Merge fastcgi SELinux policy with system script policy
This commit is contained in:
Paul Howarth
parent
9906fbf7c2
commit
ab94cf9fd0
192
fastcgi-2.5.te
192
fastcgi-2.5.te
@ -1,131 +1,137 @@
|
||||
policy_module(fastcgi, 0.2.2)
|
||||
# This policy module provides support for mod_fcgid using the httpd system script domain.
|
||||
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
|
||||
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
|
||||
# as updates for selinux-policy in Fedora 8, 9, and 10.
|
||||
#
|
||||
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
|
||||
# which is now an alias for httpd_sys_script_t.
|
||||
|
||||
type httpd_fastcgi_var_run_t;
|
||||
files_type(httpd_fastcgi_var_run_t)
|
||||
policy_module(fastcgi, 0.2.6)
|
||||
|
||||
require {
|
||||
type devpts_t;
|
||||
type httpd_t;
|
||||
type httpd_config_t;
|
||||
type httpd_log_t;
|
||||
type httpd_sys_script_exec_t;
|
||||
type httpd_sys_content_t;
|
||||
type httpd_sys_content_ra_t;
|
||||
type httpd_sys_content_ro_t;
|
||||
type httpd_sys_content_rw_t;
|
||||
type httpd_sys_script_exec_t;
|
||||
type httpd_sys_script_ra_t;
|
||||
type httpd_sys_script_ro_t;
|
||||
type httpd_sys_script_rw_t;
|
||||
type httpd_sys_script_t;
|
||||
type httpd_tmp_t;
|
||||
type httpd_var_run_t;
|
||||
};
|
||||
|
||||
# Type aliases for contexts used with older policy modules
|
||||
typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
||||
typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
|
||||
typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
|
||||
typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
||||
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
|
||||
typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
|
||||
typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
||||
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
|
||||
|
||||
# ==========================================================
|
||||
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
|
||||
# Re-use httpd_sys_script_t for mod_fcgid apps
|
||||
# ==========================================================
|
||||
|
||||
apache_content_template(fastcgi)
|
||||
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow FastCGI applications to write to public content
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_httpd_fastcgi_script_anon_write,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow FastCGI applications to make outbound SMTP connections
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_fastcgi_can_sendmail,false)
|
||||
|
||||
tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
|
||||
miscfiles_manage_public_files(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_fastcgi_can_sendmail',`
|
||||
corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
|
||||
corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
|
||||
')
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to do DNS lookups
|
||||
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
|
||||
|
||||
# Allow FastCGI applications to live alongside regular CGI apps
|
||||
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
|
||||
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
|
||||
sysnet_dns_name_resolve(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to read the routing table
|
||||
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
|
||||
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
||||
manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
|
||||
manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
|
||||
setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
|
||||
# Included in selinux-policy 2.6.4 (F7) apart from dir setattr
|
||||
#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
||||
#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
||||
setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
|
||||
|
||||
# Allow httpd to read httpd_fastcgi_content_t
|
||||
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
|
||||
read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
|
||||
# Allow httpd to read httpd_sys_content_t
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
||||
#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
|
||||
#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
|
||||
|
||||
# Allow FastCGI applications to listen for FastCGI requests on their
|
||||
# sockets and respond to them
|
||||
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
|
||||
# These are probably leaked file descriptors
|
||||
dontaudit httpd_t devpts_t:chr_file ioctl;
|
||||
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
||||
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# ======================================================
|
||||
# Equivalent policy cribbed from httpd_sys_script_t
|
||||
# Rules cribbed from recent httpd_sys_script_t policy
|
||||
# ======================================================
|
||||
|
||||
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
|
||||
|
||||
fs_search_auto_mountpoints(httpd_fastcgi_script_t)
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
#
|
||||
#fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
|
||||
# PHP uploads a file to /tmp and then execs programs to action them
|
||||
manage_dirs_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t)
|
||||
manage_files_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t)
|
||||
files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
# Included in selinux-policy 2.6.4 (F7) apart from filetrans
|
||||
#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
|
||||
#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
|
||||
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
files_search_var_lib(httpd_fastcgi_script_t)
|
||||
files_search_spool(httpd_fastcgi_script_t)
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#files_search_var_lib(httpd_sys_script_t)
|
||||
#files_search_spool(httpd_sys_script_t)
|
||||
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_nfs', `
|
||||
fs_read_nfs_files(httpd_fastcgi_script_t)
|
||||
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_fastcgi_script_t)
|
||||
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_cifs', `
|
||||
fs_read_cifs_files(httpd_fastcgi_script_t)
|
||||
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_fastcgi_script_t)
|
||||
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_fastcgi_script_t)
|
||||
mysql_rw_db_sockets(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_domtrans_clamscan(httpd_fastcgi_script_t)
|
||||
')
|
||||
# Included in selinux-policy 2.6.4 (F7)
|
||||
#ifdef(`distro_redhat',`
|
||||
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
#')
|
||||
#
|
||||
#ifdef(`targeted_policy',`
|
||||
# tunable_policy(`httpd_enable_homedirs',`
|
||||
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
||||
# ')
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_use_nfs', `
|
||||
# fs_read_nfs_files(httpd_sys_script_t)
|
||||
# fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
# fs_read_nfs_files(httpd_sys_script_t)
|
||||
# fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_use_cifs', `
|
||||
# fs_read_cifs_files(httpd_sys_script_t)
|
||||
# fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
# fs_read_cifs_files(httpd_sys_script_t)
|
||||
# fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#optional_policy(`
|
||||
# mysql_stream_connect(httpd_sys_script_t)
|
||||
# mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#optional_policy(`
|
||||
# clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
#')
|
||||
|
||||
|
||||
@ -1 +1 @@
|
||||
/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_var_run_t,s0)
|
||||
/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
147
fastcgi.te
147
fastcgi.te
@ -1,111 +1,128 @@
|
||||
policy_module(fastcgi, 0.1.9)
|
||||
policy_module(fastcgi, 0.1.10)
|
||||
|
||||
type httpd_fastcgi_var_run_t;
|
||||
files_type(httpd_fastcgi_var_run_t)
|
||||
# This policy module provides support for mod_fcgid using the httpd system script domain.
|
||||
# It provides "allow" rules that will overlap to varying degrees with selinux-policy
|
||||
# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
|
||||
# as updates for selinux-policy in Fedora 8, 9, and 10.
|
||||
#
|
||||
# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
|
||||
# which is now an alias for httpd_sys_script_t.
|
||||
|
||||
require {
|
||||
type devpts_t;
|
||||
type httpd_t;
|
||||
type httpd_config_t;
|
||||
#type httpd_config_t;
|
||||
type httpd_log_t;
|
||||
type httpd_sys_script_exec_t;
|
||||
type httpd_sys_content_t;
|
||||
type httpd_sys_content_ra_t;
|
||||
type httpd_sys_content_ro_t;
|
||||
type httpd_sys_content_rw_t;
|
||||
type httpd_sys_script_exec_t;
|
||||
type httpd_sys_script_ra_t;
|
||||
type httpd_sys_script_ro_t;
|
||||
type httpd_sys_script_rw_t;
|
||||
type httpd_sys_script_t;
|
||||
type httpd_tmp_t;
|
||||
type httpd_var_run_t;
|
||||
};
|
||||
|
||||
# Type aliases for contexts used with older policy modules
|
||||
typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
||||
typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
|
||||
typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
|
||||
typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
||||
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
|
||||
typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
|
||||
typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
||||
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
|
||||
# ==========================================================
|
||||
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
|
||||
# Re-use httpd_sys_script_t for mod_fcgid apps
|
||||
# ==========================================================
|
||||
|
||||
apache_content_template(fastcgi)
|
||||
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow FastCGI applications to make outbound SMTP connections
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_fastcgi_can_sendmail,false)
|
||||
|
||||
tunable_policy(`httpd_fastcgi_can_sendmail',`
|
||||
corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
|
||||
corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
|
||||
')
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to do DNS lookups
|
||||
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
|
||||
|
||||
# Allow FastCGI applications to live alongside regular CGI apps
|
||||
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
|
||||
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
|
||||
sysnet_dns_name_resolve(httpd_sys_script_t)
|
||||
|
||||
# Allow FastCGI applications to read the routing table
|
||||
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
|
||||
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
||||
allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };
|
||||
allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };
|
||||
allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };
|
||||
# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr
|
||||
#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr };
|
||||
#allow httpd_t httpd_var_run_t:file { create_file_perms };
|
||||
#allow httpd_t httpd_var_run_t:sock_file { create_file_perms };
|
||||
allow httpd_t httpd_var_run_t:dir setattr;
|
||||
|
||||
# Allow httpd to read httpd_fastcgi_content_t
|
||||
# Allow httpd to read httpd_sys_content_t
|
||||
# (shouldn't this be in the content template?)
|
||||
allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms;
|
||||
allow httpd_t httpd_fastcgi_content_t:file r_file_perms;
|
||||
allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#allow httpd_t httpd_sys_content_t:dir r_dir_perms;
|
||||
#allow httpd_t httpd_sys_content_t:file r_file_perms;
|
||||
#allow httpd_t httpd_sys_content_t:lnk_file { getattr read };
|
||||
|
||||
# Allow FastCGI applications to listen for FastCGI requests on their
|
||||
# sockets and respond to them
|
||||
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
|
||||
# These are probably leaked file descriptors
|
||||
dontaudit httpd_t devpts_t:chr_file ioctl;
|
||||
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
||||
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# ======================================================
|
||||
# Equivalent policy cribbed from httpd_sys_script_t
|
||||
# Rules cribbed from recent httpd_sys_script_t policy
|
||||
# ======================================================
|
||||
|
||||
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
fs_search_auto_mountpoints(httpd_fastcgi_script_t)
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
|
||||
# PHP uploads a file to /tmp and then execs programs to action them
|
||||
allow httpd_fastcgi_script_t httpd_tmp_t:dir manage_dir_perms;
|
||||
allow httpd_fastcgi_script_t httpd_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
|
||||
allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
files_search_var_lib(httpd_fastcgi_script_t)
|
||||
files_search_spool(httpd_fastcgi_script_t)
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#files_search_var_lib(httpd_sys_script_t)
|
||||
#files_search_spool(httpd_sys_script_t)
|
||||
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
|
||||
')
|
||||
')
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#ifdef(`distro_redhat',`
|
||||
# allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
#')
|
||||
#
|
||||
#ifdef(`targeted_policy',`
|
||||
# tunable_policy(`httpd_enable_homedirs',`
|
||||
# userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
||||
# ')
|
||||
#')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_fastcgi_script_t)
|
||||
fs_read_nfs_symlinks(httpd_fastcgi_script_t)
|
||||
fs_read_nfs_files(httpd_sys_script_t)
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_fastcgi_script_t)
|
||||
fs_read_cifs_symlinks(httpd_fastcgi_script_t)
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_fastcgi_script_t)
|
||||
mysql_rw_db_sockets(httpd_fastcgi_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_domtrans_clamscan(httpd_fastcgi_script_t)
|
||||
')
|
||||
# Included in selinux-policy 2.3.7 (FC5)
|
||||
#optional_policy(`
|
||||
# mysql_stream_connect(httpd_sys_script_t)
|
||||
# mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
#')
|
||||
#
|
||||
#optional_policy(`
|
||||
# clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
#')
|
||||
|
||||
|
||||
@ -4,67 +4,60 @@ Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
|
||||
Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
|
||||
or later include an SELinux policy module to support FastCGI applications.
|
||||
This has only been tested so far with moin, so feedback from other applications
|
||||
is welcome. The intention is for this module to be included in the SELinux
|
||||
reference policy eventually.
|
||||
is welcome. The policy included here is a transitional policy that will soon
|
||||
be included in the selinux-policy package for Fedora 8 onwards, and the
|
||||
mod_fcgid-selinux package will be obsoleted when that happens.
|
||||
|
||||
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
||||
in the package.
|
||||
|
||||
The module introduces a new set of SELinux types for FastCGI applications,
|
||||
comparable with the types described in "man httpd_selinux" for regular CGI
|
||||
scripts (or "system scripts" as they are known in SELinux):
|
||||
The module uses the same set of SELinux types for FastCGI applications as for
|
||||
regular CGI scripts (or "system scripts" as they are known in SELinux), as
|
||||
described in "man httpd_selinux".
|
||||
|
||||
* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
|
||||
- Set files with httpd_fastcgi_content_t for content that is available
|
||||
* httpd_sys_content_t
|
||||
- Set files with httpd_sys_content_t for content that is available
|
||||
from all FastCGI scripts and the daemon.
|
||||
|
||||
* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
|
||||
- Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
|
||||
with access to all fastcgi types.
|
||||
* httpd_sys_script_exec_t
|
||||
- Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
|
||||
with access to all system script types.
|
||||
|
||||
* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
|
||||
- Set files with httpd_fastcgi_script_ro_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
|
||||
non-fastcgi scripts from access.
|
||||
* httpd_sys_script_ro_t
|
||||
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
|
||||
scripts to read but not write the data, and disallow other processes from
|
||||
access.
|
||||
|
||||
* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
|
||||
- Set files with httpd_fastcgi_script_rw_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
|
||||
other non-fastcgi scripts from access.
|
||||
* httpd_sys_script_rw_t
|
||||
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
|
||||
scripts to read/write the data, and disallow other processes from access.
|
||||
|
||||
* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
|
||||
- Set files with httpd_fastcgi_script_ra_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
|
||||
disallow other non-fastcgi scripts from access.
|
||||
* httpd_sys_script_ra_t
|
||||
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
|
||||
scripts to read/append to the file, and disallow other processes from
|
||||
access.
|
||||
|
||||
So for the moin wiki layout described in README.RPM of the main mod_fcgid
|
||||
package, the contexts would be set as follows:
|
||||
|
||||
cd /var/www/mywiki
|
||||
chcon -t httpd_fastcgi_content_t .
|
||||
chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
|
||||
chcon -R -t httpd_fastcgi_script_rw_t data underlay
|
||||
chcon -t httpd_sys_content_t .
|
||||
chcon -R -t httpd_sys_script_exec_t cgi-bin
|
||||
chcon -R -t httpd_sys_script_rw_t data underlay
|
||||
|
||||
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
||||
or FastCGI scripts:
|
||||
|
||||
setsebool -P httpd_enable_cgi 1
|
||||
|
||||
If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
|
||||
each other's data. This means that you only need to set the actual FastCGI
|
||||
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
|
||||
contexts for everything else set to the "sys" types if you prefer. This is
|
||||
useful if you have a mixture of CGI and FastCGI applications accessing the
|
||||
same data.
|
||||
|
||||
The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
|
||||
FastCGI applications can make outbound SMTP connections (e.g. moin sending
|
||||
The httpd_can_sendmail boolean is used to specify whether any of your
|
||||
web applications can make outbound SMTP connections (e.g. moin sending
|
||||
notifications). By default it is off, but can be enabled as follows:
|
||||
|
||||
setsebool -P httpd_fastcgi_can_sendmail 1
|
||||
setsebool -P httpd_can_sendmail 1
|
||||
|
||||
Only enable this functionality if you actually need it, since it increases the
|
||||
chances that any vulnerability in any of your FastCGI applications could be
|
||||
chances that any vulnerability in any of your web applications could be
|
||||
exploited by a spammer.
|
||||
|
||||
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
||||
|
||||
@ -1,9 +1,11 @@
|
||||
# FC5, RHEL5 and later include SELinux policy module packages
|
||||
# Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package
|
||||
# Fedora 8,9,10 versions will include policy in errata selinux-policy releases
|
||||
%if 0%{?fedora}%{?rhel} < 5
|
||||
%define selinux_module 0
|
||||
%define selinux_variants %{nil}
|
||||
%define selinux_buildreqs %{nil}
|
||||
%else
|
||||
# Temporarily build merged policy to make sure it works
|
||||
%define selinux_module 1
|
||||
%define selinux_variants mls strict targeted
|
||||
%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
|
||||
@ -11,7 +13,7 @@
|
||||
|
||||
Name: mod_fcgid
|
||||
Version: 2.2
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: Apache2 module for high-performance server-side scripting
|
||||
Group: System Environment/Daemons
|
||||
License: GPL+
|
||||
@ -122,7 +124,7 @@ do
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -i \
|
||||
%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
|
||||
done
|
||||
# Fix up non-standard directory context
|
||||
# Fix up non-standard directory context from earlier packages
|
||||
/sbin/restorecon -R %{_localstatedir}/run/mod_fcgid || :
|
||||
|
||||
%postun selinux
|
||||
@ -155,6 +157,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6
|
||||
- SELinux policy module rewritten to merge fastcgi and system script domains
|
||||
in preparation for merge into main selinux-policy package (#462318)
|
||||
|
||||
* Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5
|
||||
- Tweak selinux-policy version detection macro to work with current Rawhide
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user