66 lines
2.6 KiB
Plaintext
66 lines
2.6 KiB
Plaintext
Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
|
|
==============================================================
|
|
|
|
Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
|
|
or later include an SELinux policy module to support FastCGI applications.
|
|
This has only been tested so far with moin, so feedback from other applications
|
|
is welcome. The policy included here is a transitional policy that will soon
|
|
be included in the selinux-policy package for Fedora 8 onwards, and the
|
|
mod_fcgid-selinux package will be obsoleted when that happens.
|
|
|
|
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
|
in the package.
|
|
|
|
The module uses the same set of SELinux types for FastCGI applications as for
|
|
regular CGI scripts (or "system scripts" as they are known in SELinux), as
|
|
described in "man httpd_selinux".
|
|
|
|
* httpd_sys_content_t
|
|
- Set files with httpd_sys_content_t for content that is available
|
|
from all FastCGI scripts and the daemon.
|
|
|
|
* httpd_sys_script_exec_t
|
|
- Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
|
|
with access to all system script types.
|
|
|
|
* httpd_sys_script_ro_t
|
|
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
|
|
scripts to read but not write the data, and disallow other processes from
|
|
access.
|
|
|
|
* httpd_sys_script_rw_t
|
|
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
|
|
scripts to read/write the data, and disallow other processes from access.
|
|
|
|
* httpd_sys_script_ra_t
|
|
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
|
|
scripts to read/append to the file, and disallow other processes from
|
|
access.
|
|
|
|
So for the moin wiki layout described in README.RPM of the main mod_fcgid
|
|
package, the contexts would be set as follows:
|
|
|
|
cd /var/www/mywiki
|
|
chcon -t httpd_sys_content_t .
|
|
chcon -R -t httpd_sys_script_exec_t cgi-bin
|
|
chcon -R -t httpd_sys_script_rw_t data underlay
|
|
|
|
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
|
or FastCGI scripts:
|
|
|
|
setsebool -P httpd_enable_cgi 1
|
|
|
|
The httpd_can_sendmail boolean is used to specify whether any of your
|
|
web applications can make outbound SMTP connections (e.g. moin sending
|
|
notifications). By default it is off, but can be enabled as follows:
|
|
|
|
setsebool -P httpd_can_sendmail 1
|
|
|
|
Only enable this functionality if you actually need it, since it increases the
|
|
chances that any vulnerability in any of your web applications could be
|
|
exploited by a spammer.
|
|
|
|
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
|
hesitate to bring them up on fedora-selinux-list.
|
|
|