Include the right README* files (pesky common filenames...)
This commit is contained in:
parent
dbeb0027f8
commit
d69dca6268
@ -65,65 +65,3 @@ CGI application.
|
||||
service httpd restart
|
||||
|
||||
That should do it!
|
||||
|
||||
mod_fcgid with SELinux
|
||||
======================
|
||||
|
||||
Versions of this package built for Fedora Core 5 or later include an SELinux
|
||||
policy module to support FastCGI applications. Again, this has only been tested
|
||||
with moin, so feedback from other applications is welcome. The intention is for
|
||||
this module to be included in the SELinux reference policy eventually.
|
||||
|
||||
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
||||
in the package.
|
||||
|
||||
The module introduces a new set of SELinux types for FastCGI applications,
|
||||
comparable with the types described in "man httpd_selinux" for regular CGI
|
||||
scripts (or "system scripts" as they are known in SELinux):
|
||||
|
||||
* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
|
||||
- Set files with httpd_fastcgi_content_t for content that is available
|
||||
from all FastCGI scripts and the daemon.
|
||||
|
||||
* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
|
||||
- Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
|
||||
with access to all fastcgi types.
|
||||
|
||||
* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
|
||||
- Set files with httpd_fastcgi_script_ro_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
|
||||
non-fastcgi scripts from access.
|
||||
|
||||
* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
|
||||
- Set files with httpd_fastcgi_script_rw_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
|
||||
other non-fastcgi scripts from access.
|
||||
|
||||
* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
|
||||
- Set files with httpd_fastcgi_script_ra_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
|
||||
disallow other non-fastcgi scripts from access.
|
||||
|
||||
So for the moin wiki layout described above, the contexts would be set as
|
||||
follows:
|
||||
|
||||
cd /var/www/mywiki
|
||||
chcon -t httpd_fastcgi_content_t .
|
||||
chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
|
||||
chcon -R -t httpd_fastcgi_script_rw_t data underlay
|
||||
|
||||
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
||||
or FastCGI scripts:
|
||||
|
||||
setsebool -P httpd_enable_cgi 1
|
||||
|
||||
If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
|
||||
each other's data. This means that you only need to set the actual FastCGI
|
||||
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
|
||||
contexts for everything else set to the "sys" types if you prefer. This is
|
||||
useful if you have a mixture of CGI and FastCGI applications accessing the
|
||||
same data.
|
||||
|
||||
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
||||
hesitate to bring them up on fedora-selinux-list.
|
||||
|
||||
|
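Review bot: With the SELinux section removed, the README now ends at "That should do it!" and nothing tells the reader that SELinux setup is documented in a separate file. Someone following the moin instructions on a system that uses the policy module would stop here without labelling cgi-bin, data and underlay. Suggest adding one line after "That should do it!" that points to the SELinux README shipped with the package.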
@ -1,48 +1,61 @@
|
||||
CONFIGURING SELINUX FOR CONTAGGED
|
||||
=================================
|
||||
Using mod_fcgid with SELinux in Fedora Core 5 onwards
|
||||
=====================================================
|
||||
|
||||
The contagged RPM package for Fedora Core 5 and later includes a policy module
|
||||
that ensures that all files required by the application get the correct
|
||||
SELinux file contexts.
|
||||
Versions of this package built for Fedora Core 5 or later include an SELinux
|
||||
policy module to support FastCGI applications. This has only been tested so far
|
||||
with moin, so feedback from other applications is welcome. The intention is for
|
||||
this module to be included in the SELinux reference policy eventually.
|
||||
|
||||
However, there are a few SELinux booleans you need to set in order to use
|
||||
contagged:
|
||||
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
||||
in the package.
|
||||
|
||||
# setsebool -P httpd_builtin_scripting 1
|
||||
# setsebool -P httpd_enable_cgi 1
|
||||
# setsebool -P httpd_unified 1
|
||||
The module introduces a new set of SELinux types for FastCGI applications,
|
||||
comparable with the types described in "man httpd_selinux" for regular CGI
|
||||
scripts (or "system scripts" as they are known in SELinux):
|
||||
|
||||
It is necessary to set these booleans because contagged is a PHP application.
|
||||
It is not necessary to set the httpd_can_network_connect boolean because the
|
||||
web server is allowed to connect to LDAP servers by default.
|
||||
* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
|
||||
- Set files with httpd_fastcgi_content_t for content that is available
|
||||
from all FastCGI scripts and the daemon.
|
||||
|
||||
If you are using an older distribution that does not support SELinux policy
|
||||
modules, you will need to set the file contexts manually:
|
||||
* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
|
||||
- Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
|
||||
with access to all fastcgi types.
|
||||
|
||||
# chcon -R -t httpd_cache_t /var/cache/contagged
|
||||
* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
|
||||
- Set files with httpd_fastcgi_script_ro_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
|
||||
non-fastcgi scripts from access.
|
||||
|
||||
You will need to repeat this step if the filesystem is relabelled.
|
||||
* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
|
||||
- Set files with httpd_fastcgi_script_rw_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
|
||||
other non-fastcgi scripts from access.
|
||||
|
||||
Once the configuration is set up as required, restart httpd:
|
||||
* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
|
||||
- Set files with httpd_fastcgi_script_ra_t if you want
|
||||
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
|
||||
disallow other non-fastcgi scripts from access.
|
||||
|
||||
# service httpd restart
|
||||
So for the moin wiki layout described in README.Fedora of the main mod_fcgid
|
||||
package, the contexts would be set as follows:
|
||||
|
||||
ABOUT THE PACKAGE
|
||||
=================
|
||||
cd /var/www/mywiki
|
||||
chcon -t httpd_fastcgi_content_t .
|
||||
chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
|
||||
chcon -R -t httpd_fastcgi_script_rw_t data underlay
|
||||
|
||||
One of the reasons for building this package was to provide an example of how
|
||||
to include a custom SELinux policy module with an RPM package. It's unfortunate
|
||||
that the kludge of having to use restorecon in the post-install script is
|
||||
required but updates to rpm will be necessary before that can be avoided - see:
|
||||
http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00098.html
|
||||
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
||||
or FastCGI scripts:
|
||||
|
||||
An alternative approach (instead of using a loadable policy module) that some
|
||||
people have taken, particularly where the only required policy customisation is
|
||||
for file contexts, is to use semanage to add additional fcontext objects to the
|
||||
running policy. A significant disadvantage of this approach is that it's harder
|
||||
to manage future changes to policy, since all later versions of a package must
|
||||
be able to "undo" the policy fixes (e.g. remove fcontext objects) set up by all
|
||||
earlier versions of the package if there are changes to policy in later
|
||||
versions. Using policy modules makes this very easy, since semodule handles the
|
||||
upgrades very neatly (modules have version numbers).
|
||||
setsebool -P httpd_enable_cgi 1
|
||||
|
||||
If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
|
||||
each other's data. This means that you only need to set the actual FastCGI
|
||||
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
|
||||
contexts for everything else set to the "sys" types if you prefer. This is
|
||||
useful if you have a mixture of CGI and FastCGI applications accessing the
|
||||
same data.
|
||||
|
||||
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
||||
hesitate to bring them up on fedora-selinux-list.
|
||||
|
||||
|
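Review bot: The chcon block for /var/www/mywiki in the new text has no note about persistence, while the contagged text it replaces said "You will need to repeat this step if the filesystem is relabelled." Labels set with chcon are lost on a relabel unless the policy's file contexts cover those paths, so either keep an equivalent sentence after the chcon commands or state that fastcgi.fc already covers this layout. The httpd_unified paragraph could also say plainly that setting the boolean gives up the separation between "sys" and "fastcgi" script data that the types listed above are there to provide.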
@ -11,7 +11,7 @@
|
||||
|
||||
Name: mod_fcgid
|
||||
Version: 1.10
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: Apache2 module for high-performance server-side scripting
|
||||
Group: System Environment/Daemons
|
||||
License: GPL
|
||||
@ -144,6 +144,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Sep 6 2006 Paul Howarth <paul@city-fan.org> 1.10-7
|
||||
- Include the right README* files
|
||||
|
||||
* Tue Aug 29 2006 Paul Howarth <paul@city-fan.org> 1.10-6
|
||||
- Buildreqs for FC5 now identical to buildreqs for FC6 onwards
|
||||
|
||||
|
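Review bot: The 1.10-7 entry "Include the right README* files" does not say what was wrong, and the diff shows the SELinux README previously carried the contagged package's text. Suggest wording the entry so a packager reading the changelog can tell which file was affected, for example that the SELinux README had the wrong content and that the SELinux section moved out of the main README. The spec hunks shown change only Release and %changelog, so it is worth confirming that the documentation file list picks up the corrected files without a further spec change.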