diff options
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | fastcgi-2.5.te | 63 | ||||
-rw-r--r-- | fastcgi.fc | 1 | ||||
-rw-r--r-- | fastcgi.te | 71 | ||||
-rw-r--r-- | fcgid.conf | 14 | ||||
-rw-r--r-- | fcgid24.conf | 12 | ||||
-rw-r--r-- | mod_fcgid-2.1-README.RPM | 75 | ||||
-rw-r--r-- | mod_fcgid-2.1-README.SELinux | 63 | ||||
-rw-r--r-- | mod_fcgid-2.3.4-fixconf-shellbang.patch | 8 | ||||
-rw-r--r-- | mod_fcgid-tmpfs.conf | 1 | ||||
-rw-r--r-- | mod_fcgid.spec | 472 |
11 files changed, 784 insertions, 0 deletions
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1e65467 --- /dev/null +++ b/Makefile @@ -0,0 +1,4 @@ +SRCDIR := $(shell pwd) +NAME := $(shell basename $(SRCDIR)) +include ../common/Makefile + diff --git a/fastcgi-2.5.te b/fastcgi-2.5.te new file mode 100644 index 0000000..c691308 --- /dev/null +++ b/fastcgi-2.5.te @@ -0,0 +1,63 @@ +# This policy module provides support for mod_fcgid using the httpd system script domain. +# It provides "allow" rules that will overlap to varying degrees with selinux-policy +# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included +# as updates for selinux-policy in Fedora 8, 9, and 10. +# +# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy +# +# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, +# which is now an alias for httpd_sys_script_t. + +policy_module(fastcgi, 0.2.6) + +require { + type devpts_t; + type httpd_t; + type httpd_log_t; + type httpd_sys_content_t; + type httpd_sys_content_ra_t; + type httpd_sys_content_ro_t; + type httpd_sys_content_rw_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_ra_t; + type httpd_sys_script_ro_t; + type httpd_sys_script_rw_t; + type httpd_sys_script_t; + type httpd_tmp_t; + type httpd_var_run_t; +}; + +# Type aliases for contexts used with older policy modules +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t; +typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t; +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +# ========================================================== +# Re-use httpd_sys_script_t for mod_fcgid apps +# ========================================================== + +# Allow web applications to call getpw* functions +auth_use_nsswitch(httpd_sys_script_t) + +# Allow httpd to create and use files and sockets for communicating with mod_fcgid +# Rules to do this are already in selinux-policy apart from dir setattr +setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) + +# Allow FastCGI applications to listen for FastCGI requests on their +# sockets and respond to them +allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; + +# These are probably leaked file descriptors +dontaudit httpd_t devpts_t:chr_file ioctl; +dontaudit httpd_sys_script_t httpd_log_t:file ioctl; + +# PHP uploads a file to /tmp and then execs programs to action them +# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) diff --git a/fastcgi.fc b/fastcgi.fc new file mode 100644 index 0000000..2006d97 --- /dev/null +++ b/fastcgi.fc @@ -0,0 +1 @@ +/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/fastcgi.te b/fastcgi.te new file mode 100644 index 0000000..373d920 --- /dev/null +++ b/fastcgi.te @@ -0,0 +1,71 @@ +# This policy module provides support for mod_fcgid using the httpd system script domain. +# It provides "allow" rules that will overlap to varying degrees with selinux-policy +# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included +# as updates for selinux-policy in Fedora 8, 9, and 10. +# +# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy +# +# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, +# which is now an alias for httpd_sys_script_t. + +policy_module(fastcgi, 0.1.11) + +require { + type devpts_t; + type httpd_t; + type httpd_log_t; + type httpd_sys_content_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_ra_t; + type httpd_sys_script_ro_t; + type httpd_sys_script_rw_t; + type httpd_sys_script_t; + type httpd_tmp_t; + type httpd_var_run_t; +}; + +# Type aliases for contexts used with older policy modules +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +# ========================================================== +# Re-use httpd_sys_script_t for mod_fcgid apps +# ========================================================== + +# Allow web applications to call getpw* functions +auth_use_nsswitch(httpd_sys_script_t) + +# Allow httpd to create and use files and sockets for communicating with mod_fcgid +# Rules to do this are already in selinux-policy apart from dir setattr +allow httpd_t httpd_var_run_t:dir setattr; + +# Allow FastCGI applications to listen for FastCGI requests on their +# sockets and respond to them +allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; + +# These are probably leaked file descriptors +dontaudit httpd_t devpts_t:chr_file ioctl; +dontaudit httpd_sys_script_t httpd_log_t:file ioctl; + +# Search automount filesystem to use automatically mounted filesystems +fs_search_auto_mountpoints(httpd_sys_script_t) + +# PHP uploads a file to /tmp and then execs programs to action them +allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms; +allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms; +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) + +# Support network home directories +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') diff --git a/fcgid.conf b/fcgid.conf new file mode 100644 index 0000000..90f208e --- /dev/null +++ b/fcgid.conf @@ -0,0 +1,14 @@ +# This is the Apache server configuration file for providing FastCGI support +# through mod_fcgid +# +# Documentation is available at +# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html + +LoadModule fcgid_module modules/mod_fcgid.so + +# Use FastCGI to process .fcg .fcgi & .fpl scripts +AddHandler fcgid-script fcg fcgi fpl + +# Sane place to put sockets and shared memory file +FcgidIPCDir /var/run/mod_fcgid +FcgidProcessTableFile /var/run/mod_fcgid/fcgid_shm diff --git a/fcgid24.conf b/fcgid24.conf new file mode 100644 index 0000000..2e7d486 --- /dev/null +++ b/fcgid24.conf @@ -0,0 +1,12 @@ +# This is the Apache server configuration file for providing FastCGI support +# through mod_fcgid +# +# Documentation is available at +# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html + +# Use FastCGI to process .fcg .fcgi & .fpl scripts +AddHandler fcgid-script fcg fcgi fpl + +# Sane place to put sockets and shared memory file +FcgidIPCDir /run/mod_fcgid +FcgidProcessTableFile /run/mod_fcgid/fcgid_shm diff --git a/mod_fcgid-2.1-README.RPM b/mod_fcgid-2.1-README.RPM new file mode 100644 index 0000000..89165c5 --- /dev/null +++ b/mod_fcgid-2.1-README.RPM @@ -0,0 +1,75 @@ +Using the mod_fcgid RPM Package +=============================== + +This mod_fcgid package includes a configuration file +/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and +added as the handler for .fcg, .fcgi, and .fpl applications. + +Example: setting up moin with mod_fcgid +======================================= + +Setting up moin with mod_fcgid is very similar to setting it up as a regular +CGI application. + + * Create a directory for your wiki instance: + + DESTDIR=/var/www/mywiki + mkdir -p $DESTDIR/cgi-bin + + * Copy in the wiki template data and the application itself: + + cp -a /usr/share/moin/{data,underlay} $DESTDIR + cp -a /usr/share/moin/server/moin.fcg $DESTDIR/cgi-bin + cp -a /usr/share/moin/config/wikiconfig.py $DESTDIR/cgi-bin + + * Fix the directory ownership + + chown -R apache:apache $DESTDIR/{data,underlay} + + * Edit $DESTDIR/cgi-bin/wikiconfig.py to suit your needs + + * Create a httpd configuration file for the wiki, e.g. + /etc/httpd/conf.d/mywiki.conf + + # Wiki application data common to all wiki instances + Alias /moin_static185 "/usr/share/moin/htdocs/" + <Directory "/usr/share/moin/htdocs/"> + Options Indexes FollowSymLinks + AllowOverride None + Order allow,deny + Allow from all + <IfModule mod_expires.c> + ExpiresActive On + ExpiresDefault "access plus 1 year" + </IfModule> + </Directory> + + # Wiki instance with mod_fcgid + <IfModule mod_fcgid.c> + ScriptAlias /mywiki "/var/www/mywiki/cgi-bin/moin.fcg" + <Directory "/var/www/mywiki/cgi-bin/"> + Options Indexes FollowSymLinks ExecCGI + AllowOverride None + Order allow,deny + Allow from all + </Directory> + </IfModule> + + * Restart the web server to load the new configuration: + + service httpd restart + +That should do it! + +Ruby on Rails with mod_fcgid +============================ + +One of the differences between mod_fastcgi and mod_fcgid is that the former +sets the SCRIPT_NAME environment variable whilst the latter does not, and it's +reported (http://bugzilla.redhat.com/476658) that Ruby on Rails expects this +environment variable to be present. A workaround for this is to add: + +ActionController::AbstractRequest.relative_url_root = "" + +to the Rails::Initializer.run segment of config/environment.rb + diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux new file mode 100644 index 0000000..981cf59 --- /dev/null +++ b/mod_fcgid-2.1-README.SELinux @@ -0,0 +1,63 @@ +Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards +============================================================== + +Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux +policy module to support FastCGI applications. Later Fedora releases and Red +Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy +package and do not require the separate module. + +The module source (fastcgi.{fc,te}) is included for reference as documentation +in the package. + +The module uses the same set of SELinux types for FastCGI applications as for +regular CGI scripts (or "system scripts" as they are known in SELinux), as +described in "man httpd_selinux". + + * httpd_sys_content_t + - Set files with httpd_sys_content_t for content that is available + from all FastCGI scripts and the daemon. + + * httpd_sys_script_exec_t + - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run + with access to all system script types. + + * httpd_sys_script_ro_t + - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t + scripts to read but not write the data, and disallow other processes from + access. + + * httpd_sys_script_rw_t + - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t + scripts to read/write the data, and disallow other processes from access. + + * httpd_sys_script_ra_t + - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t + scripts to read/append to the file, and disallow other processes from + access. + +So for the moin wiki layout described in README.RPM of the main mod_fcgid +package, the contexts would be set as follows: + + cd /var/www/mywiki + chcon -t httpd_sys_content_t . + chcon -R -t httpd_sys_script_exec_t cgi-bin + chcon -R -t httpd_sys_script_rw_t data underlay + +It is necessary to turn on the httpd_enable_cgi boolean to run either regular +or FastCGI scripts: + + setsebool -P httpd_enable_cgi 1 + +The httpd_can_sendmail boolean is used to specify whether any of your +web applications can make outbound SMTP connections (e.g. moin sending +notifications). By default it is off, but can be enabled as follows: + + setsebool -P httpd_can_sendmail 1 + +Only enable this functionality if you actually need it, since it increases the +chances that any vulnerability in any of your web applications could be +exploited by a spammer. + +If you have any questions or issues regarding FastCGI and SELinux, please don't +hesitate to bring them up on fedora-selinux-list. + diff --git a/mod_fcgid-2.3.4-fixconf-shellbang.patch b/mod_fcgid-2.3.4-fixconf-shellbang.patch new file mode 100644 index 0000000..ea5fb50 --- /dev/null +++ b/mod_fcgid-2.3.4-fixconf-shellbang.patch @@ -0,0 +1,8 @@ +--- mod_fcgid-2.3.4/build/fixconf.sed 2009-10-07 04:16:08.000000000 +0100 ++++ mod_fcgid-2.3.4/build/fixconf.sed 2009-10-12 09:50:14.570448865 +0100 +@@ -1,4 +1,4 @@ +-#!/usr/bin/sed -f ++#!/bin/sed -f + # + # Licensed to the Apache Software Foundation (ASF) under one or more + # contributor license agreements. See the NOTICE file distributed with diff --git a/mod_fcgid-tmpfs.conf b/mod_fcgid-tmpfs.conf new file mode 100644 index 0000000..02e7d08 --- /dev/null +++ b/mod_fcgid-tmpfs.conf @@ -0,0 +1 @@ +d /run/mod_fcgid - apache apache diff --git a/mod_fcgid.spec b/mod_fcgid.spec new file mode 100644 index 0000000..e648bac --- /dev/null +++ b/mod_fcgid.spec @@ -0,0 +1,472 @@ +# Fedora 5, 6, and 7 versions includes SELinux policy module package +# Fedora 8 and 9 versions include policy in errata selinux-policy releases +# Fedora 10 onwards include policy in standard selinux-policy releases +# RHEL 5.5 onwards include policy in standard selinux-policy releases +%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel} +%global selinux_module 0 +%global selinux_types %{nil} +%global selinux_variants %{nil} +%global selinux_buildreqs %{nil} +%else +%global selinux_module 1 +%global selinux_types %(awk '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null) +%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types}) +%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink +%endif + +# apxs script location +%{!?_httpd_apxs: %global _httpd_apxs %{_sbindir}/apxs} + +# Module Magic Number +%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)} + +# Configuration directory +%{!?_httpd_confdir: %global _httpd_confdir %{_sysconfdir}/httpd/conf.d} + +# For httpd ≥ 2.4 we have a different filesystem layout +%if 0%{?fedora} > 17 || 0%{?rhel} > 6 +%global httpd24 1 +%global rundir /run +%else +%global httpd24 1 +%global rundir %{_localstatedir}/run +%endif + +Name: mod_fcgid +Version: 2.3.7 +Release: 3%{?dist} +Summary: FastCGI interface module for Apache 2 +Group: System Environment/Daemons +License: ASL 2.0 +URL: http://httpd.apache.org/mod_fcgid/ +Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2 +Source1: fcgid.conf +Source2: mod_fcgid-2.1-README.RPM +Source3: mod_fcgid-2.1-README.SELinux +Source4: mod_fcgid-tmpfs.conf +Source5: fcgid24.conf +Source10: fastcgi.te +Source11: fastcgi-2.5.te +Source12: fastcgi.fc +Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +BuildRequires: httpd-devel >= 2.0, pkgconfig +Requires: httpd-mmn = %{_httpd_mmn} +# sed required for fixconf script +Requires: /bin/sed +# systemd-units needed for ownership of /etc/tmpfiles.d directory +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +Requires: systemd-units +%endif +# Make sure that selinux-policy is sufficiently up-to-date if it's installed +# FastCGI policy properly incorporated into EL 5.5 +%if "%{?rhel}" == "5" +Conflicts: selinux-policy < 2.4.6-279.el5 +# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing +Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +%endif +%if "%{?fedora}" == "8" +Conflicts: selinux-policy < 3.0.8-123.fc8 +%endif +%if "%{?fedora}" == "9" +Conflicts: selinux-policy < 3.3.1-107.fc9 +%endif +%if "%{?fedora}" == "10" +Conflicts: selinux-policy < 3.5.13-8.fc10 +%endif + +%description +mod_fcgid is a binary-compatible alternative to the Apache module mod_fastcgi. +mod_fcgid has a new process management strategy, which concentrates on reducing +the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon +as possible. + +%if %{selinux_module} +%global selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0) +%global selinux_policynum %(echo %{selinux_policyver} | awk -F. '{ printf "%d%02d%02d", $1, $2, $3 }') +%package selinux +Summary: SELinux policy module supporting FastCGI applications with mod_fcgid +Group: System Environment/Base +BuildRequires: %{selinux_buildreqs} +# selinux-policy is required for directory ownership of %%{_datadir}/selinux/* +# Modules built against one version of a policy may not work with older policy +# versions, as noted on fedora-selinux-list: +# http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html +# Hence the versioned dependency. The versioning will hopefully be replaced by +# an ABI version requirement or something similar in the future +Requires: selinux-policy >= %{selinux_policyver} +Requires: %{name} = %{version}-%{release} +Requires(post): /usr/sbin/semodule, /sbin/restorecon +Requires(postun): /usr/sbin/semodule, /sbin/restorecon + +%description selinux +SELinux policy module supporting FastCGI applications with mod_fcgid. +%endif + +%prep +%setup -q +cp -p %{SOURCE1} fcgid.conf +cp -p %{SOURCE2} README.RPM +cp -p %{SOURCE3} README.SELinux +cp -p %{SOURCE5} fcgid24.conf +%if 0%{?selinux_policynum} < 20501 +cp -p %{SOURCE10} fastcgi.te +%else +cp -p %{SOURCE11} fastcgi.te +%endif +cp -p %{SOURCE12} fastcgi.fc + +# Fix shellbang in fixconf script for our location of sed +%patch0 -p1 + +%build +APXS=%{_httpd_apxs} ./configure.apxs +make +%if %{selinux_module} +for selinuxvariant in %{selinux_variants} +do + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile + mv fastcgi.pp fastcgi.pp.${selinuxvariant} + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean +done +%endif + +%install +rm -rf %{buildroot} +make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install +%if %{httpd24} +mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}} +echo "LoadModule fcgid_module modules/mod_fcgid.so" > %{buildroot}%{_httpd_modconfdir}/10-fcgid.conf +install -D -m 644 fcgid24.conf %{buildroot}%{_httpd_confdir}/fcgid.conf +%else +install -D -m 644 fcgid.conf %{buildroot}%{_httpd_confdir}/fcgid.conf +%endif +install -d -m 755 %{buildroot}%{rundir}/mod_fcgid + +# Include the manual as %%doc, don't need it elsewhere +%if %{httpd24} +rm -rf %{buildroot}%{_httpd_contentdir}/manual +%else +rm -rf %{buildroot}%{_var}/www/manual +%endif + +# Make sure %%{rundir}/mod_fcgid exists at boot time for systems +# with %%{rundir} on tmpfs (#656625) +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +install -d -m 755 %{buildroot}%{_sysconfdir}/tmpfiles.d +install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/tmpfiles.d/mod_fcgid.conf +%endif + +# Install SELinux policy modules +%if %{selinux_module} +for selinuxvariant in %{selinux_variants} +do + install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant} + install -p -m 644 fastcgi.pp.${selinuxvariant} \ + %{buildroot}%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp +done +# Hardlink identical policy module packages together +hardlink -cv %{buildroot}%{_datadir}/selinux +%endif + +%clean +rm -rf %{buildroot} + +%if %{selinux_module} +%post selinux +# Install SELinux policy modules +for selinuxvariant in %{selinux_variants} +do + /usr/sbin/semodule -s ${selinuxvariant} -i \ + %{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || : +done +# Fix up non-standard directory context from earlier packages +/sbin/restorecon -R %{rundir}/mod_fcgid || : + +%postun selinux +# Clean up after package removal +if [ $1 -eq 0 ]; then + # Remove SELinux policy modules + for selinuxvariant in %{selinux_variants}; do + /usr/sbin/semodule -s ${selinuxvariant} -r fastcgi &> /dev/null || : + done + # Clean up any remaining file contexts (shouldn't be any really) + [ -d %{rundir}/mod_fcgid ] && \ + /sbin/restorecon -R %{rundir}/mod_fcgid &> /dev/null || : +fi +exit 0 +%endif + +%files +%defattr(-,root,root,-) +# mod_fcgid.html.en is explicitly encoded as ISO-8859-1 +%doc CHANGES-FCGID LICENSE-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID +%doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog +%doc build/fixconf.sed +%{_libdir}/httpd/modules/mod_fcgid.so +%if %{httpd24} +%config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf +%endif +%config(noreplace) %{_httpd_confdir}/fcgid.conf +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%{_sysconfdir}/tmpfiles.d/mod_fcgid.conf +%endif +%dir %attr(0755,apache,apache) %{rundir}/mod_fcgid/ + +%if %{selinux_module} +%files selinux +%defattr(-,root,root,-) +%doc fastcgi.fc fastcgi.te README.SELinux +%{_datadir}/selinux/*/fastcgi.pp +%endif + +%changelog +* Wed May 2 2012 Remi Collet <RPMS@FamilleCollet.com> 2.3.7-3 +- sync with rawhide, rebuild for remi repo + +* Wed May 2 2012 Paul Howarth <paul@city-fan.org> 2.3.7-3 +- Make %%files list more explicit + +* Wed May 2 2012 Joe Orton <jorton@redhat.com> 2.3.7-2 +- Use 10- prefix for conf file in conf.modules.d with httpd ≥ 2.4 +- Use _httpd_confdir throughout + +* Tue Apr 24 2012 Remi Collet <RPMS@FamilleCollet.com> 2.3.7-1 +- update to 2.3.7, rebuild for remi repo + +* Mon Apr 23 2012 Paul Howarth <paul@city-fan.org> 2.3.7-1 +- Update to 2.3.7 + - Introduce FcgidWin32PreventOrphans directive on Windows to use OS Job + Control Objects to terminate all running fcgi's when the worker process + has been abruptly terminated (PR: 51078) + - Periodically clean out the brigades that are pulling in the request body + for handoff to the fcgid child (PR: 51749) + - Resolve crash during graceful restarts (PR: 50309) + - Solve latency/congestion of resolving effective user file access rights + when no such info is desired, for config-related filename stats (PR: 51020) + - Fix regression in 2.3.6 that broke process controls when using + vhost-specific configuration + - Account for first process in class in the spawn score +- Drop patch for CVE-2012-1181, now included in upstream release + +* Sat Mar 31 2012 Remi Collet <RPMS@FamilleCollet.com> 2.3.6-6 +- rebuild httpd 2.4 + +* Tue Mar 27 2012 Paul Howarth <paul@city-fan.org> 2.3.6-6 +- Fix compatibility with httpd 2.4 in F-18/RHEL-7 onwards +- Use /run rather than /var/run from F-15/RHEL-7 onwards + +* Sun Jan 22 2012 Paul Howarth <paul@city-fan.org> 2.3.6-5 +- Fix regression in 2.3.6 that broke process controls when using vhost-specific + configuration (upstream issue 49902, #783742, CVE-2012-1181) + +* Fri Jan 6 2012 Paul Howarth <paul@city-fan.org> 2.3.6-4 +- Nobody else likes macros for commands + +* Tue Feb 8 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 2.3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 1 2010 Paul Howarth <paul@city-fan.org> 2.3.6-2 +- Add /etc/tmpfiles.d/mod_fcgid.conf for builds on Fedora 15 onwards to + support running with /var/run on tmpfs (#656625) + +* Thu Nov 4 2010 Paul Howarth <paul@city-fan.org> 2.3.6-1 +- Update to 2.3.6 (see CHANGES-FCGID for full details) + - Fix possible stack buffer overwrite (CVE-2010-3872) + - Change the default for FcgidMaxRequestLen from 1GB to 128K; administrators + should change this to an appropriate value based on site requirements + - Correct a problem that resulted in FcgidMaxProcesses being ignored in some + situations + - Return 500 instead of segfaulting when the application returns no output +- Don't include SELinux policy for RHEL-5 builds since RHEL >= 5.5 includes it +- Explicitly require /bin/sed for fixconf script + +* Tue Jun 8 2010 Paul Howarth <paul@city-fan.org> 2.3.5-2 +- SELinux policy module not needed for RHEL-6 onwards + +* Wed Jan 27 2010 Paul Howarth <paul@city-fan.org> 2.3.5-1 +- Update to 2.3.5 (see CHANGES-FCGID for details) +- Drop upstream svn patch + +* Wed Oct 21 2009 Paul Howarth <paul@city-fan.org> 2.3.4-2 +- Add fixes from upstream svn for a number of issues, most notably that the + fixconf script had an error in the regexp, which resulted in a prefix of + "FcgidFcgid" on the updated directives + +* Mon Oct 12 2009 Paul Howarth <paul@city-fan.org> 2.3.4-1 +- Update to 2.3.4 (configuration directives changed again) +- Add fixconf.sed script for config file directives update + +* Fri Sep 25 2009 Paul Howarth <paul@city-fan.org> 2.3.1-2.20090925svn818270 +- Update to svn revision 818270 +- DESTDIR and header detection patches upstreamed +- Build SELinux policy module for EL-5; support in EL-5.3 is incomplete and + will be fixed in EL-5.5 (#519369) +- Drop aliases httpd_sys_content_r{a,o,w}_t -> httpd_fastcgi_content_r{a,o,w}_t + from pre-2.5 SElinux policy module as these types aren't defined there + +* Wed Sep 23 2009 Paul Howarth <paul@city-fan.org> 2.3.1-1.20090923svn817978 +- Update to post-2.3.1 svn snapshot +- Upstream moved to apache.org +- License changed to ASL 2.0 +- Use FCGID-prefixed config file options (old ones deprecated) +- Lots of documentation changes +- Renumber sources +- Don't defer to mod_fastcgi if both are present +- Drop gawk buildreq +- Add patches fixing RPM build issues (DESTDIR support, header detection) + +* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue May 26 2009 Paul Howarth <paul@city-fan.org> 2.2-12 +- Don't use /etc/httpd/run as basis of "run" directory as its DAC permissions + are not permissive enough in F-11 onwards; instead, revert to + /var/run/mod_fcgid and tweak default config accordingly (#502273) + +* Sun May 17 2009 Paul Howarth <paul@city-fan.org> 2.2-11 +- Follow link /etc/httpd/run and make our "run" directory a subdir of wherever + that leads (#501123) + +* Mon Apr 6 2009 Paul Howarth <paul@city-fan.org> 2.2-10 +- EL 5.3 now has SELinux support in the main selinux-policy package so handle + that release as per Fedora >= 8, except that the RHEL selinux-policy package + doesn't Obsolete/Provide mod_fcgid-selinux like the Fedora version, so do + the obsoletion here instead + +* Thu Feb 26 2009 Paul Howarth <paul@city-fan.org> 2.2-9 +- Update documentation for MoinMoin, Rails (#476658), and SELinux + +* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Nov 12 2008 Paul Howarth <paul@city-fan.org> 2.2-7 +- SELinux policy module no longer built for Fedora 8 onwards as it is + obsoleted by the main selinux-policy package +- Conflicts for selinux-policy packages older than the releases where mod_fcgid + policy was incorporated have been added for Fedora 8, 9, and 10 versions, to + ensure that SELinux support will work if installed + +* Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6 +- SELinux policy module rewritten to merge fastcgi and system script domains + in preparation for merge into main selinux-policy package (#462318) +- Try to determine supported SELinux policy types by reading /etc/selinux/config + +* Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5 +- Tweak selinux-policy version detection macro to work with current Rawhide + +* Thu Feb 14 2008 Paul Howarth <paul@city-fan.org> 2.2-4 +- Rebuild with gcc 4.3.0 for Fedora 9 + +* Mon Jan 14 2008 Paul Howarth <paul@city-fan.org> 2.2-3 +- Update SELinux policy to fix occasional failures on restarts + (move shared memory file into /var/run/mod_fcgid directory) + +* Thu Jan 3 2008 Paul Howarth <paul@city-fan.org> 2.2-2 +- Update SELinux policy to support file transition to httpd_tmp_t for + temporary files + +* Fri Sep 14 2007 Paul Howarth <paul@city-fan.org> 2.2-1 +- Update to version 2.2 +- Make sure docs are encoded as UTF-8 + +* Mon Sep 3 2007 Joe Orton <jorton@redhat.com> 2.1-6 +- rebuild for fixed 32-bit APR (#254241) + +* Thu Aug 23 2007 Paul Howarth <paul@city-fan.org> 2.1-5 +- Update source URL to point to downloads.sf.net rather than dl.sf.net +- Upstream released new tarball without changing version number, though the + only change was in arch/win32/fcgid_pm_win.c, which is not used to build the + RPM package +- Clarify license as GPL (unspecified/any version) +- Unexpand tabs in spec +- Add buildreq of gawk + +* Fri Aug 3 2007 Paul Howarth <paul@city-fan.org> 2.1-4 +- Add buildreq of pkgconfig, a missing dependency of both apr-devel and + apr-util-devel on FC5 + +* Fri Jun 15 2007 Paul Howarth <paul@city-fan.org> 2.1-3 +- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares + and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP + servers +- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the + permissions macros in the underlying selinux-policy package + +* Wed Mar 21 2007 Paul Howarth <paul@city-fan.org> 2.1-2 +- Add RHEL5 with SELinux support +- Rename README.Fedora to README.RPM + +* Fri Feb 16 2007 Paul Howarth <paul@city-fan.org> 2.1-1 +- Update to 2.1 +- Update documentation and patches +- Rename some source files to reduce chances of conflicting names +- Include SharememPath directive in conf file to avoid unfortunate upstream + default location + +* Mon Oct 30 2006 Paul Howarth <paul@city-fan.org> 2.0-1 +- Update to 2.0 +- Source is now hosted at sourceforge.net +- Update docs + +* Wed Sep 6 2006 Paul Howarth <paul@city-fan.org> 1.10-7 +- Include the right README* files + +* Tue Aug 29 2006 Paul Howarth <paul@city-fan.org> 1.10-6 +- Buildreqs for FC5 now identical to buildreqs for FC6 onwards + +* Fri Jul 28 2006 Paul Howarth <paul@city-fan.org> 1.10-5 +- Split off SELinux module into separate subpackage to avoid dependency on + the selinux-policy package for the main package + +* Fri Jul 28 2006 Paul Howarth <paul@city-fan.org> 1.10-4 +- SELinux policy packages moved from %%{_datadir}/selinux/packages/POLICYNAME + to %%{_datadir}/selinux/POLICYNAME +- hardlink identical policy module packages together to avoid duplicate files + +* Thu Jul 20 2006 Paul Howarth <paul@city-fan.org> 1.10-3 +- Adjust buildreqs for FC6 onwards +- Figure out where top_dir is dynamically since the /etc/httpd/build + symlink is gone in FC6 + +* Wed Jul 5 2006 Paul Howarth <paul@city-fan.org> 1.10-2 +- SELinux policy update: allow FastCGI apps to do DNS lookups + +* Tue Jul 4 2006 Paul Howarth <paul@city-fan.org> 1.10-1 +- Update to 1.10 +- Expand tabs to shut rpmlint up + +* Tue Jul 4 2006 Paul Howarth <paul@city-fan.org> 1.09-10 +- SELinux policy update: + * allow httpd to read httpd_fastcgi_content_t without having the + | httpd_builtin_scripting boolean set + * allow httpd_fastcgi_script_t to read /etc/resolv.conf without + | having the httpd_can_network_connect boolean set + +* Sun Jun 18 2006 Paul Howarth <paul@city-fan.org> 1.09-9 +- Discard output of semodule in %%postun +- Include some documentation from upstream + +* Fri Jun 9 2006 Paul Howarth <paul@city-fan.org> 1.09-8 +- Change default context type for socket directory from var_run_t to + httpd_fastcgi_sock_t for better separation + +* Thu Jun 8 2006 Paul Howarth <paul@city-fan.org> 1.09-7 +- Add SELinux policy module and README.Fedora +- Conflict with selinux-policy versions older than what we're built on + +* Mon May 15 2006 Paul Howarth <paul@city-fan.org> 1.09-6 +- Instead of conflicting with mod_fastcgi, don't add the handler for .fcg etc. + if mod_fastcgi is present + +* Fri May 12 2006 Paul Howarth <paul@city-fan.org> 1.09-5 +- Use correct handler name in fcgid.conf +- Conflict with mod_fastcgi +- Create directory %%{_localstatedir}/run/mod_fcgid for sockets + +* Thu May 11 2006 Paul Howarth <paul@city-fan.org> 1.09-4 +- Cosmetic tweaks (personal preferences) +- Don't include INSTALL.TXT, nothing of use to end users + +* Wed May 10 2006 Thomas Antony <thomas@antony.eu> 1.09-3 +- Initial release |