rpms/mod_fcgid/EL-5 fastcgi-2.5.te, 1.2, 1.3 fastcgi.fc, 1.2, 1.3 fastcgi.te, 1.3, 1.4 mod_fcgid-2.1-README.RPM, 1.1, 1.2 mod_fcgid-2.1-README.SELinux, 1.2, 1.3 mod_fcgid.spec, 1.6, 1.7

Tue Apr 7 09:50:55 UTC 2009

Author: pghmcfc

Update of /cvs/pkgs/rpms/mod_fcgid/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1303

Modified Files:
	fastcgi-2.5.te fastcgi.fc fastcgi.te mod_fcgid-2.1-README.RPM 
	mod_fcgid-2.1-README.SELinux mod_fcgid.spec 
Log Message:
Merge changes from Fedora since EL 5.3 now contains merged fastcgi SELinux policy


Index: fastcgi-2.5.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/EL-5/fastcgi-2.5.te,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3

--- fastcgi-2.5.te	27 Apr 2008 22:52:57 -0000	1.2
+++ fastcgi-2.5.te	7 Apr 2009 09:50:24 -0000	1.3
@@ -1,131 +1,63 @@
-policy_module(fastcgi, 0.2.2)
+# This policy module provides support for mod_fcgid using the httpd system script domain.
+# It provides "allow" rules that will overlap to varying degrees with selinux-policy
+# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
+# as updates for selinux-policy in Fedora 8, 9, and 10.
+#
+# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
+#
+# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
+# which is now an alias for httpd_sys_script_t.
 
-type httpd_fastcgi_var_run_t;
-files_type(httpd_fastcgi_var_run_t)
+policy_module(fastcgi, 0.2.6)
 
 require {
 	type devpts_t;
 	type httpd_t;
-	type httpd_config_t;
 	type httpd_log_t;
-	type httpd_sys_script_exec_t;
 	type httpd_sys_content_t;
+	type httpd_sys_content_ra_t;
+	type httpd_sys_content_ro_t;
+	type httpd_sys_content_rw_t;
+	type httpd_sys_script_exec_t;
+	type httpd_sys_script_ra_t;
+	type httpd_sys_script_ro_t;
+	type httpd_sys_script_rw_t;
+	type httpd_sys_script_t;
 	type httpd_tmp_t;
+	type httpd_var_run_t;
 };
 
+# Type aliases for contexts used with older policy modules
+typealias httpd_sys_content_t     alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_ra_t  alias httpd_fastcgi_content_ra_t;
+typealias httpd_sys_content_ro_t  alias httpd_fastcgi_content_ro_t;
+typealias httpd_sys_content_rw_t  alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
+
 # ==========================================================
-# Create and use httpd_fastcgi_script_t for mod_fcgid apps
+# Re-use httpd_sys_script_t for mod_fcgid apps
 # ==========================================================
 
-apache_content_template(fastcgi)
-kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
-
-## <desc>
-## <p>
-## Allow FastCGI applications to write to public content 
-## </p>
-## </desc>
-gen_tunable(allow_httpd_fastcgi_script_anon_write,false)
-
-## <desc>
-## <p>
-## Allow FastCGI applications to make outbound SMTP connections
-## </p>
-## </desc>
-gen_tunable(httpd_fastcgi_can_sendmail,false)
-
-tunable_policy(`allow_httpd_fastcgi_script_anon_write',`
-	miscfiles_manage_public_files(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_fastcgi_can_sendmail',`
-	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
-')
-
-# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_fastcgi_script_t)
-
-# Allow FastCGI applications to live alongside regular CGI apps
-allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
-allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
-
-# Allow FastCGI applications to read the routing table
-allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
 
 # Allow httpd to create and use files and sockets for communicating with mod_fcgid
-manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
-manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
-setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
-
-# Allow httpd to read httpd_fastcgi_content_t
-allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
-read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
+# Rules to do this are already in selinux-policy apart from dir setattr
+setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
 
 # Allow FastCGI applications to listen for FastCGI requests on their
 # sockets and respond to them
-allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
 
 # These are probably leaked file descriptors
 dontaudit httpd_t devpts_t:chr_file ioctl;
-dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
-
-# ======================================================
-# Equivalent policy cribbed from httpd_sys_script_t
-# ======================================================
-
-dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
-
-fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
 
 # PHP uploads a file to /tmp and then execs programs to action them
-manage_dirs_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t)
-manage_files_pattern(httpd_fastcgi_script_t,httpd_tmp_t,httpd_tmp_t)
-files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-files_search_var_lib(httpd_fastcgi_script_t)
-files_search_spool(httpd_fastcgi_script_t)
-
-# Should we add a boolean?
-apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
-
-ifdef(`distro_redhat',`
-	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
-')
-
-ifdef(`targeted_policy',`
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
-	')
-')
-
-tunable_policy(`httpd_use_nfs', `
-	fs_read_nfs_files(httpd_fastcgi_script_t)
-	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_read_nfs_files(httpd_fastcgi_script_t)
-	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_use_cifs', `
-	fs_read_cifs_files(httpd_fastcgi_script_t)
-	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_read_cifs_files(httpd_fastcgi_script_t)
-	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(httpd_fastcgi_script_t)
-	mysql_rw_db_sockets(httpd_fastcgi_script_t)
-')
-
-optional_policy(`
-	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
-')
-
+# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })


Index: fastcgi.fc
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/EL-5/fastcgi.fc,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- fastcgi.fc	27 Apr 2008 22:52:57 -0000	1.2
+++ fastcgi.fc	7 Apr 2009 09:50:24 -0000	1.3
@@ -1 +1 @@
-/var/run/mod_fcgid(/.*)?		 gen_context(system_u:object_r:httpd_fastcgi_var_run_t,s0)
+/var/run/mod_fcgid(/.*)?		 gen_context(system_u:object_r:httpd_var_run_t,s0)


Index: fastcgi.te
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/EL-5/fastcgi.te,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- fastcgi.te	27 Apr 2008 22:52:57 -0000	1.3
+++ fastcgi.te	7 Apr 2009 09:50:24 -0000	1.4
@@ -1,111 +1,77 @@
-policy_module(fastcgi, 0.1.9)
+# This policy module provides support for mod_fcgid using the httpd system script domain.
+# It provides "allow" rules that will overlap to varying degrees with selinux-policy
+# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
+# as updates for selinux-policy in Fedora 8, 9, and 10.
+#
+# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
+#
+# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
+# which is now an alias for httpd_sys_script_t.
 
-type httpd_fastcgi_var_run_t;
-files_type(httpd_fastcgi_var_run_t)
+policy_module(fastcgi, 0.1.10)
 
 require {
 	type devpts_t;
 	type httpd_t;
-	type httpd_config_t;
 	type httpd_log_t;
-	type httpd_sys_script_exec_t;
 	type httpd_sys_content_t;
+	type httpd_sys_content_ra_t;
+	type httpd_sys_content_ro_t;
+	type httpd_sys_content_rw_t;
+	type httpd_sys_script_exec_t;
+	type httpd_sys_script_ra_t;
+	type httpd_sys_script_ro_t;
+	type httpd_sys_script_rw_t;
+	type httpd_sys_script_t;
 	type httpd_tmp_t;
+	type httpd_var_run_t;
 };
 
+# Type aliases for contexts used with older policy modules
+typealias httpd_sys_content_t     alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_ra_t  alias httpd_fastcgi_content_ra_t;
+typealias httpd_sys_content_ro_t  alias httpd_fastcgi_content_ro_t;
+typealias httpd_sys_content_rw_t  alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
+
 # ==========================================================
-# Create and use httpd_fastcgi_script_t for mod_fcgid apps
+# Re-use httpd_sys_script_t for mod_fcgid apps
 # ==========================================================
 
-apache_content_template(fastcgi)
-kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
-
-## <desc>
-## <p>
-## Allow FastCGI applications to make outbound SMTP connections
-## </p>
-## </desc>
-gen_tunable(httpd_fastcgi_can_sendmail,false)
-
-tunable_policy(`httpd_fastcgi_can_sendmail',`
-	corenet_tcp_connect_smtp_port(httpd_fastcgi_script_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_fastcgi_script_t)
-')
-
-# Allow FastCGI applications to do DNS lookups
-sysnet_dns_name_resolve(httpd_fastcgi_script_t)
-
-# Allow FastCGI applications to live alongside regular CGI apps
-allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
-allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
-
-# Allow FastCGI applications to read the routing table
-allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
 
 # Allow httpd to create and use files and sockets for communicating with mod_fcgid
-allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };
-allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };
-allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };
-
-# Allow httpd to read httpd_fastcgi_content_t
-# (shouldn't this be in the content template?)
-allow httpd_t httpd_fastcgi_content_t:dir r_dir_perms;
-allow httpd_t httpd_fastcgi_content_t:file r_file_perms;
-allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };
+# Rules to do this are already in selinux-policy apart from dir setattr
+allow httpd_t httpd_var_run_t:dir setattr;
 
 # Allow FastCGI applications to listen for FastCGI requests on their
 # sockets and respond to them
-allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
 
 # These are probably leaked file descriptors
 dontaudit httpd_t devpts_t:chr_file ioctl;
-dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
-
-# ======================================================
-# Equivalent policy cribbed from httpd_sys_script_t
-# ======================================================
+dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
 
-dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;
-
-fs_search_auto_mountpoints(httpd_fastcgi_script_t)
+# Search automount filesystem to use automatically mounted filesystems
+fs_search_auto_mountpoints(httpd_sys_script_t)
 
 # PHP uploads a file to /tmp and then execs programs to action them
-allow httpd_fastcgi_script_t httpd_tmp_t:dir manage_dir_perms;
-allow httpd_fastcgi_script_t httpd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(httpd_fastcgi_script_t,httpd_fastcgi_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-
-files_search_var_lib(httpd_fastcgi_script_t)
-files_search_spool(httpd_fastcgi_script_t)
-
-# Should we add a boolean?
-apache_domtrans_rotatelogs(httpd_fastcgi_script_t)
-
-ifdef(`distro_redhat',`
-	allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
-')
-
-ifdef(`targeted_policy',`
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
-	')
-')
+allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
+allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
 
+# Support network home directories
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_read_nfs_files(httpd_fastcgi_script_t)
-	fs_read_nfs_symlinks(httpd_fastcgi_script_t)
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
-
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_read_cifs_files(httpd_fastcgi_script_t)
-	fs_read_cifs_symlinks(httpd_fastcgi_script_t)
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
 ')
-
-optional_policy(`
-	mysql_stream_connect(httpd_fastcgi_script_t)
-	mysql_rw_db_sockets(httpd_fastcgi_script_t)
-')
-
-optional_policy(`
-	clamav_domtrans_clamscan(httpd_fastcgi_script_t)
-')
-


Index: mod_fcgid-2.1-README.RPM
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/EL-5/mod_fcgid-2.1-README.RPM,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_fcgid-2.1-README.RPM	15 Jul 2007 14:17:25 -0000	1.1
+++ mod_fcgid-2.1-README.RPM	7 Apr 2009 09:50:24 -0000	1.2
@@ -37,12 +37,16 @@
    /etc/httpd/conf.d/mywiki.conf
 
     # Wiki application data common to all wiki instances
-    Alias /wiki/ "/usr/share/moin/htdocs/"
+    Alias /moin_static182 "/usr/share/moin/htdocs/"
     <Directory "/usr/share/moin/htdocs/">
       Options Indexes FollowSymLinks
       AllowOverride None
       Order allow,deny
       Allow from all
+      <IfModule mod_expires.c>
+        ExpiresActive On
+        ExpiresDefault "access plus 1 year"
+      </IfModule>
     </Directory>
 
     # Wiki instance with mod_fcgid
@@ -56,12 +60,21 @@
       </Directory>
     </IfModule>
 
- * If you are using SELinux with Fedora Core 5 or later, or Red Hat Enterprise
-   Linux 5 or later, install the mod_fcgid-selinux package and see the
-   README.SELinux file in that package for details of the file contexts to use
-
  * Restart the web server to load the new configuration:
 
    service httpd restart
 
 That should do it!
+
+Ruby on Rails with mod_fcgid
+============================
+
+One of the differences between mod_fastcgi and mod_fcgid is that the former
+sets the SCRIPT_NAME environment variable whilst the latter does not, and it's
+reported (http://bugzilla.redhat.com/476658) that Ruby on Rails expects this
+environment variable to be present. A workaround for this is to add:
+
+ActionController::AbstractRequest.relative_url_root = ""
+
+to the Rails::Initializer.run segment of config/environment.rb
+


Index: mod_fcgid-2.1-README.SELinux
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/EL-5/mod_fcgid-2.1-README.SELinux,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- mod_fcgid-2.1-README.SELinux	15 Jul 2007 14:17:25 -0000	1.2
+++ mod_fcgid-2.1-README.SELinux	7 Apr 2009 09:50:24 -0000	1.3
@@ -1,70 +1,62 @@
 Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
 ==============================================================
 
-Versions of this package built for Fedora Core 5 / Red Hat Enterprise Linux 5
-or later include an SELinux policy module to support FastCGI applications.
-This has only been tested so far with moin, so feedback from other applications
-is welcome. The intention is for this module to be included in the SELinux
-reference policy eventually.
+Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
+policy module to support FastCGI applications. Later Fedora releases and Red
+Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
+package and do not require the separate module. This has only been tested so
+far with moin, so feedback from other applications is welcome.
 
 The module source (fastcgi.{fc,te}) is included for reference as documentation
 in the package.
 
-The module introduces a new set of SELinux types for FastCGI applications,
-comparable with the types described in "man httpd_selinux" for regular CGI
-scripts (or "system scripts" as they are known in SELinux):
+The module uses the same set of SELinux types for FastCGI applications as for
+regular CGI scripts (or "system scripts" as they are known in SELinux), as
+described in "man httpd_selinux".
 
- * httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
- - Set files with httpd_fastcgi_content_t for content that is available
+ * httpd_sys_content_t
+ - Set files with httpd_sys_content_t for content that is available
    from all FastCGI scripts and the daemon.
 
- * httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
- - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
-   with access to all fastcgi types.
-
- * httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
- - Set files with httpd_fastcgi_script_ro_t if you want
-   httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
-   non-fastcgi scripts from access.
-
- * httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
- - Set files with httpd_fastcgi_script_rw_t if you want
-   httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
-   other non-fastcgi scripts from access.
-
- * httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
- - Set files with httpd_fastcgi_script_ra_t if you want
-   httpd_fastcgi_script_exec_t scripts to read/append to the file, and
-   disallow other non-fastcgi scripts from access.
+ * httpd_sys_script_exec_t
+ - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
+   with access to all system script types.
+
+ * httpd_sys_script_ro_t
+ - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
+   scripts to read but not write the data, and disallow other processes from
+   access.
+
+ * httpd_sys_script_rw_t
+ - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
+   scripts to read/write the data, and disallow other processes from access.
+
+ * httpd_sys_script_ra_t
+ - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
+   scripts to read/append to the file, and disallow other processes from
+   access.
 
 So for the moin wiki layout described in README.RPM of the main mod_fcgid
 package, the contexts would be set as follows:
 
     cd /var/www/mywiki
-    chcon -t httpd_fastcgi_content_t .
-    chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
-    chcon -R -t httpd_fastcgi_script_rw_t data underlay
+    chcon -t httpd_sys_content_t .
+    chcon -R -t httpd_sys_script_exec_t cgi-bin
+    chcon -R -t httpd_sys_script_rw_t data underlay
 
 It is necessary to turn on the httpd_enable_cgi boolean to run either regular
 or FastCGI scripts:
 
     setsebool -P httpd_enable_cgi 1
 
-If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
-each other's data. This means that you only need to set the actual FastCGI
-scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
-contexts for everything else set to the "sys" types if you prefer. This is
-useful if you have a mixture of CGI and FastCGI applications accessing the
-same data.
-
-The httpd_fastcgi_can_sendmail boolean is used to specify whether any of your
-FastCGI applications can make outbound SMTP connections (e.g. moin sending
+The httpd_can_sendmail boolean is used to specify whether any of your
+web applications can make outbound SMTP connections (e.g. moin sending
 notifications). By default it is off, but can be enabled as follows:
 
-    setsebool -P httpd_fastcgi_can_sendmail 1
+    setsebool -P httpd_can_sendmail 1
 
 Only enable this functionality if you actually need it, since it increases the
-chances that any vulnerability in any of your FastCGI applications could be
+chances that any vulnerability in any of your web applications could be
 exploited by a spammer.
 
 If you have any questions or issues regarding FastCGI and SELinux, please don't


Index: mod_fcgid.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_fcgid/EL-5/mod_fcgid.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- mod_fcgid.spec	27 Apr 2008 22:52:57 -0000	1.6
+++ mod_fcgid.spec	7 Apr 2009 09:50:24 -0000	1.7
@@ -1,17 +1,22 @@
-# FC5, RHEL5 and later include SELinux policy module packages
-%if 0%{?fedora}%{?rhel} < 5
-%define selinux_module 0
-%define selinux_variants %{nil}
-%define selinux_buildreqs %{nil}
+# Fedora 5, 6, and 7 versions includes SELinux policy module package
+# Fedora 8 and 9 versions include policy in errata selinux-policy releases
+# Fedora 10 onwards include policy in standard selinux-policy releases
+# RHEL 5.3 onwards include policy in standard selinux-policy releases
+%if 0%{?fedora} < 5 || 0%{?fedora} > 7
+%global selinux_module 0
+%global selinux_types %{nil}
+%global selinux_variants %{nil}
+%global selinux_buildreqs %{nil}
 %else
-%define selinux_module 1
-%define selinux_variants mls strict targeted
-%define selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
+%global selinux_module 1
+%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
+%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
+%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
 %endif
 
 Name:		mod_fcgid
 Version:	2.2
-Release:	4%{?dist}
+Release:	10%{?dist}
 Summary:	Apache2 module for high-performance server-side scripting 
 Group:		System Environment/Daemons
 License:	GPL+
@@ -29,6 +34,21 @@
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:	gawk, httpd-devel >= 2.0, pkgconfig
 Requires:	httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && %{__cat} %{_includedir}/httpd/.mmn || echo missing)
+# Make sure that selinux-policy is sufficiently up-to-date if it's installed
+%if "%{?rhel}" == "5"
+Conflicts:	selinux-policy < 2.4.6-203.el5
+# No provide here because selinux-policy >= 2.4.6-203.el5 does the providing
+Obsoletes:	mod_fcgid-selinux <= %{version}-%{release}
+%endif
+%if "%{?fedora}" == "8"
+Conflicts:	selinux-policy < 3.0.8-123.fc8
+%endif
+%if "%{?fedora}" == "9"
+Conflicts:	selinux-policy < 3.3.1-107.fc9
+%endif
+%if "%{?fedora}" == "10"
+Conflicts:	selinux-policy < 3.5.13-8.fc10
+%endif
 
 %description
 mod_fcgid is a binary-compatible alternative to the Apache module mod_fastcgi.
@@ -37,8 +57,8 @@
 as possible.
 
 %if %{selinux_module}
-%define selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
-%define selinux_policynum %(echo %{selinux_policyver} | %{__awk} -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
+%global selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0)
+%global selinux_policynum %(echo %{selinux_policyver} | %{__awk} -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
 %package selinux
 Summary:	  SELinux policy module supporting FastCGI applications with mod_fcgid
 Group:		  System Environment/Base
@@ -49,9 +69,7 @@
 # http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
 # Hence the versioned dependency. The versioning will hopefully be replaced by
 # an ABI version requirement or something similar in the future
-%if "%{selinux_policyver}" != ""
 Requires:	  selinux-policy >= %{selinux_policyver}
-%endif
 Requires:	  %{name} = %{version}-%{release}
 Requires(post):	  /usr/sbin/semodule, /sbin/restorecon
 Requires(postun): /usr/sbin/semodule, /sbin/restorecon
@@ -124,7 +142,7 @@
 	/usr/sbin/semodule -s ${selinuxvariant} -i \
 		%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
 done
-# Fix up non-standard directory context
+# Fix up non-standard directory context from earlier packages
 /sbin/restorecon -R %{_localstatedir}/run/mod_fcgid || :
 
 %postun selinux
@@ -157,6 +175,33 @@
 %endif
 
 %changelog
+* Mon Apr  6 2009 Paul Howarth <paul at city-fan.org> 2.2-10
+- EL 5.3 now has SELinux support in the main selinux-policy package so handle
+  that release as per Fedora >= 8, except that the RHEL selinux-policy package
+  doesn't Obsolete/Provide mod_fcgid-selinux like the Fedora version, so do
+  the obsoletion here instead
+
+* Thu Feb 26 2009 Paul Howarth <paul at city-fan.org> 2.2-9
+- Update documentation for MoinMoin, Rails (#476658), and SELinux
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Nov 12 2008 Paul Howarth <paul at city-fan.org> 2.2-7
+- SELinux policy module no longer built for Fedora 8 onwards as it is
+  obsoleted by the main selinux-policy package
+- Conflicts for selinux-policy packages older than the releases where mod_fcgid
+  policy was incorporated have been added for Fedora 8, 9, and 10 versions, to
+  ensure that SELinux support will work if installed
+
+* Tue Oct 21 2008 Paul Howarth <paul at city-fan.org> 2.2-6
+- SELinux policy module rewritten to merge fastcgi and system script domains
+  in preparation for merge into main selinux-policy package (#462318)
+- Try to determine supported SELinux policy types by reading /etc/selinux/config
+
+* Thu Jul 24 2008 Paul Howarth <paul at city-fan.org> 2.2-5
+- Tweak selinux-policy version detection macro to work with current Rawhide
+
 * Thu Feb 14 2008 Paul Howarth <paul at city-fan.org> 2.2-4
 - Rebuild with gcc 4.3.0 for Fedora 9
 


