.1
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        Apache2 module for high-performance server-side scripting 
 Group:          System Environment/Daemons
 License:        GPL
@ -20,10 +20,11 @@ Source0:        http://dl.sf.net/mod-fcgid/mod_fcgid.%{version}.tar.gz
 Source1:        fcgid.conf
 Source2:        fastcgi.te
 Source3:        fastcgi.fc
-Source4:        mod_fcgid-2.1-README.Fedora
+Source4:        mod_fcgid-2.1-README.RPM
 Source5:        http://fastcgi.coremail.cn/doc.htm
 Source6:        http://fastcgi.coremail.cn/configuration.htm
 Source7:        mod_fcgid-2.1-README.SELinux
+Source8:        fastcgi-2.5.te
 Patch0:         mod_fcgid.2.1-docurls.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  httpd-devel >= 2.0
@ -36,7 +37,8 @@ the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
 as possible.

 %if %{selinux_module}
-%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%define selinux_policynum %(echo %{selinux_policyver} | %{__awk} -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
 %package selinux
 Summary:          SELinux policy module supporting FastCGI applications with mod_fcgid
 Group:            System Environment/Base
@ -61,9 +63,13 @@ SELinux policy module supporting FastCGI applications with mod_fcgid.
 %prep
 %setup -q -n mod_fcgid.%{version}
 %{__cp} -p %{SOURCE1} fcgid.conf
+%if 0%{?selinux_policynum} < 20501
 %{__cp} -p %{SOURCE2} fastcgi.te
+%else
+%{__cp} -p %{SOURCE8} fastcgi.te
+%endif
 %{__cp} -p %{SOURCE3} fastcgi.fc
-%{__cp} -p %{SOURCE4} README.Fedora
+%{__cp} -p %{SOURCE4} README.RPM
 %{__cp} -p %{SOURCE5} directives.htm
 %{__cp} -p %{SOURCE6} configuration.htm
 %{__cp} -p %{SOURCE7} README.SELinux
@ -136,10 +142,10 @@ fi
 %files
 %defattr(-,root,root,-)
 %doc ChangeLog AUTHOR COPYING configuration.htm directives.htm
-%doc README.Fedora
+%doc README.RPM
 %{_libdir}/httpd/modules/mod_fcgid.so
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/fcgid.conf
-%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid
+%dir %attr(0755,apache,apache) %{_localstatedir}/run/mod_fcgid/

 %if %{selinux_module}
 %files selinux
@ -149,6 +155,17 @@ fi
 %endif

 %changelog
+* Fri Jun 15 2007 Paul Howarth <paul@city-fan.org> 2.1-3
+- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
+  and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
+  servers
+- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
+  permissions macros in the underlying selinux-policy package
+
+* Wed Mar 21 2007 Paul Howarth <paul@city-fan.org> 2.1-2
+- Add RHEL5 with SELinux support
+- Rename README.Fedora to README.RPM
+
 * Fri Feb 16 2007 Paul Howarth <paul@city-fan.org> 2.1-1
 - Update to 2.1
 - Update documentation and patches