5ad8ddb38d
- Upstream moved to apache.org
- License changed to ASL 2.0
- Configuration directives have all been renamed - use fixconf.sed script
to fix if necessary
- Lots of documentation changes
- Renumber sources
- Don't defer to mod_fastcgi if both are present
- Build SELinux policy module for EL-5; support in EL-5.3 is incomplete and
will be fixed in EL-5.5 (#519369)
- Drop aliases httpd_sys_content_r{a,o,w}_t ->
httpd_fastcgi_content_r{a,o,w}_t from pre-2.5 SElinux policy module as
these types aren't defined there
- Drop gawk buildreq
64 lines
2.4 KiB
Plaintext
64 lines
2.4 KiB
Plaintext
Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
|
|
==============================================================
|
|
|
|
Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
|
|
policy module to support FastCGI applications. Later Fedora releases and Red
|
|
Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
|
|
package and do not require the separate module.
|
|
|
|
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
|
in the package.
|
|
|
|
The module uses the same set of SELinux types for FastCGI applications as for
|
|
regular CGI scripts (or "system scripts" as they are known in SELinux), as
|
|
described in "man httpd_selinux".
|
|
|
|
* httpd_sys_content_t
|
|
- Set files with httpd_sys_content_t for content that is available
|
|
from all FastCGI scripts and the daemon.
|
|
|
|
* httpd_sys_script_exec_t
|
|
- Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
|
|
with access to all system script types.
|
|
|
|
* httpd_sys_script_ro_t
|
|
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
|
|
scripts to read but not write the data, and disallow other processes from
|
|
access.
|
|
|
|
* httpd_sys_script_rw_t
|
|
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
|
|
scripts to read/write the data, and disallow other processes from access.
|
|
|
|
* httpd_sys_script_ra_t
|
|
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
|
|
scripts to read/append to the file, and disallow other processes from
|
|
access.
|
|
|
|
So for the moin wiki layout described in README.RPM of the main mod_fcgid
|
|
package, the contexts would be set as follows:
|
|
|
|
cd /var/www/mywiki
|
|
chcon -t httpd_sys_content_t .
|
|
chcon -R -t httpd_sys_script_exec_t cgi-bin
|
|
chcon -R -t httpd_sys_script_rw_t data underlay
|
|
|
|
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
|
or FastCGI scripts:
|
|
|
|
setsebool -P httpd_enable_cgi 1
|
|
|
|
The httpd_can_sendmail boolean is used to specify whether any of your
|
|
web applications can make outbound SMTP connections (e.g. moin sending
|
|
notifications). By default it is off, but can be enabled as follows:
|
|
|
|
setsebool -P httpd_can_sendmail 1
|
|
|
|
Only enable this functionality if you actually need it, since it increases the
|
|
chances that any vulnerability in any of your web applications could be
|
|
exploited by a spammer.
|
|
|
|
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
|
hesitate to bring them up on fedora-selinux-list.
|
|
|