Update SELinux policy to fix occasional failures on restarts (move shared
memory file into /var/run/mod_fcgid directory)
This commit is contained in:
parent
407b04f705
commit
b159474f91
@ -1,7 +1,7 @@
|
||||
policy_module(fastcgi, 0.2.1)
|
||||
policy_module(fastcgi, 0.2.2)
|
||||
|
||||
type httpd_fastcgi_sock_t;
|
||||
files_type(httpd_fastcgi_sock_t)
|
||||
type httpd_fastcgi_var_run_t;
|
||||
files_type(httpd_fastcgi_var_run_t)
|
||||
|
||||
require {
|
||||
type devpts_t;
|
||||
@ -53,9 +53,10 @@ allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
|
||||
# Allow FastCGI applications to read the routing table
|
||||
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
|
||||
# Allow httpd to create and use sockets for communicating with mod_fcgid
|
||||
manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
|
||||
allow httpd_t httpd_fastcgi_sock_t:dir { setattr };
|
||||
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
||||
manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
|
||||
manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
|
||||
setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
|
||||
|
||||
# Allow httpd to read httpd_fastcgi_content_t
|
||||
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
|
||||
@ -66,11 +67,9 @@ read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
|
||||
# sockets and respond to them
|
||||
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
|
||||
# FastCGI application doing something to the httpd error log
|
||||
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# Not sure what this is doing (happens when fastcgi scripts start)
|
||||
# These are probably leaked file descriptors
|
||||
dontaudit httpd_t devpts_t:chr_file ioctl;
|
||||
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# ======================================================
|
||||
# Equivalent policy cribbed from httpd_sys_script_t
|
||||
|
||||
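Review bot: The new manage_files_pattern / manage_sock_files_pattern / setattr_dirs_pattern rules for httpd_fastcgi_var_run_t only apply to objects that already carry that label, and nothing in this hunk makes httpd_t label /var/run/mod_fcgid that way if httpd has to (re)create the directory itself; a directory created fresh under /var/run would normally inherit var_run_t, and the shared memory file written into it would then be denied despite these rules. Adding `files_pid_filetrans(httpd_t, httpd_fastcgi_var_run_t, dir)` next to the manage rules would apply the label at creation time instead of relying on the restorecon in the package %post; the same applies to the other fastcgi.te variant (hunk @ -42,9 +42,10, which uses explicit `allow` rules rather than the patterns). Whether the directory ships with the package or is created by httpd at startup is not visible from this page. Separately, `dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;` appears twice within the hunk @ -66,11 +67,9; if both are on the new side one of them is redundant.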
@ -1 +1 @@
|
||||
/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_sock_t,s0)
|
||||
/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_var_run_t,s0)
|
||||
|
||||
19
fastcgi.te
19
fastcgi.te
@ -1,7 +1,7 @@
|
||||
policy_module(fastcgi, 0.1.8)
|
||||
policy_module(fastcgi, 0.1.9)
|
||||
|
||||
type httpd_fastcgi_sock_t;
|
||||
files_type(httpd_fastcgi_sock_t)
|
||||
type httpd_fastcgi_var_run_t;
|
||||
files_type(httpd_fastcgi_var_run_t)
|
||||
|
||||
require {
|
||||
type devpts_t;
|
||||
@ -42,9 +42,10 @@ allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
|
||||
# Allow FastCGI applications to read the routing table
|
||||
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
|
||||
# Allow httpd to create and use sockets for communicating with mod_fcgid
|
||||
allow httpd_t httpd_fastcgi_sock_t:dir { rw_dir_perms setattr };
|
||||
allow httpd_t httpd_fastcgi_sock_t:sock_file { create_file_perms };
|
||||
# Allow httpd to create and use files and sockets for communicating with mod_fcgid
|
||||
allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };
|
||||
allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };
|
||||
allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };
|
||||
|
||||
# Allow httpd to read httpd_fastcgi_content_t
|
||||
# (shouldn't this be in the content template?)
|
||||
@ -56,11 +57,9 @@ allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };
|
||||
# sockets and respond to them
|
||||
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
|
||||
|
||||
# FastCGI application doing something to the httpd error log
|
||||
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# Not sure what this is doing (happens when fastcgi scripts start)
|
||||
# These are probably leaked file descriptors
|
||||
dontaudit httpd_t devpts_t:chr_file ioctl;
|
||||
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
|
||||
|
||||
# ======================================================
|
||||
# Equivalent policy cribbed from httpd_sys_script_t
|
||||
|
||||
@ -13,4 +13,4 @@ LoadModule fcgid_module modules/mod_fcgid.so
|
||||
|
||||
# Sane place to put sockets and shared memory file
|
||||
SocketPath run/mod_fcgid
|
||||
SharememPath run/fcgid_shm
|
||||
SharememPath run/mod_fcgid/fcgid_shm
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
|
||||
Name: mod_fcgid
|
||||
Version: 2.2
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Apache2 module for high-performance server-side scripting
|
||||
Group: System Environment/Daemons
|
||||
License: GPL+
|
||||
@ -125,7 +125,7 @@ do
|
||||
%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
|
||||
done
|
||||
# Fix up non-standard directory context
|
||||
/sbin/restorecon %{_localstatedir}/run/mod_fcgid || :
|
||||
/sbin/restorecon -R %{_localstatedir}/run/mod_fcgid || :
|
||||
|
||||
%postun selinux
|
||||
# Clean up after package removal
|
||||
@ -157,6 +157,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 14 2008 Paul Howarth <paul@city-fan.org> 2.2-3
|
||||
- Update SELinux policy to fix occasional failures on restarts
|
||||
(move shared memory file into /var/run/mod_fcgid directory)
|
||||
|
||||
* Thu Jan 3 2008 Paul Howarth <paul@city-fan.org> 2.2-2
|
||||
- Update SELinux policy to support file transition to httpd_tmp_t for
|
||||
temporary files
|
||||
|
||||
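Review bot: The `%post selinux` change relabels only the new location, while the shared memory file that earlier releases created at `%{_localstatedir}/run/fcgid_shm` (the SharememPath value removed in the fcgid.conf hunk) is left behind on upgrade with whatever context it already had. If mod_fcgid does not remove its old shm file itself, it should be cleaned up once httpd has been restarted against the new configuration, e.g. `rm -f %{_localstatedir}/run/fcgid_shm || :`, or at least mentioned in the changelog entry; whether the module cleans it up is not visible here. The switch to `restorecon -R` is right now that the directory holds files, but note that a missing `%{_localstatedir}/run/mod_fcgid` at %post time is silently hidden by the `|| :`.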