diff --git a/fastcgi-2.5.te b/fastcgi-2.5.te index 6f95d7a..c691308 100644 --- a/fastcgi-2.5.te +++ b/fastcgi-2.5.te @@ -3,6 +3,8 @@ # packages for Fedora 5 onwards, and is a stepping stone to the merged policy included # as updates for selinux-policy in Fedora 8, 9, and 10. # +# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy +# # Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, # which is now an alias for httpd_sys_script_t. @@ -11,7 +13,6 @@ policy_module(fastcgi, 0.2.6) require { type devpts_t; type httpd_t; - type httpd_config_t; type httpd_log_t; type httpd_sys_content_t; type httpd_sys_content_ra_t; @@ -38,32 +39,17 @@ typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; typealias httpd_sys_script_t alias httpd_fastcgi_script_t; typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; - # ========================================================== # Re-use httpd_sys_script_t for mod_fcgid apps # ========================================================== -# Included in selinux-policy 2.6.4 (F7) -#kernel_read_kernel_sysctls(httpd_sys_script_t) - -# Allow FastCGI applications to do DNS lookups -sysnet_dns_name_resolve(httpd_sys_script_t) - -# Allow FastCGI applications to read the routing table -allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms }; +# Allow web applications to call getpw* functions +auth_use_nsswitch(httpd_sys_script_t) # Allow httpd to create and use files and sockets for communicating with mod_fcgid -# Included in selinux-policy 2.6.4 (F7) apart from dir setattr -#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) -#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) +# Rules to do this are already in selinux-policy apart from dir setattr setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) -# Allow httpd to read httpd_sys_content_t -# Included in selinux-policy 2.6.4 (F7) -#allow httpd_t httpd_sys_content_t:dir list_dir_perms; -#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) -#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) - # Allow FastCGI applications to listen for FastCGI requests on their # sockets and respond to them allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; @@ -72,66 +58,6 @@ allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; dontaudit httpd_t devpts_t:chr_file ioctl; dontaudit httpd_sys_script_t httpd_log_t:file ioctl; -# ====================================================== -# Rules cribbed from recent httpd_sys_script_t policy -# ====================================================== - -# Included in selinux-policy 2.6.4 (F7) -#dontaudit httpd_sys_script_t httpd_config_t:dir search; -# -#fs_search_auto_mountpoints(httpd_sys_script_t) - # PHP uploads a file to /tmp and then execs programs to action them -# Included in selinux-policy 2.6.4 (F7) apart from filetrans -#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) -#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) +# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) - -# Included in selinux-policy 2.6.4 (F7) -#files_search_var_lib(httpd_sys_script_t) -#files_search_spool(httpd_sys_script_t) - -# Should we add a boolean? -# Included in selinux-policy 2.6.4 (F7) -#apache_domtrans_rotatelogs(httpd_sys_script_t) - -# Included in selinux-policy 2.6.4 (F7) -#ifdef(`distro_redhat',` -# allow httpd_sys_script_t httpd_log_t:file { getattr append }; -#') -# -#ifdef(`targeted_policy',` -# tunable_policy(`httpd_enable_homedirs',` -# userdom_search_generic_user_home_dirs(httpd_sys_script_t) -# ') -#') -# -#tunable_policy(`httpd_use_nfs', ` -# fs_read_nfs_files(httpd_sys_script_t) -# fs_read_nfs_symlinks(httpd_sys_script_t) -#') -# -#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -# fs_read_nfs_files(httpd_sys_script_t) -# fs_read_nfs_symlinks(httpd_sys_script_t) -#') -# -#tunable_policy(`httpd_use_cifs', ` -# fs_read_cifs_files(httpd_sys_script_t) -# fs_read_cifs_symlinks(httpd_sys_script_t) -#') -# -#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -# fs_read_cifs_files(httpd_sys_script_t) -# fs_read_cifs_symlinks(httpd_sys_script_t) -#') -# -#optional_policy(` -# mysql_stream_connect(httpd_sys_script_t) -# mysql_rw_db_sockets(httpd_sys_script_t) -#') -# -#optional_policy(` -# clamav_domtrans_clamscan(httpd_sys_script_t) -#') - diff --git a/fastcgi.te b/fastcgi.te index b16cc87..ced8eb5 100644 --- a/fastcgi.te +++ b/fastcgi.te @@ -1,17 +1,18 @@ -policy_module(fastcgi, 0.1.10) - # This policy module provides support for mod_fcgid using the httpd system script domain. # It provides "allow" rules that will overlap to varying degrees with selinux-policy # packages for Fedora 5 onwards, and is a stepping stone to the merged policy included # as updates for selinux-policy in Fedora 8, 9, and 10. # +# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy +# # Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, # which is now an alias for httpd_sys_script_t. +policy_module(fastcgi, 0.1.10) + require { type devpts_t; type httpd_t; - #type httpd_config_t; type httpd_log_t; type httpd_sys_content_t; type httpd_sys_content_ra_t; @@ -42,29 +43,15 @@ typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; # Re-use httpd_sys_script_t for mod_fcgid apps # ========================================================== -# Included in selinux-policy 2.3.7 (FC5) -#kernel_read_kernel_sysctls(httpd_sys_script_t) - -# Allow FastCGI applications to do DNS lookups -sysnet_dns_name_resolve(httpd_sys_script_t) - -# Allow FastCGI applications to read the routing table -allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms }; +# Allow web applications to call getpw* functions +auth_use_nsswitch(httpd_sys_script_t) +#sysnet_dns_name_resolve(httpd_sys_script_t) +#allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms }; # Allow httpd to create and use files and sockets for communicating with mod_fcgid -# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr -#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr }; -#allow httpd_t httpd_var_run_t:file { create_file_perms }; -#allow httpd_t httpd_var_run_t:sock_file { create_file_perms }; +# Rules to do this are already in selinux-policy apart from dir setattr allow httpd_t httpd_var_run_t:dir setattr; -# Allow httpd to read httpd_sys_content_t -# (shouldn't this be in the content template?) -# Included in selinux-policy 2.3.7 (FC5) -#allow httpd_t httpd_sys_content_t:dir r_dir_perms; -#allow httpd_t httpd_sys_content_t:file r_file_perms; -#allow httpd_t httpd_sys_content_t:lnk_file { getattr read }; - # Allow FastCGI applications to listen for FastCGI requests on their # sockets and respond to them allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; @@ -73,13 +60,7 @@ allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; dontaudit httpd_t devpts_t:chr_file ioctl; dontaudit httpd_sys_script_t httpd_log_t:file ioctl; -# ====================================================== -# Rules cribbed from recent httpd_sys_script_t policy -# ====================================================== - -# Included in selinux-policy 2.3.7 (FC5) -#dontaudit httpd_sys_script_t httpd_config_t:dir search; - +# Search automount filesystem to use automatically mounted filesystems fs_search_auto_mountpoints(httpd_sys_script_t) # PHP uploads a file to /tmp and then execs programs to action them @@ -87,42 +68,12 @@ allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms; allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms; files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) -# Included in selinux-policy 2.3.7 (FC5) -#files_search_var_lib(httpd_sys_script_t) -#files_search_spool(httpd_sys_script_t) - -# Should we add a boolean? -# Included in selinux-policy 2.3.7 (FC5) -#apache_domtrans_rotatelogs(httpd_sys_script_t) - -# Included in selinux-policy 2.3.7 (FC5) -#ifdef(`distro_redhat',` -# allow httpd_sys_script_t httpd_log_t:file { getattr append }; -#') -# -#ifdef(`targeted_policy',` -# tunable_policy(`httpd_enable_homedirs',` -# userdom_search_generic_user_home_dirs(httpd_sys_script_t) -# ') -#') - +# Support network home directories tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) ') - -# Included in selinux-policy 2.3.7 (FC5) -#optional_policy(` -# mysql_stream_connect(httpd_sys_script_t) -# mysql_rw_db_sockets(httpd_sys_script_t) -#') -# -#optional_policy(` -# clamav_domtrans_clamscan(httpd_sys_script_t) -#') - diff --git a/mod_fcgid.spec b/mod_fcgid.spec index 2cf44c4..0b93f2b 100644 --- a/mod_fcgid.spec +++ b/mod_fcgid.spec @@ -1,14 +1,15 @@ # Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package # Fedora 8,9,10 versions will include policy in errata selinux-policy releases %if 0%{?fedora}%{?rhel} < 5 -%define selinux_module 0 -%define selinux_variants %{nil} -%define selinux_buildreqs %{nil} +%global selinux_module 0 +%global selinux_variants %{nil} +%global selinux_buildreqs %{nil} %else # Temporarily build merged policy to make sure it works -%define selinux_module 1 -%define selinux_variants mls strict targeted -%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink +%global selinux_module 1 +%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null) +%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types}) +%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink %endif Name: mod_fcgid @@ -160,6 +161,7 @@ exit 0 * Tue Oct 21 2008 Paul Howarth 2.2-6 - SELinux policy module rewritten to merge fastcgi and system script domains in preparation for merge into main selinux-policy package (#462318) +- Try to determine supported SELinux policy types by reading /etc/selinux/config * Thu Jul 24 2008 Paul Howarth 2.2-5 - Tweak selinux-policy version detection macro to work with current Rawhide