Include the right README* files (pesky common filenames...)
parent dbeb0027f8
commit d69dca6268
@ -65,65 +65,3 @@ CGI application.
|
|||||||
service httpd restart
|
service httpd restart
|
||||||
|
|
||||||
That should do it!
|
That should do it!
|
||||||
|
|
||||||
mod_fcgid with SELinux
|
|
||||||
======================
|
|
||||||
|
|
||||||
Versions of this package built for Fedora Core 5 or later include an SELinux
|
|
||||||
policy module to support FastCGI applications. Again, this has only been tested
|
|
||||||
with moin, so feedback from other applications is welcome. The intention is for
|
|
||||||
this module to be included in the SELinux reference policy eventually.
|
|
||||||
|
|
||||||
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
|
||||||
in the package.
|
|
||||||
|
|
||||||
The module introduces a new set of SELinux types for FastCGI applications,
|
|
||||||
comparable with the types described in "man httpd_selinux" for regular CGI
|
|
||||||
scripts (or "system scripts" as they are known in SELinux):
|
|
||||||
|
|
||||||
* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
|
|
||||||
- Set files with httpd_fastcgi_content_t for content that is available
|
|
||||||
from all FastCGI scripts and the daemon.
|
|
||||||
|
|
||||||
* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
|
|
||||||
- Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
|
|
||||||
with access to all fastcgi types.
|
|
||||||
|
|
||||||
* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
|
|
||||||
- Set files with httpd_fastcgi_script_ro_t if you want
|
|
||||||
httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
|
|
||||||
non-fastcgi scripts from access.
|
|
||||||
|
|
||||||
* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
|
|
||||||
- Set files with httpd_fastcgi_script_rw_t if you want
|
|
||||||
httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
|
|
||||||
other non-fastcgi scripts from access.
|
|
||||||
|
|
||||||
* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
|
|
||||||
- Set files with httpd_fastcgi_script_ra_t if you want
|
|
||||||
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
|
|
||||||
disallow other non-fastcgi scripts from access.
|
|
||||||
|
|
||||||
So for the moin wiki layout described above, the contexts would be set as
|
|
||||||
follows:
|
|
||||||
|
|
||||||
cd /var/www/mywiki
|
|
||||||
chcon -t httpd_fastcgi_content_t .
|
|
||||||
chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
|
|
||||||
chcon -R -t httpd_fastcgi_script_rw_t data underlay
|
|
||||||
|
|
||||||
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
|
||||||
or FastCGI scripts:
|
|
||||||
|
|
||||||
setsebool -P httpd_enable_cgi 1
|
|
||||||
|
|
||||||
If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
|
|
||||||
each other's data. This means that you only need to set the actual FastCGI
|
|
||||||
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
|
|
||||||
contexts for everything else set to the "sys" types if you prefer. This is
|
|
||||||
useful if you have a mixture of CGI and FastCGI applications accessing the
|
|
||||||
same data.
|
|
||||||
|
|
||||||
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
|
||||||
hesitate to bring them up on fedora-selinux-list.
|
|
||||||
|
|
||||||
|
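Review bot: Removing the "mod_fcgid with SELinux" section leaves this README ending at "That should do it!" with no pointer to where the SELinux guidance now lives. A reader on an enforcing system who follows this file alone will never label cgi-bin as httpd_fastcgi_script_exec_t or turn on httpd_enable_cgi. Suggest keeping one line after the restart step that refers to the file now carrying the section titled "Using mod_fcgid with SELinux in Fedora Core 5 onwards".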
@ -1,48 +1,61 @@
|
|||||||
CONFIGURING SELINUX FOR CONTAGGED
|
Using mod_fcgid with SELinux in Fedora Core 5 onwards
|
||||||
=================================
|
=====================================================
|
||||||
|
|
||||||
The contagged RPM package for Fedora Core 5 and later includes a policy module
|
Versions of this package built for Fedora Core 5 or later include an SELinux
|
||||||
that ensures that all files required by the application get the correct
|
policy module to support FastCGI applications. This has only been tested so far
|
||||||
SELinux file contexts.
|
with moin, so feedback from other applications is welcome. The intention is for
|
||||||
|
this module to be included in the SELinux reference policy eventually.
|
||||||
|
|
||||||
However, there are a few SELinux booleans you need to set in order to use
|
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
||||||
contagged:
|
in the package.
|
||||||
|
|
||||||
# setsebool -P httpd_builtin_scripting 1
|
The module introduces a new set of SELinux types for FastCGI applications,
|
||||||
# setsebool -P httpd_enable_cgi 1
|
comparable with the types described in "man httpd_selinux" for regular CGI
|
||||||
# setsebool -P httpd_unified 1
|
scripts (or "system scripts" as they are known in SELinux):
|
||||||
|
|
||||||
It is necessary to set these booleans because contagged is a PHP application.
|
* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
|
||||||
It is not necessary to set the httpd_can_network_connect boolean because the
|
- Set files with httpd_fastcgi_content_t for content that is available
|
||||||
web server is allowed to connect to LDAP servers by default.
|
from all FastCGI scripts and the daemon.
|
||||||
|
|
||||||
If you are using an older distribution that does not support SELinux policy
|
* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
|
||||||
modules, you will need to set the file contexts manually:
|
- Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
|
||||||
|
with access to all fastcgi types.
|
||||||
|
|
||||||
# chcon -R -t httpd_cache_t /var/cache/contagged
|
* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
|
||||||
|
- Set files with httpd_fastcgi_script_ro_t if you want
|
||||||
|
httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
|
||||||
|
non-fastcgi scripts from access.
|
||||||
|
|
||||||
You will need to repeat this step if the filesystem is relabelled.
|
* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
|
||||||
|
- Set files with httpd_fastcgi_script_rw_t if you want
|
||||||
|
httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
|
||||||
|
other non-fastcgi scripts from access.
|
||||||
|
|
||||||
Once the configuration is set up as required, restart httpd:
|
* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
|
||||||
|
- Set files with httpd_fastcgi_script_ra_t if you want
|
||||||
|
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
|
||||||
|
disallow other non-fastcgi scripts from access.
|
||||||
|
|
||||||
# service httpd restart
|
So for the moin wiki layout described in README.Fedora of the main mod_fcgid
|
||||||
|
package, the contexts would be set as follows:
|
||||||
|
|
||||||
ABOUT THE PACKAGE
|
cd /var/www/mywiki
|
||||||
=================
|
chcon -t httpd_fastcgi_content_t .
|
||||||
|
chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
|
||||||
|
chcon -R -t httpd_fastcgi_script_rw_t data underlay
|
||||||
|
|
||||||
One of the reasons for building this package was to provide an example of how
|
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
||||||
to include a custom SELinux policy module with an RPM package. It's unfortunate
|
or FastCGI scripts:
|
||||||
that the kludge of having to use restorecon in the post-install script is
|
|
||||||
required but updates to rpm will be necessary before that can be avoided - see:
|
|
||||||
http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00098.html
|
|
||||||
|
|
||||||
An alternative approach (instead of using a loadable policy module) that some
|
setsebool -P httpd_enable_cgi 1
|
||||||
people have taken, particularly where the only required policy customisation is
|
|
||||||
for file contexts, is to use semanage to add additional fcontext objects to the
|
If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
|
||||||
running policy. A significant disadvantage of this approach is that it's harder
|
each other's data. This means that you only need to set the actual FastCGI
|
||||||
to manage future changes to policy, since all later versions of a package must
|
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
|
||||||
be able to "undo" the policy fixes (e.g. remove fcontext objects) set up by all
|
contexts for everything else set to the "sys" types if you prefer. This is
|
||||||
earlier versions of the package if there are changes to policy in later
|
useful if you have a mixture of CGI and FastCGI applications accessing the
|
||||||
versions. Using policy modules makes this very easy, since semodule handles the
|
same data.
|
||||||
upgrades very neatly (modules have version numbers).
|
|
||||||
|
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
||||||
|
hesitate to bring them up on fedora-selinux-list.
|
||||||
|
|
||||||
|
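Review bot: The chcon block in the new text ("chcon -t httpd_fastcgi_content_t ." through "chcon -R -t httpd_fastcgi_script_rw_t data underlay") drops the caveat the replaced text carried for its own chcon step: "You will need to repeat this step if the filesystem is relabelled." Labels applied with chcon are not recorded in the policy's file-context configuration, so a filesystem relabel can revert them and the FastCGI scripts then lose access under enforcing mode; suggest restating that caveat after the chcon lines. The httpd_unified paragraph could also say that setting the boolean gives up the separation between "sys" and "fastcgi" script data that the new types exist to provide.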
@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
Name: mod_fcgid
|
Name: mod_fcgid
|
||||||
Version: 1.10
|
Version: 1.10
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
Summary: Apache2 module for high-performance server-side scripting
|
Summary: Apache2 module for high-performance server-side scripting
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: GPL
|
License: GPL
|
||||||
@ -144,6 +144,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 6 2006 Paul Howarth <paul@city-fan.org> 1.10-7
|
||||||
|
- Include the right README* files
|
||||||
|
|
||||||
* Tue Aug 29 2006 Paul Howarth <paul@city-fan.org> 1.10-6
|
* Tue Aug 29 2006 Paul Howarth <paul@city-fan.org> 1.10-6
|
||||||
- Buildreqs for FC5 now identical to buildreqs for FC6 onwards
|
- Buildreqs for FC5 now identical to buildreqs for FC6 onwards
|
||||||
|
|
||||||
|
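Review bot: The 1.10-7 entry "- Include the right README* files" does not say what was wrong, and the other hunks show it matters: the file replaced in this commit held the SELinux instructions for the contagged package rather than for mod_fcgid. Suggest naming that in the entry, since the old text told readers to set httpd_builtin_scripting and httpd_unified, and anyone who followed it should re-check those booleans against the mod_fcgid guidance.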