From d69dca6268bf166f42d04778bd36dd2da12aedc5 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 6 Sep 2006 13:47:08 +0000 Subject: [PATCH] Include the right README* files (pesky common filenames...) --- README.Fedora | 62 ------------------------------------- README.SELinux | 83 +++++++++++++++++++++++++++++--------------------- mod_fcgid.spec | 5 ++- 3 files changed, 52 insertions(+), 98 deletions(-) diff --git a/README.Fedora b/README.Fedora index 37c7c27..a5f9dc4 100644 --- a/README.Fedora +++ b/README.Fedora 
@@ -65,65 +65,3 @@ CGI application. service httpd restart That should do it! - -mod_fcgid with SELinux -====================== - -Versions of this package built for Fedora Core 5 or later include an SELinux -policy module to support FastCGI applications. Again, this has only been tested -with moin, so feedback from other applications is welcome. The intention is for -this module to be included in the SELinux reference policy eventually. - -The module source (fastcgi.{fc,te}) is included for reference as documentation -in the package. - -The module introduces a new set of SELinux types for FastCGI applications, -comparable with the types described in "man httpd_selinux" for regular CGI -scripts (or "system scripts" as they are known in SELinux): - - * httpd_fastcgi_content_t (equivalent to httpd_sys_content_t) - - Set files with httpd_fastcgi_content_t for content that is available - from all FastCGI scripts and the daemon. - - * httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t) - - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run - with access to all fastcgi types. - - * httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t) - - Set files with httpd_fastcgi_script_ro_t if you want - httpd_fastcgi_script_exec_t scripts to read the data, and disallow other - non-fastcgi scripts from access. - - * httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t) - - Set files with httpd_fastcgi_script_rw_t if you want - httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow - other non-fastcgi scripts from access. - - * httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t) - - Set files with httpd_fastcgi_script_ra_t if you want - httpd_fastcgi_script_exec_t scripts to read/append to the file, and - disallow other non-fastcgi scripts from access. - -So for the moin wiki layout described above, the contexts would be set as -follows: - - cd /var/www/mywiki - chcon -t httpd_fastcgi_content_t . 
- chcon -R -t httpd_fastcgi_script_exec_t cgi-bin - chcon -R -t httpd_fastcgi_script_rw_t data underlay - -It is necessary to turn on the httpd_enable_cgi boolean to run either regular -or FastCGI scripts: - - setsebool -P httpd_enable_cgi 1 - -If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access -each other's data. This means that you only need to set the actual FastCGI -scripts themselves to httpd_fastcgi_script_exec_t and can leave the file -contexts for everything else set to the "sys" types if you prefer. This is -useful if you have a mixture of CGI and FastCGI applications accessing the -same data. - -If you have any questions or issues regarding FastCGI and SELinux, please don't -hesitate to bring them up on fedora-selinux-list. - diff --git a/README.SELinux b/README.SELinux index 29d03b1..402620c 100644 --- a/README.SELinux +++ b/README.SELinux 
@@ -1,48 +1,61 @@ -CONFIGURING SELINUX FOR CONTAGGED -================================= +Using mod_fcgid with SELinux in Fedora Core 5 onwards +===================================================== -The contagged RPM package for Fedora Core 5 and later includes a policy module -that ensures that all files required by the application get the correct -SELinux file contexts. +Versions of this package built for Fedora Core 5 or later include an SELinux +policy module to support FastCGI applications. This has only been tested so far +with moin, so feedback from other applications is welcome. The intention is for +this module to be included in the SELinux reference policy eventually. -However, there are a few SELinux booleans you need to set in order to use -contagged: +The module source (fastcgi.{fc,te}) is included for reference as documentation +in the package. -# setsebool -P httpd_builtin_scripting 1 -# setsebool -P httpd_enable_cgi 1 -# setsebool -P httpd_unified 1 +The module introduces a new set of SELinux types for FastCGI applications, +comparable with the types described in "man httpd_selinux" for regular CGI +scripts (or "system scripts" as they are known in SELinux): -It is necessary to set these booleans because contagged is a PHP application. -It is not necessary to set the httpd_can_network_connect boolean because the -web server is allowed to connect to LDAP servers by default. + * httpd_fastcgi_content_t (equivalent to httpd_sys_content_t) + - Set files with httpd_fastcgi_content_t for content that is available + from all FastCGI scripts and the daemon. -If you are using an older distribution that does not support SELinux policy -modules, you will need to set the file contexts manually: + * httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t) + - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run + with access to all fastcgi types. 
-# chcon -R -t httpd_cache_t /var/cache/contagged + * httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t) + - Set files with httpd_fastcgi_script_ro_t if you want + httpd_fastcgi_script_exec_t scripts to read the data, and disallow other + non-fastcgi scripts from access. -You will need to repeat this step if the filesystem is relabelled. + * httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t) + - Set files with httpd_fastcgi_script_rw_t if you want + httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow + other non-fastcgi scripts from access. -Once the configuration is set up as required, restart httpd: + * httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t) + - Set files with httpd_fastcgi_script_ra_t if you want + httpd_fastcgi_script_exec_t scripts to read/append to the file, and + disallow other non-fastcgi scripts from access. -# service httpd restart +So for the moin wiki layout described in README.Fedora of the main mod_fcgid +package, the contexts would be set as follows: -ABOUT THE PACKAGE -================= + cd /var/www/mywiki + chcon -t httpd_fastcgi_content_t . + chcon -R -t httpd_fastcgi_script_exec_t cgi-bin + chcon -R -t httpd_fastcgi_script_rw_t data underlay -One of the reasons for building this package was to provide an example of how -to include a custom SELinux policy module with an RPM package. 
It's unfortunate -that the kludge of having to use restorecon in the post-install script is -required but updates to rpm will be necessary before that can be avoided - see: -http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00098.html +It is necessary to turn on the httpd_enable_cgi boolean to run either regular +or FastCGI scripts: -An alternative approach (instead of using a loadable policy module) that some -people have taken, particularly where the only required policy customisation is -for file contexts, is to use semanage to add additional fcontext objects to the -running policy. A significant disadvantage of this approach is that it's harder -to manage future changes to policy, since all later versions of a package must -be able to "undo" the policy fixes (e.g. remove fcontext objects) set up by all -earlier versions of the package if there are changes to policy in later -versions. Using policy modules makes this very easy, since semodule handles the -upgrades very neatly (modules have version numbers). + setsebool -P httpd_enable_cgi 1 + +If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access +each other's data. This means that you only need to set the actual FastCGI +scripts themselves to httpd_fastcgi_script_exec_t and can leave the file +contexts for everything else set to the "sys" types if you prefer. This is +useful if you have a mixture of CGI and FastCGI applications accessing the +same data. + +If you have any questions or issues regarding FastCGI and SELinux, please don't +hesitate to bring them up on fedora-selinux-list. diff --git a/mod_fcgid.spec b/mod_fcgid.spec index e6345d0..c1440e3 100644 --- a/mod_fcgid.spec +++ b/mod_fcgid.spec @@ -11,7 +11,7 @@ Name: mod_fcgid Version: 1.10 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Apache2 module for high-performance server-side scripting Group: System Environment/Daemons License: GPL 
@@ -144,6 +144,9 @@ fi %endif %changelog +* Wed Sep 6 2006 Paul Howarth 1.10-7 +- Include the right README* files + * Tue Aug 29 2006 Paul Howarth 1.10-6 - Buildreqs for FC5 now identical to buildreqs for FC6 onwards
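Review bot: In the README.Fedora hunk, the file now ends at "That should do it!" with no mention of SELinux, so a reader following it gets no hint that the FastCGI types and the httpd_enable_cgi boolean are needed. The new README.SELinux points back to README.Fedora for the moin layout, but nothing points the other way. Consider leaving a one-line reference to README.SELinux where the section was removed.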
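Review bot: In the README.SELinux hunk, the chcon example for /var/www/mywiki loses the caveat that the replaced text carried ("You will need to repeat this step if the filesystem is relabelled."), and it applies here as well: contexts set with chcon are not recorded in the policy's file-context configuration, so a relabel or restorecon resets them. Suggest adding that sentence after the chcon block. The httpd_unified paragraph could also state that setting the boolean gives up the separation between "sys" and "fastcgi" script data that the new types provide.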
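Review bot: In the %changelog hunk of mod_fcgid.spec, "Include the right README* files" does not say what was wrong. Judging by the README.SELinux hunk, the previous file was the contagged package's SELinux README, so the entry could say that README.SELinux in 1.10-6 described a different package and has been replaced with the mod_fcgid text. The spec diff touches only Release and %changelog, so it is also worth confirming that the existing %doc and Source lines already name both README files.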