From ab94cf9fd06398c6ac882e16f437235c29c44b28 Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Wed, 22 Oct 2008 10:31:34 +0000
Subject: [PATCH] Merge fastcgi SELinux policy with system script policy
---
fastcgi-2.5.te | 192 ++++++++++++++++++-----------------
fastcgi.fc | 2 +-
fastcgi.te | 147 +++++++++++++++------------
mod_fcgid-2.1-README.SELinux | 65 ++++++------
mod_fcgid.spec | 12 ++-
5 files changed, 220 insertions(+), 198 deletions(-)
diff --git a/fastcgi-2.5.te b/fastcgi-2.5.te
index 9778b8f..6f95d7a 100644
--- a/fastcgi-2.5.te
+++ b/fastcgi-2.5.te
@@ -1,131 +1,137 @@ -policy_module(fastcgi, 0.2.2) +# This policy module provides support for mod_fcgid using the httpd system script domain. +# It provides "allow" rules that will overlap to varying degrees with selinux-policy +# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included +# as updates for selinux-policy in Fedora 8, 9, and 10. +# +# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, +# which is now an alias for httpd_sys_script_t. -type httpd_fastcgi_var_run_t; -files_type(httpd_fastcgi_var_run_t) +policy_module(fastcgi, 0.2.6) require { type devpts_t; type httpd_t; type httpd_config_t; type httpd_log_t; - type httpd_sys_script_exec_t; type httpd_sys_content_t; + type httpd_sys_content_ra_t; + type httpd_sys_content_ro_t; + type httpd_sys_content_rw_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_ra_t; + type httpd_sys_script_ro_t; + type httpd_sys_script_rw_t; + type httpd_sys_script_t; type httpd_tmp_t; + type httpd_var_run_t; }; +# Type aliases for contexts used with older policy modules +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t; +typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t; +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + + # ========================================================== -# Create and use httpd_fastcgi_script_t for mod_fcgid apps +# Re-use httpd_sys_script_t for mod_fcgid apps # ========================================================== 
-apache_content_template(fastcgi) -kernel_read_kernel_sysctls(httpd_fastcgi_script_t) - -## -##

-## Allow FastCGI applications to write to public content -##

-##
-gen_tunable(allow_httpd_fastcgi_script_anon_write,false) - -## -##

-## Allow FastCGI applications to make outbound SMTP connections -##

-##
-gen_tunable(httpd_fastcgi_can_sendmail,false) - -tunable_policy(`allow_httpd_fastcgi_script_anon_write',` - miscfiles_manage_public_files(httpd_fastcgi_script_t) -') - -tunable_policy(`httpd_fastcgi_can_sendmail',` - corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t) - corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t) -') +# Included in selinux-policy 2.6.4 (F7) +#kernel_read_kernel_sysctls(httpd_sys_script_t) # Allow FastCGI applications to do DNS lookups -sysnet_dns_name_resolve(httpd_fastcgi_script_t) - -# Allow FastCGI applications to live alongside regular CGI apps -allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms }; -allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms }; +sysnet_dns_name_resolve(httpd_sys_script_t) # Allow FastCGI applications to read the routing table -allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms }; +allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms }; # Allow httpd to create and use files and sockets for communicating with mod_fcgid -manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t) -manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t) -setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t) +# Included in selinux-policy 2.6.4 (F7) apart from dir setattr +#manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) +#manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) +setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) -# Allow httpd to read httpd_fastcgi_content_t -allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms; -read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t) -read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t) +# Allow httpd to read httpd_sys_content_t +# Included in selinux-policy 2.6.4 (F7) +#allow httpd_t httpd_sys_content_t:dir list_dir_perms; 
+#read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) +#read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) # Allow FastCGI applications to listen for FastCGI requests on their # sockets and respond to them -allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; +allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; # These are probably leaked file descriptors dontaudit httpd_t devpts_t:chr_file ioctl; -dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl; +dontaudit httpd_sys_script_t httpd_log_t:file ioctl; # ====================================================== -# Equivalent policy cribbed from httpd_sys_script_t +# Rules cribbed from recent httpd_sys_script_t policy # ====================================================== -dontaudit httpd_fastcgi_script_t httpd_config_t:dir search; - -fs_search_auto_mountpoints(httpd_fastcgi_script_t) +# Included in selinux-policy 2.6.4 (F7) +#dontaudit httpd_sys_script_t httpd_config_t:dir search; +# +#fs_search_auto_mountpoints(httpd_sys_script_t) # PHP uploads a file to /tmp and then execs programs to action them -manage_dirs_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t) -manage_files_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t) -files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file }) +# Included in selinux-policy 2.6.4 (F7) apart from filetrans +#manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) +#manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) -files_search_var_lib(httpd_fastcgi_script_t) -files_search_spool(httpd_fastcgi_script_t) +# Included in selinux-policy 2.6.4 (F7) +#files_search_var_lib(httpd_sys_script_t) +#files_search_spool(httpd_sys_script_t) # Should we add a boolean? 
-apache_domtrans_rotatelogs(httpd_fastcgi_script_t) +# Included in selinux-policy 2.6.4 (F7) +#apache_domtrans_rotatelogs(httpd_sys_script_t) -ifdef(`distro_redhat',` - allow httpd_fastcgi_script_t httpd_log_t:file { getattr append }; -') - -ifdef(`targeted_policy',` - tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t) - ') -') - -tunable_policy(`httpd_use_nfs', ` - fs_read_nfs_files(httpd_fastcgi_script_t) - fs_read_nfs_symlinks(httpd_fastcgi_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_fastcgi_script_t) - fs_read_nfs_symlinks(httpd_fastcgi_script_t) -') - -tunable_policy(`httpd_use_cifs', ` - fs_read_cifs_files(httpd_fastcgi_script_t) - fs_read_cifs_symlinks(httpd_fastcgi_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_fastcgi_script_t) - fs_read_cifs_symlinks(httpd_fastcgi_script_t) -') - -optional_policy(` - mysql_stream_connect(httpd_fastcgi_script_t) - mysql_rw_db_sockets(httpd_fastcgi_script_t) -') - -optional_policy(` - clamav_domtrans_clamscan(httpd_fastcgi_script_t) -') +# Included in selinux-policy 2.6.4 (F7) +#ifdef(`distro_redhat',` +# allow httpd_sys_script_t httpd_log_t:file { getattr append }; +#') +# +#ifdef(`targeted_policy',` +# tunable_policy(`httpd_enable_homedirs',` +# userdom_search_generic_user_home_dirs(httpd_sys_script_t) +# ') +#') +# +#tunable_policy(`httpd_use_nfs', ` +# fs_read_nfs_files(httpd_sys_script_t) +# fs_read_nfs_symlinks(httpd_sys_script_t) +#') +# +#tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +# fs_read_nfs_files(httpd_sys_script_t) +# fs_read_nfs_symlinks(httpd_sys_script_t) +#') +# +#tunable_policy(`httpd_use_cifs', ` +# fs_read_cifs_files(httpd_sys_script_t) +# fs_read_cifs_symlinks(httpd_sys_script_t) +#') +# +#tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +# fs_read_cifs_files(httpd_sys_script_t) +# 
fs_read_cifs_symlinks(httpd_sys_script_t)
+#')
+#
+#optional_policy(`
+# mysql_stream_connect(httpd_sys_script_t)
+# mysql_rw_db_sockets(httpd_sys_script_t)
+#')
+#
+#optional_policy(`
+# clamav_domtrans_clamscan(httpd_sys_script_t)
+#')
diff --git a/fastcgi.fc b/fastcgi.fc
index bb97dfb..2006d97 100644
--- a/fastcgi.fc
+++ b/fastcgi.fc
@@ -1 +1 @@
-/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_var_run_t,s0)
+/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/fastcgi.te b/fastcgi.te
index 9d5fb37..b16cc87 100644
--- a/fastcgi.te
+++ b/fastcgi.te
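Review bot: `sysnet_dns_name_resolve(httpd_sys_script_t)` and the `allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms };` rule are now unconditional grants to every httpd_sys_script_t process on the host, not just the FastCGI applications the old httpd_fastcgi_script_t domain confined; if the base apache policy gates script network access behind the httpd_can_network_connect boolean (not visible from this hunk), this module silently bypasses that boolean for all CGI scripts. Either wrap the DNS rule in a tunable_policy block keyed on httpd_can_network_connect, or, if unconditional access is intended, say so next to it, e.g. `# NOTE: applies to every httpd_sys_script_t process, not only FastCGI apps`. Separately, `type httpd_config_t;` is still listed in the require block although its only user (the httpd_config_t dontaudit) is now commented out, whereas fastcgi.te comments the require out as well; keeping the two variants consistent avoids carrying a dangling require.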
@@ -1,111 +1,128 @@ -policy_module(fastcgi, 0.1.9) +policy_module(fastcgi, 0.1.10) -type httpd_fastcgi_var_run_t; -files_type(httpd_fastcgi_var_run_t) +# This policy module provides support for mod_fcgid using the httpd system script domain. +# It provides "allow" rules that will overlap to varying degrees with selinux-policy +# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included +# as updates for selinux-policy in Fedora 8, 9, and 10. +# +# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, +# which is now an alias for httpd_sys_script_t. require { type devpts_t; type httpd_t; - type httpd_config_t; + #type httpd_config_t; type httpd_log_t; - type httpd_sys_script_exec_t; type httpd_sys_content_t; + type httpd_sys_content_ra_t; + type httpd_sys_content_ro_t; + type httpd_sys_content_rw_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_ra_t; + type httpd_sys_script_ro_t; + type httpd_sys_script_rw_t; + type httpd_sys_script_t; type httpd_tmp_t; + type httpd_var_run_t; }; +# Type aliases for contexts used with older policy modules +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t; +typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t; +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + # ========================================================== -# Create and use httpd_fastcgi_script_t for mod_fcgid apps +# Re-use httpd_sys_script_t for mod_fcgid apps # 
========================================================== -apache_content_template(fastcgi) -kernel_read_kernel_sysctls(httpd_fastcgi_script_t) - -## -##

-## Allow FastCGI applications to make outbound SMTP connections -##

-##
-gen_tunable(httpd_fastcgi_can_sendmail,false) - -tunable_policy(`httpd_fastcgi_can_sendmail',` - corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t) - corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t) -') +# Included in selinux-policy 2.3.7 (FC5) +#kernel_read_kernel_sysctls(httpd_sys_script_t) # Allow FastCGI applications to do DNS lookups -sysnet_dns_name_resolve(httpd_fastcgi_script_t) - -# Allow FastCGI applications to live alongside regular CGI apps -allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms }; -allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms }; +sysnet_dns_name_resolve(httpd_sys_script_t) # Allow FastCGI applications to read the routing table -allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms }; +allow httpd_sys_script_t self:netlink_route_socket { r_netlink_socket_perms }; # Allow httpd to create and use files and sockets for communicating with mod_fcgid -allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr }; -allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms }; -allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms }; +# Included in selinux-policy 2.3.7 (FC5) apart from dir setattr +#allow httpd_t httpd_var_run_t:dir { rw_dir_perms setattr }; +#allow httpd_t httpd_var_run_t:file { create_file_perms }; +#allow httpd_t httpd_var_run_t:sock_file { create_file_perms }; +allow httpd_t httpd_var_run_t:dir setattr; -# Allow httpd to read httpd_fastcgi_content_t +# Allow httpd to read httpd_sys_content_t # (shouldn't this be in the content template?) 
-allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms; -allow httpd_t httpd_fastcgi_content_t:file r_file_perms; -allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read }; +# Included in selinux-policy 2.3.7 (FC5) +#allow httpd_t httpd_sys_content_t:dir r_dir_perms; +#allow httpd_t httpd_sys_content_t:file r_file_perms; +#allow httpd_t httpd_sys_content_t:lnk_file { getattr read }; # Allow FastCGI applications to listen for FastCGI requests on their # sockets and respond to them -allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; +allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; # These are probably leaked file descriptors dontaudit httpd_t devpts_t:chr_file ioctl; -dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl; +dontaudit httpd_sys_script_t httpd_log_t:file ioctl; # ====================================================== -# Equivalent policy cribbed from httpd_sys_script_t +# Rules cribbed from recent httpd_sys_script_t policy # ====================================================== -dontaudit httpd_fastcgi_script_t httpd_config_t:dir search; +# Included in selinux-policy 2.3.7 (FC5) +#dontaudit httpd_sys_script_t httpd_config_t:dir search; -fs_search_auto_mountpoints(httpd_fastcgi_script_t) +fs_search_auto_mountpoints(httpd_sys_script_t) # PHP uploads a file to /tmp and then execs programs to action them -allow httpd_fastcgi_script_t httpd_tmp_t:dir manage_dir_perms; -allow httpd_fastcgi_script_t httpd_tmp_t:file manage_file_perms; -files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file }) +allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms; +allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms; +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) -files_search_var_lib(httpd_fastcgi_script_t) -files_search_spool(httpd_fastcgi_script_t) +# Included in selinux-policy 
2.3.7 (FC5) +#files_search_var_lib(httpd_sys_script_t) +#files_search_spool(httpd_sys_script_t) # Should we add a boolean? -apache_domtrans_rotatelogs(httpd_fastcgi_script_t) +# Included in selinux-policy 2.3.7 (FC5) +#apache_domtrans_rotatelogs(httpd_sys_script_t) -ifdef(`distro_redhat',` - allow httpd_fastcgi_script_t httpd_log_t:file { getattr append }; -') - -ifdef(`targeted_policy',` - tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t) - ') -') +# Included in selinux-policy 2.3.7 (FC5) +#ifdef(`distro_redhat',` +# allow httpd_sys_script_t httpd_log_t:file { getattr append }; +#') +# +#ifdef(`targeted_policy',` +# tunable_policy(`httpd_enable_homedirs',` +# userdom_search_generic_user_home_dirs(httpd_sys_script_t) +# ') +#') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_fastcgi_script_t) - fs_read_nfs_symlinks(httpd_fastcgi_script_t) + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_fastcgi_script_t) - fs_read_cifs_symlinks(httpd_fastcgi_script_t) + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) ') -optional_policy(` - mysql_stream_connect(httpd_fastcgi_script_t) - mysql_rw_db_sockets(httpd_fastcgi_script_t) -') - -optional_policy(` - clamav_domtrans_clamscan(httpd_fastcgi_script_t) -') +# Included in selinux-policy 2.3.7 (FC5) +#optional_policy(` +# mysql_stream_connect(httpd_sys_script_t) +# mysql_rw_db_sockets(httpd_sys_script_t) +#') +# +#optional_policy(` +# clamav_domtrans_clamscan(httpd_sys_script_t) +#') diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux index d2f0c9c..5165376 100644 --- a/mod_fcgid-2.1-README.SELinux +++ b/mod_fcgid-2.1-README.SELinux 
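Review bot: The `typealias` block quietly turns the old fastcgi/sys separation into a no-op: anything still labelled `httpd_fastcgi_script_rw_t` (or any other httpd_fastcgi_* type) is now literally the same type as its httpd_sys_* counterpart, so every httpd_sys_script_t process can reach it, yet the header comment only says the domain became an alias. A comment on the block would make the trade-off explicit for anyone running a mixed CGI/FastCGI host, e.g. `# NOTE: aliasing removes the fastcgi/sys separation; all system scripts can now access former httpd_fastcgi_* content`. Also, `files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })` is now a type_transition added to a domain owned by the base module; unlike the duplicate allow rules that were commented out, a second type_transition for the same source/target/class cannot be merged and would make the module fail to link if a later selinux-policy ships its own tmp_t transition for httpd_sys_script_t, so this is worth confirming per target release rather than assuming.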
@@ -4,67 +4,60 @@ Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5 or later include an SELinux policy module to support FastCGI applications. This has only been tested so far with moin, so feedback from other applications -is welcome. The intention is for this module to be included in the SELinux -reference policy eventually. +is welcome. The policy included here is a transitional policy that will soon +be included in the selinux-policy package for Fedora 8 onwards, and the +mod_fcgid-selinux package will be obsoleted when that happens. The module source (fastcgi.{fc,te}) is included for reference as documentation in the package. -The module introduces a new set of SELinux types for FastCGI applications, -comparable with the types described in "man httpd_selinux" for regular CGI -scripts (or "system scripts" as they are known in SELinux): +The module uses the same set of SELinux types for FastCGI applications as for +regular CGI scripts (or "system scripts" as they are known in SELinux), as +described in "man httpd_selinux". - * httpd_fastcgi_content_t (equivalent to httpd_sys_content_t) - - Set files with httpd_fastcgi_content_t for content that is available + * httpd_sys_content_t + - Set files with httpd_sys_content_t for content that is available from all FastCGI scripts and the daemon. - * httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t) - - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run - with access to all fastcgi types. + * httpd_sys_script_exec_t + - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run + with access to all system script types. - * httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t) - - Set files with httpd_fastcgi_script_ro_t if you want - httpd_fastcgi_script_exec_t scripts to read the data, and disallow other - non-fastcgi scripts from access. 
+ * httpd_sys_script_ro_t + - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t + scripts to read but not write the data, and disallow other processes from + access. - * httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t) - - Set files with httpd_fastcgi_script_rw_t if you want - httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow - other non-fastcgi scripts from access. + * httpd_sys_script_rw_t + - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t + scripts to read/write the data, and disallow other processes from access. - * httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t) - - Set files with httpd_fastcgi_script_ra_t if you want - httpd_fastcgi_script_exec_t scripts to read/append to the file, and - disallow other non-fastcgi scripts from access. + * httpd_sys_script_ra_t + - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t + scripts to read/append to the file, and disallow other processes from + access. So for the moin wiki layout described in README.RPM of the main mod_fcgid package, the contexts would be set as follows: cd /var/www/mywiki - chcon -t httpd_fastcgi_content_t . - chcon -R -t httpd_fastcgi_script_exec_t cgi-bin - chcon -R -t httpd_fastcgi_script_rw_t data underlay + chcon -t httpd_sys_content_t . + chcon -R -t httpd_sys_script_exec_t cgi-bin + chcon -R -t httpd_sys_script_rw_t data underlay It is necessary to turn on the httpd_enable_cgi boolean to run either regular or FastCGI scripts: setsebool -P httpd_enable_cgi 1 -If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access -each other's data. This means that you only need to set the actual FastCGI -scripts themselves to httpd_fastcgi_script_exec_t and can leave the file -contexts for everything else set to the "sys" types if you prefer. This is -useful if you have a mixture of CGI and FastCGI applications accessing the -same data. 
- -The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your -FastCGI applications can make outbound SMTP connections (e.g. moin sending +The httpd_can_sendmail boolean is used to specify whether any of your +web applications can make outbound SMTP connections (e.g. moin sending notifications). By default it is off, but can be enabled as follows: - setsebool -P httpd_fastcgi_can_sendmail 1 + setsebool -P httpd_can_sendmail 1 Only enable this functionality if you actually need it, since it increases the -chances that any vulnerability in any of your FastCGI applications could be +chances that any vulnerability in any of your web applications could be exploited by a spammer. If you have any questions or issues regarding FastCGI and SELinux, please don't diff --git a/mod_fcgid.spec b/mod_fcgid.spec index f9b56e0..2cf44c4 100644 --- a/mod_fcgid.spec +++ b/mod_fcgid.spec @@ -1,9 +1,11 @@ -# FC5, RHEL5 and later include SELinux policy module packages +# Fedora 5,6,7 and EPEL5 versions includes SELinux policy module package +# Fedora 8,9,10 versions will include policy in errata selinux-policy releases %if 0%{?fedora}%{?rhel} < 5 %define selinux_module 0 %define selinux_variants %{nil} %define selinux_buildreqs %{nil} %else +# Temporarily build merged policy to make sure it works %define selinux_module 1 %define selinux_variants mls strict targeted %define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink @@ -11,7 +13,7 @@ Name: mod_fcgid Version: 2.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Apache2 module for high-performance server-side scripting Group: System Environment/Daemons License: GPL+ @@ -122,7 +124,7 @@ do /usr/sbin/semodule -s ${selinuxvariant} -i \ %{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || : done -# Fix up non-standard directory context +# Fix up non-standard directory context from earlier packages /sbin/restorecon -R %{_localstatedir}/run/mod_fcgid || : %postun selinux 
@@ -155,6 +157,10 @@ exit 0 %endif %changelog +* Tue Oct 21 2008 Paul Howarth 2.2-6 +- SELinux policy module rewritten to merge fastcgi and system script domains + in preparation for merge into main selinux-policy package (#462318) + * Thu Jul 24 2008 Paul Howarth 2.2-5 - Tweak selinux-policy version detection macro to work with current Rawhide