summaryrefslogtreecommitdiffstats
path: root/mod_fcgid-2.1-README.SELinux
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2012-06-13 18:43:31 +0200
committerRemi Collet <fedora@famillecollet.com>2012-06-13 18:43:31 +0200
commit663c5ae7be58307fd941c2884c24bc5c50cc4fa8 (patch)
tree543f9b90a1900604dc4eb5b975a3838dc8ac092d /mod_fcgid-2.1-README.SELinux
reorg repo
Diffstat (limited to 'mod_fcgid-2.1-README.SELinux')
-rw-r--r--mod_fcgid-2.1-README.SELinux63
1 files changed, 63 insertions, 0 deletions
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
new file mode 100644
index 0000000..981cf59
--- /dev/null
+++ b/mod_fcgid-2.1-README.SELinux
@@ -0,0 +1,63 @@
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+==============================================================
+
+Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
+policy module to support FastCGI applications. Later Fedora releases and Red
+Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
+package and do not require the separate module.
+
+The module source (fastcgi.{fc,te}) is included for reference as documentation
+in the package.
+
+The module uses the same set of SELinux types for FastCGI applications as for
+regular CGI scripts (or "system scripts" as they are known in SELinux), as
+described in "man httpd_selinux".
+
+ * httpd_sys_content_t
+ - Set files with httpd_sys_content_t for content that is available
+ from all FastCGI scripts and the daemon.
+
+ * httpd_sys_script_exec_t
+ - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
+ with access to all system script types.
+
+ * httpd_sys_script_ro_t
+ - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
+ scripts to read but not write the data, and disallow other processes from
+ access.
+
+ * httpd_sys_script_rw_t
+ - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
+ scripts to read/write the data, and disallow other processes from access.
+
+ * httpd_sys_script_ra_t
+ - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
+ scripts to read/append to the file, and disallow other processes from
+ access.
+
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
+package, the contexts would be set as follows:
+
+ cd /var/www/mywiki
+ chcon -t httpd_sys_content_t .
+ chcon -R -t httpd_sys_script_exec_t cgi-bin
+ chcon -R -t httpd_sys_script_rw_t data underlay
+
+It is necessary to turn on the httpd_enable_cgi boolean to run either regular
+or FastCGI scripts:
+
+ setsebool -P httpd_enable_cgi 1
+
+The httpd_can_sendmail boolean is used to specify whether any of your
+web applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+ setsebool -P httpd_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your web applications could be
+exploited by a spammer.
+
+If you have any questions or issues regarding FastCGI and SELinux, please don't
+hesitate to bring them up on fedora-selinux-list.
+