rpms/mod_fcgid/devel fastcgi.te, 1.1, 1.2 mod_fcgid-2.1-README.SELinux, 1.1, 1.2
Paul Howarth (pghmcfc)
fedora-extras-commits at redhat.com
Fri Jun 15 17:10:14 UTC 2007
Author: pghmcfc
Update of /cvs/pkgs/rpms/mod_fcgid/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4351
Modified Files:
fastcgi.te mod_fcgid-2.1-README.SELinux
Log Message:
Forgot a couple of doc updates...
Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/fastcgi.te,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- fastcgi.te 6 Sep 2006 13:08:59 -0000 1.1
+++ fastcgi.te 15 Jun 2007 17:09:39 -0000 1.2
@@ -1,4 +1,4 @@
-policy_module(fastcgi, 0.1.6)
+policy_module(fastcgi, 0.1.7)
type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)
@@ -19,6 +19,18 @@
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
+## <desc>
+## <p>
+## Allow FastCGI applications to make outbound SMTP connections
+## </p>
+## </desc>
+gen_tunable(httpd_fastcgi_can_sendmail,false)
+
+tunable_policy(`httpd_fastcgi_can_sendmail',`
+ corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
+ corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
+')
+
# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)
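Review bot: The tunable name httpd_fastcgi_can_sendmail promises more than the tunable_policy block grants. Only corenet_tcp_connect_smtp_port and corenet_tcp_sendrecv_smtp_port are allowed for httpd_fastcgi_script_t, which is direct TCP to the SMTP port; an application that hands mail to a local sendmail binary gets nothing from these two lines. The <desc> text ("outbound SMTP connections") is accurate, so either add a sentence there saying that executing a local mailer is not covered, or choose a name that says network access. Defaulting to false is the right call.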
@@ -55,9 +67,14 @@
dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
+fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+
files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
+
ifdef(`distro_redhat',`
allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')
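Review bot: apache_domtrans_rotatelogs(httpd_fastcgi_script_t) is granted unconditionally even though the comment directly above it asks "Should we add a boolean?". As written, every FastCGI script domain gains the transition to rotatelogs whether or not the application pipes its logs. I would wrap it in a tunable_policy block defaulting to false, as httpd_fastcgi_can_sendmail is handled earlier in this file, and settle the question in the comment before committing. fs_search_auto_mountpoints is also added with no comment saying which application needed it.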
@@ -68,8 +85,22 @@
')
')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_fastcgi_script_t)
+ fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_fastcgi_script_t)
+ fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+')
+
optional_policy(`
mysql_stream_connect(httpd_fastcgi_script_t)
mysql_rw_db_sockets(httpd_fastcgi_script_t)
')
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_fastcgi_script_t)
+')
+
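Review bot: clamav_domtrans_clamscan(httpd_fastcgi_script_t) sits in a bare optional_policy block, so whenever the clamav policy is present every FastCGI application may transition to clamscan, with no boolean to switch it off. The two home-directory blocks just above it are gated on httpd_enable_homedirs together with use_nfs_home_dirs or use_samba_home_dirs; the clamscan transition deserves the same treatment (a tunable inside the optional_policy, default false) plus a comment naming the application that needs it.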
Index: mod_fcgid-2.1-README.SELinux
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/devel/mod_fcgid-2.1-README.SELinux,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_fcgid-2.1-README.SELinux 16 Feb 2007 14:20:03 -0000 1.1
+++ mod_fcgid-2.1-README.SELinux 15 Jun 2007 17:09:39 -0000 1.2
@@ -1,10 +1,11 @@
-Using mod_fcgid with SELinux in Fedora Core 5 onwards
-=====================================================
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+==============================================================
-Versions of this package built for Fedora Core 5 or later include an SELinux
-policy module to support FastCGI applications. This has only been tested so far
-with moin, so feedback from other applications is welcome. The intention is for
-this module to be included in the SELinux reference policy eventually.
+Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
+or later include an SELinux policy module to support FastCGI applications.
+This has only been tested so far with moin, so feedback from other applications
+is welcome. The intention is for this module to be included in the SELinux
+reference policy eventually.
The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.
@@ -36,7 +37,7 @@
httpd_fastcgi_script_exec_t scripts to read/append to the file, and
disallow other non-fastcgi scripts from access.
-So for the moin wiki layout described in README.Fedora of the main mod_fcgid
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
package, the contexts would be set as follows:
cd /var/www/mywiki
@@ -56,6 +57,16 @@
useful if you have a mixture of CGI and FastCGI applications accessing the
same data.
+The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
+FastCGI applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+ setsebool -P httpd_fastcgi_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your FastCGI applications could be
+exploited by a spammer.
+
If you have any questions or issues regarding FastCGI and SELinux, please don't
hesitate to bring them up on fedora-selinux-list.
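Review bot: The new README paragraph documents only httpd_fastcgi_can_sendmail, while revision 1.2 of fastcgi.te in this same commit also adds the rotatelogs and clamscan transitions and the NFS/CIFS home-directory reads that depend on httpd_enable_homedirs with use_nfs_home_dirs or use_samba_home_dirs. A sentence on each would tell administrators which existing booleans now affect FastCGI scripts and which new permissions are always on. Next to the enable command it would also help to show the reverse, setsebool -P httpd_fastcgi_can_sendmail 0, so the advice to enable it only when needed is easy to act on.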