|
Packit |
d68d13 |
Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
|
|
Packit |
d68d13 |
==============================================================
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
|
|
Packit |
d68d13 |
policy module to support FastCGI applications. Later Fedora releases and Red
|
|
Packit |
d68d13 |
Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
|
|
Packit |
d68d13 |
package and do not require the separate module.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
The module source (fastcgi.{fc,te}) is included for reference as documentation
|
|
Packit |
d68d13 |
in the package.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
The module uses the same set of SELinux types for FastCGI applications as for
|
|
Packit |
d68d13 |
regular CGI scripts (or "system scripts" as they are known in SELinux), as
|
|
Packit |
d68d13 |
described in "man httpd_selinux".
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
* httpd_sys_content_t
|
|
Packit |
d68d13 |
- Set files with httpd_sys_content_t for content that is available
|
|
Packit |
d68d13 |
from all FastCGI scripts and the daemon.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
* httpd_sys_script_exec_t
|
|
Packit |
d68d13 |
- Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
|
|
Packit |
d68d13 |
with access to all system script types.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
* httpd_sys_script_ro_t
|
|
Packit |
d68d13 |
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
|
|
Packit |
d68d13 |
scripts to read but not write the data, and disallow other processes from
|
|
Packit |
d68d13 |
access.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
* httpd_sys_script_rw_t
|
|
Packit |
d68d13 |
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
|
|
Packit |
d68d13 |
scripts to read/write the data, and disallow other processes from access.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
* httpd_sys_script_ra_t
|
|
Packit |
d68d13 |
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
|
|
Packit |
d68d13 |
scripts to read/append to the file, and disallow other processes from
|
|
Packit |
d68d13 |
access.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
So for the moin wiki layout described in README.RPM of the main mod_fcgid
|
|
Packit |
d68d13 |
package, the contexts would be set as follows:
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
cd /var/www/mywiki
|
|
Packit |
d68d13 |
chcon -t httpd_sys_content_t .
|
|
Packit |
d68d13 |
chcon -R -t httpd_sys_script_exec_t cgi-bin
|
|
Packit |
d68d13 |
chcon -R -t httpd_sys_script_rw_t data underlay
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
It is necessary to turn on the httpd_enable_cgi boolean to run either regular
|
|
Packit |
d68d13 |
or FastCGI scripts:
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
setsebool -P httpd_enable_cgi 1
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
The httpd_can_sendmail boolean is used to specify whether any of your
|
|
Packit |
d68d13 |
web applications can make outbound SMTP connections (e.g. moin sending
|
|
Packit |
d68d13 |
notifications). By default it is off, but can be enabled as follows:
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
setsebool -P httpd_can_sendmail 1
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
Only enable this functionality if you actually need it, since it increases the
|
|
Packit |
d68d13 |
chances that any vulnerability in any of your web applications could be
|
|
Packit |
d68d13 |
exploited by a spammer.
|
|
Packit |
d68d13 |
|
|
Packit |
d68d13 |
If you have any questions or issues regarding FastCGI and SELinux, please don't
|
|
Packit |
d68d13 |
hesitate to bring them up on fedora-selinux-list.
|
|
Packit |
d68d13 |
|