summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile4
-rw-r--r--fastcgi-2.5.te63
-rw-r--r--fastcgi.fc1
-rw-r--r--fastcgi.te71
-rw-r--r--fcgid.conf14
-rw-r--r--fcgid24.conf12
-rw-r--r--mod_fcgid-2.1-README.RPM75
-rw-r--r--mod_fcgid-2.1-README.SELinux63
-rw-r--r--mod_fcgid-2.3.4-fixconf-shellbang.patch8
-rw-r--r--mod_fcgid-tmpfs.conf1
-rw-r--r--mod_fcgid.spec472
11 files changed, 784 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/fastcgi-2.5.te b/fastcgi-2.5.te
new file mode 100644
index 0000000..c691308
--- /dev/null
+++ b/fastcgi-2.5.te
@@ -0,0 +1,63 @@
+# This policy module provides support for mod_fcgid using the httpd system script domain.
+# It provides "allow" rules that will overlap to varying degrees with selinux-policy
+# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
+# as updates for selinux-policy in Fedora 8, 9, and 10.
+#
+# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy
+#
+# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
+# which is now an alias for httpd_sys_script_t.
+
+policy_module(fastcgi, 0.2.6)
+
+require {
+ type devpts_t;
+ type httpd_t;
+ type httpd_log_t;
+ type httpd_sys_content_t;
+ type httpd_sys_content_ra_t;
+ type httpd_sys_content_ro_t;
+ type httpd_sys_content_rw_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_ra_t;
+ type httpd_sys_script_ro_t;
+ type httpd_sys_script_rw_t;
+ type httpd_sys_script_t;
+ type httpd_tmp_t;
+ type httpd_var_run_t;
+};
+
+# Type aliases for contexts used with older policy modules
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t;
+typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
+# ==========================================================
+# Re-use httpd_sys_script_t for mod_fcgid apps
+# ==========================================================
+
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
+
+# Allow httpd to create and use files and sockets for communicating with mod_fcgid
+# Rules to do this are already in selinux-policy apart from dir setattr
+setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+
+# Allow FastCGI applications to listen for FastCGI requests on their
+# sockets and respond to them
+allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+
+# These are probably leaked file descriptors
+dontaudit httpd_t devpts_t:chr_file ioctl;
+dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
+
+# PHP uploads a file to /tmp and then execs programs to action them
+# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
diff --git a/fastcgi.fc b/fastcgi.fc
new file mode 100644
index 0000000..2006d97
--- /dev/null
+++ b/fastcgi.fc
@@ -0,0 +1 @@
+/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/fastcgi.te b/fastcgi.te
new file mode 100644
index 0000000..373d920
--- /dev/null
+++ b/fastcgi.te
@@ -0,0 +1,71 @@
+# This policy module provides support for mod_fcgid using the httpd system script domain.
+# It provides "allow" rules that will overlap to varying degrees with selinux-policy
+# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included
+# as updates for selinux-policy in Fedora 8, 9, and 10.
+#
+# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy
+#
+# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t,
+# which is now an alias for httpd_sys_script_t.
+
+policy_module(fastcgi, 0.1.11)
+
+require {
+ type devpts_t;
+ type httpd_t;
+ type httpd_log_t;
+ type httpd_sys_content_t;
+ type httpd_sys_script_exec_t;
+ type httpd_sys_script_ra_t;
+ type httpd_sys_script_ro_t;
+ type httpd_sys_script_rw_t;
+ type httpd_sys_script_t;
+ type httpd_tmp_t;
+ type httpd_var_run_t;
+};
+
+# Type aliases for contexts used with older policy modules
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
+# ==========================================================
+# Re-use httpd_sys_script_t for mod_fcgid apps
+# ==========================================================
+
+# Allow web applications to call getpw* functions
+auth_use_nsswitch(httpd_sys_script_t)
+
+# Allow httpd to create and use files and sockets for communicating with mod_fcgid
+# Rules to do this are already in selinux-policy apart from dir setattr
+allow httpd_t httpd_var_run_t:dir setattr;
+
+# Allow FastCGI applications to listen for FastCGI requests on their
+# sockets and respond to them
+allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
+
+# These are probably leaked file descriptors
+dontaudit httpd_t devpts_t:chr_file ioctl;
+dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
+
+# Search automount filesystem to use automatically mounted filesystems
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
+# PHP uploads a file to /tmp and then execs programs to action them
+allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms;
+allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
+
+# Support network home directories
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
+')
diff --git a/fcgid.conf b/fcgid.conf
new file mode 100644
index 0000000..90f208e
--- /dev/null
+++ b/fcgid.conf
@@ -0,0 +1,14 @@
+# This is the Apache server configuration file for providing FastCGI support
+# through mod_fcgid
+#
+# Documentation is available at
+# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
+
+LoadModule fcgid_module modules/mod_fcgid.so
+
+# Use FastCGI to process .fcg .fcgi & .fpl scripts
+AddHandler fcgid-script fcg fcgi fpl
+
+# Sane place to put sockets and shared memory file
+FcgidIPCDir /var/run/mod_fcgid
+FcgidProcessTableFile /var/run/mod_fcgid/fcgid_shm
diff --git a/fcgid24.conf b/fcgid24.conf
new file mode 100644
index 0000000..2e7d486
--- /dev/null
+++ b/fcgid24.conf
@@ -0,0 +1,12 @@
+# This is the Apache server configuration file for providing FastCGI support
+# through mod_fcgid
+#
+# Documentation is available at
+# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
+
+# Use FastCGI to process .fcg .fcgi & .fpl scripts
+AddHandler fcgid-script fcg fcgi fpl
+
+# Sane place to put sockets and shared memory file
+FcgidIPCDir /run/mod_fcgid
+FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
diff --git a/mod_fcgid-2.1-README.RPM b/mod_fcgid-2.1-README.RPM
new file mode 100644
index 0000000..89165c5
--- /dev/null
+++ b/mod_fcgid-2.1-README.RPM
@@ -0,0 +1,75 @@
+Using the mod_fcgid RPM Package
+===============================
+
+This mod_fcgid package includes a configuration file
+/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
+added as the handler for .fcg, .fcgi, and .fpl applications.
+
+Example: setting up moin with mod_fcgid
+=======================================
+
+Setting up moin with mod_fcgid is very similar to setting it up as a regular
+CGI application.
+
+ * Create a directory for your wiki instance:
+
+ DESTDIR=/var/www/mywiki
+ mkdir -p $DESTDIR/cgi-bin
+
+ * Copy in the wiki template data and the application itself:
+
+ cp -a /usr/share/moin/{data,underlay} $DESTDIR
+ cp -a /usr/share/moin/server/moin.fcg $DESTDIR/cgi-bin
+ cp -a /usr/share/moin/config/wikiconfig.py $DESTDIR/cgi-bin
+
+ * Fix the directory ownership
+
+ chown -R apache:apache $DESTDIR/{data,underlay}
+
+ * Edit $DESTDIR/cgi-bin/wikiconfig.py to suit your needs
+
+ * Create a httpd configuration file for the wiki, e.g.
+ /etc/httpd/conf.d/mywiki.conf
+
+ # Wiki application data common to all wiki instances
+ Alias /moin_static185 "/usr/share/moin/htdocs/"
+ <Directory "/usr/share/moin/htdocs/">
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ <IfModule mod_expires.c>
+ ExpiresActive On
+ ExpiresDefault "access plus 1 year"
+ </IfModule>
+ </Directory>
+
+ # Wiki instance with mod_fcgid
+ <IfModule mod_fcgid.c>
+ ScriptAlias /mywiki "/var/www/mywiki/cgi-bin/moin.fcg"
+ <Directory "/var/www/mywiki/cgi-bin/">
+ Options Indexes FollowSymLinks ExecCGI
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ </Directory>
+ </IfModule>
+
+ * Restart the web server to load the new configuration:
+
+ service httpd restart
+
+That should do it!
+
+Ruby on Rails with mod_fcgid
+============================
+
+One of the differences between mod_fastcgi and mod_fcgid is that the former
+sets the SCRIPT_NAME environment variable whilst the latter does not, and it's
+reported (http://bugzilla.redhat.com/476658) that Ruby on Rails expects this
+environment variable to be present. A workaround for this is to add:
+
+ActionController::AbstractRequest.relative_url_root = ""
+
+to the Rails::Initializer.run segment of config/environment.rb
+
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
new file mode 100644
index 0000000..981cf59
--- /dev/null
+++ b/mod_fcgid-2.1-README.SELinux
@@ -0,0 +1,63 @@
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+==============================================================
+
+Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
+policy module to support FastCGI applications. Later Fedora releases and Red
+Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
+package and do not require the separate module.
+
+The module source (fastcgi.{fc,te}) is included for reference as documentation
+in the package.
+
+The module uses the same set of SELinux types for FastCGI applications as for
+regular CGI scripts (or "system scripts" as they are known in SELinux), as
+described in "man httpd_selinux".
+
+ * httpd_sys_content_t
+ - Set files with httpd_sys_content_t for content that is available
+ from all FastCGI scripts and the daemon.
+
+ * httpd_sys_script_exec_t
+ - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
+ with access to all system script types.
+
+ * httpd_sys_script_ro_t
+ - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
+ scripts to read but not write the data, and disallow other processes from
+ access.
+
+ * httpd_sys_script_rw_t
+ - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
+ scripts to read/write the data, and disallow other processes from access.
+
+ * httpd_sys_script_ra_t
+ - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
+ scripts to read/append to the file, and disallow other processes from
+ access.
+
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
+package, the contexts would be set as follows:
+
+ cd /var/www/mywiki
+ chcon -t httpd_sys_content_t .
+ chcon -R -t httpd_sys_script_exec_t cgi-bin
+ chcon -R -t httpd_sys_script_rw_t data underlay
+
+It is necessary to turn on the httpd_enable_cgi boolean to run either regular
+or FastCGI scripts:
+
+ setsebool -P httpd_enable_cgi 1
+
+The httpd_can_sendmail boolean is used to specify whether any of your
+web applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+
+ setsebool -P httpd_can_sendmail 1
+
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your web applications could be
+exploited by a spammer.
+
+If you have any questions or issues regarding FastCGI and SELinux, please don't
+hesitate to bring them up on fedora-selinux-list.
+
diff --git a/mod_fcgid-2.3.4-fixconf-shellbang.patch b/mod_fcgid-2.3.4-fixconf-shellbang.patch
new file mode 100644
index 0000000..ea5fb50
--- /dev/null
+++ b/mod_fcgid-2.3.4-fixconf-shellbang.patch
@@ -0,0 +1,8 @@
+--- mod_fcgid-2.3.4/build/fixconf.sed 2009-10-07 04:16:08.000000000 +0100
++++ mod_fcgid-2.3.4/build/fixconf.sed 2009-10-12 09:50:14.570448865 +0100
+@@ -1,4 +1,4 @@
+-#!/usr/bin/sed -f
++#!/bin/sed -f
+ #
+ # Licensed to the Apache Software Foundation (ASF) under one or more
+ # contributor license agreements. See the NOTICE file distributed with
diff --git a/mod_fcgid-tmpfs.conf b/mod_fcgid-tmpfs.conf
new file mode 100644
index 0000000..02e7d08
--- /dev/null
+++ b/mod_fcgid-tmpfs.conf
@@ -0,0 +1 @@
+d /run/mod_fcgid - apache apache
diff --git a/mod_fcgid.spec b/mod_fcgid.spec
new file mode 100644
index 0000000..e648bac
--- /dev/null
+++ b/mod_fcgid.spec
@@ -0,0 +1,472 @@
+# Fedora 5, 6, and 7 versions includes SELinux policy module package
+# Fedora 8 and 9 versions include policy in errata selinux-policy releases
+# Fedora 10 onwards include policy in standard selinux-policy releases
+# RHEL 5.5 onwards include policy in standard selinux-policy releases
+%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel}
+%global selinux_module 0
+%global selinux_types %{nil}
+%global selinux_variants %{nil}
+%global selinux_buildreqs %{nil}
+%else
+%global selinux_module 1
+%global selinux_types %(awk '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
+%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
+%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
+%endif
+
+# apxs script location
+%{!?_httpd_apxs: %global _httpd_apxs %{_sbindir}/apxs}
+
+# Module Magic Number
+%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}
+
+# Configuration directory
+%{!?_httpd_confdir: %global _httpd_confdir %{_sysconfdir}/httpd/conf.d}
+
+# For httpd ≥ 2.4 we have a different filesystem layout
+%if 0%{?fedora} > 17 || 0%{?rhel} > 6
+%global httpd24 1
+%global rundir /run
+%else
+%global httpd24 1
+%global rundir %{_localstatedir}/run
+%endif
+
+Name: mod_fcgid
+Version: 2.3.7
+Release: 3%{?dist}
+Summary: FastCGI interface module for Apache 2
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://httpd.apache.org/mod_fcgid/
+Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
+Source1: fcgid.conf
+Source2: mod_fcgid-2.1-README.RPM
+Source3: mod_fcgid-2.1-README.SELinux
+Source4: mod_fcgid-tmpfs.conf
+Source5: fcgid24.conf
+Source10: fastcgi.te
+Source11: fastcgi-2.5.te
+Source12: fastcgi.fc
+Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+BuildRequires: httpd-devel >= 2.0, pkgconfig
+Requires: httpd-mmn = %{_httpd_mmn}
+# sed required for fixconf script
+Requires: /bin/sed
+# systemd-units needed for ownership of /etc/tmpfiles.d directory
+%if 0%{?fedora} > 14 || 0%{?rhel} > 6
+Requires: systemd-units
+%endif
+# Make sure that selinux-policy is sufficiently up-to-date if it's installed
+# FastCGI policy properly incorporated into EL 5.5
+%if "%{?rhel}" == "5"
+Conflicts: selinux-policy < 2.4.6-279.el5
+# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing
+Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
+%endif
+%if "%{?fedora}" == "8"
+Conflicts: selinux-policy < 3.0.8-123.fc8
+%endif
+%if "%{?fedora}" == "9"
+Conflicts: selinux-policy < 3.3.1-107.fc9
+%endif
+%if "%{?fedora}" == "10"
+Conflicts: selinux-policy < 3.5.13-8.fc10
+%endif
+
+%description
+mod_fcgid is a binary-compatible alternative to the Apache module mod_fastcgi.
+mod_fcgid has a new process management strategy, which concentrates on reducing
+the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
+as possible.
+
+%if %{selinux_module}
+%global selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0)
+%global selinux_policynum %(echo %{selinux_policyver} | awk -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
+%package selinux
+Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
+Group: System Environment/Base
+BuildRequires: %{selinux_buildreqs}
+# selinux-policy is required for directory ownership of %%{_datadir}/selinux/*
+# Modules built against one version of a policy may not work with older policy
+# versions, as noted on fedora-selinux-list:
+# http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
+# Hence the versioned dependency. The versioning will hopefully be replaced by
+# an ABI version requirement or something similar in the future
+Requires: selinux-policy >= %{selinux_policyver}
+Requires: %{name} = %{version}-%{release}
+Requires(post): /usr/sbin/semodule, /sbin/restorecon
+Requires(postun): /usr/sbin/semodule, /sbin/restorecon
+
+%description selinux
+SELinux policy module supporting FastCGI applications with mod_fcgid.
+%endif
+
+%prep
+%setup -q
+cp -p %{SOURCE1} fcgid.conf
+cp -p %{SOURCE2} README.RPM
+cp -p %{SOURCE3} README.SELinux
+cp -p %{SOURCE5} fcgid24.conf
+%if 0%{?selinux_policynum} < 20501
+cp -p %{SOURCE10} fastcgi.te
+%else
+cp -p %{SOURCE11} fastcgi.te
+%endif
+cp -p %{SOURCE12} fastcgi.fc
+
+# Fix shellbang in fixconf script for our location of sed
+%patch0 -p1
+
+%build
+APXS=%{_httpd_apxs} ./configure.apxs
+make
+%if %{selinux_module}
+for selinuxvariant in %{selinux_variants}
+do
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ mv fastcgi.pp fastcgi.pp.${selinuxvariant}
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+%endif
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install
+%if %{httpd24}
+mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}}
+echo "LoadModule fcgid_module modules/mod_fcgid.so" > %{buildroot}%{_httpd_modconfdir}/10-fcgid.conf
+install -D -m 644 fcgid24.conf %{buildroot}%{_httpd_confdir}/fcgid.conf
+%else
+install -D -m 644 fcgid.conf %{buildroot}%{_httpd_confdir}/fcgid.conf
+%endif
+install -d -m 755 %{buildroot}%{rundir}/mod_fcgid
+
+# Include the manual as %%doc, don't need it elsewhere
+%if %{httpd24}
+rm -rf %{buildroot}%{_httpd_contentdir}/manual
+%else
+rm -rf %{buildroot}%{_var}/www/manual
+%endif
+
+# Make sure %%{rundir}/mod_fcgid exists at boot time for systems
+# with %%{rundir} on tmpfs (#656625)
+%if 0%{?fedora} > 14 || 0%{?rhel} > 6
+install -d -m 755 %{buildroot}%{_sysconfdir}/tmpfiles.d
+install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/tmpfiles.d/mod_fcgid.conf
+%endif
+
+# Install SELinux policy modules
+%if %{selinux_module}
+for selinuxvariant in %{selinux_variants}
+do
+ install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+ install -p -m 644 fastcgi.pp.${selinuxvariant} \
+ %{buildroot}%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp
+done
+# Hardlink identical policy module packages together
+hardlink -cv %{buildroot}%{_datadir}/selinux
+%endif
+
+%clean
+rm -rf %{buildroot}
+
+%if %{selinux_module}
+%post selinux
+# Install SELinux policy modules
+for selinuxvariant in %{selinux_variants}
+do
+ /usr/sbin/semodule -s ${selinuxvariant} -i \
+ %{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
+done
+# Fix up non-standard directory context from earlier packages
+/sbin/restorecon -R %{rundir}/mod_fcgid || :
+
+%postun selinux
+# Clean up after package removal
+if [ $1 -eq 0 ]; then
+ # Remove SELinux policy modules
+ for selinuxvariant in %{selinux_variants}; do
+ /usr/sbin/semodule -s ${selinuxvariant} -r fastcgi &> /dev/null || :
+ done
+ # Clean up any remaining file contexts (shouldn't be any really)
+ [ -d %{rundir}/mod_fcgid ] && \
+ /sbin/restorecon -R %{rundir}/mod_fcgid &> /dev/null || :
+fi
+exit 0
+%endif
+
+%files
+%defattr(-,root,root,-)
+# mod_fcgid.html.en is explicitly encoded as ISO-8859-1
+%doc CHANGES-FCGID LICENSE-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID
+%doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog
+%doc build/fixconf.sed
+%{_libdir}/httpd/modules/mod_fcgid.so
+%if %{httpd24}
+%config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf
+%endif
+%config(noreplace) %{_httpd_confdir}/fcgid.conf
+%if 0%{?fedora} > 14 || 0%{?rhel} > 6
+%{_sysconfdir}/tmpfiles.d/mod_fcgid.conf
+%endif
+%dir %attr(0755,apache,apache) %{rundir}/mod_fcgid/
+
+%if %{selinux_module}
+%files selinux
+%defattr(-,root,root,-)
+%doc fastcgi.fc fastcgi.te README.SELinux
+%{_datadir}/selinux/*/fastcgi.pp
+%endif
+
+%changelog
+* Wed May 2 2012 Remi Collet <RPMS@FamilleCollet.com> 2.3.7-3
+- sync with rawhide, rebuild for remi repo
+
+* Wed May 2 2012 Paul Howarth <paul@city-fan.org> 2.3.7-3
+- Make %%files list more explicit
+
+* Wed May 2 2012 Joe Orton <jorton@redhat.com> 2.3.7-2
+- Use 10- prefix for conf file in conf.modules.d with httpd ≥ 2.4
+- Use _httpd_confdir throughout
+
+* Tue Apr 24 2012 Remi Collet <RPMS@FamilleCollet.com> 2.3.7-1
+- update to 2.3.7, rebuild for remi repo
+
+* Mon Apr 23 2012 Paul Howarth <paul@city-fan.org> 2.3.7-1
+- Update to 2.3.7
+ - Introduce FcgidWin32PreventOrphans directive on Windows to use OS Job
+ Control Objects to terminate all running fcgi's when the worker process
+ has been abruptly terminated (PR: 51078)
+ - Periodically clean out the brigades that are pulling in the request body
+ for handoff to the fcgid child (PR: 51749)
+ - Resolve crash during graceful restarts (PR: 50309)
+ - Solve latency/congestion of resolving effective user file access rights
+ when no such info is desired, for config-related filename stats (PR: 51020)
+ - Fix regression in 2.3.6 that broke process controls when using
+ vhost-specific configuration
+ - Account for first process in class in the spawn score
+- Drop patch for CVE-2012-1181, now included in upstream release
+
+* Sat Mar 31 2012 Remi Collet <RPMS@FamilleCollet.com> 2.3.6-6
+- rebuild httpd 2.4
+
+* Tue Mar 27 2012 Paul Howarth <paul@city-fan.org> 2.3.6-6
+- Fix compatibility with httpd 2.4 in F-18/RHEL-7 onwards
+- Use /run rather than /var/run from F-15/RHEL-7 onwards
+
+* Sun Jan 22 2012 Paul Howarth <paul@city-fan.org> 2.3.6-5
+- Fix regression in 2.3.6 that broke process controls when using vhost-specific
+ configuration (upstream issue 49902, #783742, CVE-2012-1181)
+
+* Fri Jan 6 2012 Paul Howarth <paul@city-fan.org> 2.3.6-4
+- Nobody else likes macros for commands
+
+* Tue Feb 8 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 2.3.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec 1 2010 Paul Howarth <paul@city-fan.org> 2.3.6-2
+- Add /etc/tmpfiles.d/mod_fcgid.conf for builds on Fedora 15 onwards to
+ support running with /var/run on tmpfs (#656625)
+
+* Thu Nov 4 2010 Paul Howarth <paul@city-fan.org> 2.3.6-1
+- Update to 2.3.6 (see CHANGES-FCGID for full details)
+ - Fix possible stack buffer overwrite (CVE-2010-3872)
+ - Change the default for FcgidMaxRequestLen from 1GB to 128K; administrators
+ should change this to an appropriate value based on site requirements
+ - Correct a problem that resulted in FcgidMaxProcesses being ignored in some
+ situations
+ - Return 500 instead of segfaulting when the application returns no output
+- Don't include SELinux policy for RHEL-5 builds since RHEL >= 5.5 includes it
+- Explicitly require /bin/sed for fixconf script
+
+* Tue Jun 8 2010 Paul Howarth <paul@city-fan.org> 2.3.5-2
+- SELinux policy module not needed for RHEL-6 onwards
+
+* Wed Jan 27 2010 Paul Howarth <paul@city-fan.org> 2.3.5-1
+- Update to 2.3.5 (see CHANGES-FCGID for details)
+- Drop upstream svn patch
+
+* Wed Oct 21 2009 Paul Howarth <paul@city-fan.org> 2.3.4-2
+- Add fixes from upstream svn for a number of issues, most notably that the
+ fixconf script had an error in the regexp, which resulted in a prefix of
+ "FcgidFcgid" on the updated directives
+
+* Mon Oct 12 2009 Paul Howarth <paul@city-fan.org> 2.3.4-1
+- Update to 2.3.4 (configuration directives changed again)
+- Add fixconf.sed script for config file directives update
+
+* Fri Sep 25 2009 Paul Howarth <paul@city-fan.org> 2.3.1-2.20090925svn818270
+- Update to svn revision 818270
+- DESTDIR and header detection patches upstreamed
+- Build SELinux policy module for EL-5; support in EL-5.3 is incomplete and
+ will be fixed in EL-5.5 (#519369)
+- Drop aliases httpd_sys_content_r{a,o,w}_t -> httpd_fastcgi_content_r{a,o,w}_t
+ from pre-2.5 SElinux policy module as these types aren't defined there
+
+* Wed Sep 23 2009 Paul Howarth <paul@city-fan.org> 2.3.1-1.20090923svn817978
+- Update to post-2.3.1 svn snapshot
+- Upstream moved to apache.org
+- License changed to ASL 2.0
+- Use FCGID-prefixed config file options (old ones deprecated)
+- Lots of documentation changes
+- Renumber sources
+- Don't defer to mod_fastcgi if both are present
+- Drop gawk buildreq
+- Add patches fixing RPM build issues (DESTDIR support, header detection)
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue May 26 2009 Paul Howarth <paul@city-fan.org> 2.2-12
+- Don't use /etc/httpd/run as basis of "run" directory as its DAC permissions
+ are not permissive enough in F-11 onwards; instead, revert to
+ /var/run/mod_fcgid and tweak default config accordingly (#502273)
+
+* Sun May 17 2009 Paul Howarth <paul@city-fan.org> 2.2-11
+- Follow link /etc/httpd/run and make our "run" directory a subdir of wherever
+ that leads (#501123)
+
+* Mon Apr 6 2009 Paul Howarth <paul@city-fan.org> 2.2-10
+- EL 5.3 now has SELinux support in the main selinux-policy package so handle
+ that release as per Fedora >= 8, except that the RHEL selinux-policy package
+ doesn't Obsolete/Provide mod_fcgid-selinux like the Fedora version, so do
+ the obsoletion here instead
+
+* Thu Feb 26 2009 Paul Howarth <paul@city-fan.org> 2.2-9
+- Update documentation for MoinMoin, Rails (#476658), and SELinux
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Nov 12 2008 Paul Howarth <paul@city-fan.org> 2.2-7
+- SELinux policy module no longer built for Fedora 8 onwards as it is
+ obsoleted by the main selinux-policy package
+- Conflicts for selinux-policy packages older than the releases where mod_fcgid
+ policy was incorporated have been added for Fedora 8, 9, and 10 versions, to
+ ensure that SELinux support will work if installed
+
+* Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6
+- SELinux policy module rewritten to merge fastcgi and system script domains
+ in preparation for merge into main selinux-policy package (#462318)
+- Try to determine supported SELinux policy types by reading /etc/selinux/config
+
+* Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5
+- Tweak selinux-policy version detection macro to work with current Rawhide
+
+* Thu Feb 14 2008 Paul Howarth <paul@city-fan.org> 2.2-4
+- Rebuild with gcc 4.3.0 for Fedora 9
+
+* Mon Jan 14 2008 Paul Howarth <paul@city-fan.org> 2.2-3
+- Update SELinux policy to fix occasional failures on restarts
+ (move shared memory file into /var/run/mod_fcgid directory)
+
+* Thu Jan 3 2008 Paul Howarth <paul@city-fan.org> 2.2-2
+- Update SELinux policy to support file transition to httpd_tmp_t for
+ temporary files
+
+* Fri Sep 14 2007 Paul Howarth <paul@city-fan.org> 2.2-1
+- Update to version 2.2
+- Make sure docs are encoded as UTF-8
+
+* Mon Sep 3 2007 Joe Orton <jorton@redhat.com> 2.1-6
+- rebuild for fixed 32-bit APR (#254241)
+
+* Thu Aug 23 2007 Paul Howarth <paul@city-fan.org> 2.1-5
+- Update source URL to point to downloads.sf.net rather than dl.sf.net
+- Upstream released new tarball without changing version number, though the
+ only change was in arch/win32/fcgid_pm_win.c, which is not used to build the
+ RPM package
+- Clarify license as GPL (unspecified/any version)
+- Unexpand tabs in spec
+- Add buildreq of gawk
+
+* Fri Aug 3 2007 Paul Howarth <paul@city-fan.org> 2.1-4
+- Add buildreq of pkgconfig, a missing dependency of both apr-devel and
+ apr-util-devel on FC5
+
+* Fri Jun 15 2007 Paul Howarth <paul@city-fan.org> 2.1-3
+- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
+ and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
+ servers
+- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
+ permissions macros in the underlying selinux-policy package
+
+* Wed Mar 21 2007 Paul Howarth <paul@city-fan.org> 2.1-2
+- Add RHEL5 with SELinux support
+- Rename README.Fedora to README.RPM
+
+* Fri Feb 16 2007 Paul Howarth <paul@city-fan.org> 2.1-1
+- Update to 2.1
+- Update documentation and patches
+- Rename some source files to reduce chances of conflicting names
+- Include SharememPath directive in conf file to avoid unfortunate upstream
+ default location
+
+* Mon Oct 30 2006 Paul Howarth <paul@city-fan.org> 2.0-1
+- Update to 2.0
+- Source is now hosted at sourceforge.net
+- Update docs
+
+* Wed Sep 6 2006 Paul Howarth <paul@city-fan.org> 1.10-7
+- Include the right README* files
+
+* Tue Aug 29 2006 Paul Howarth <paul@city-fan.org> 1.10-6
+- Buildreqs for FC5 now identical to buildreqs for FC6 onwards
+
+* Fri Jul 28 2006 Paul Howarth <paul@city-fan.org> 1.10-5
+- Split off SELinux module into separate subpackage to avoid dependency on
+ the selinux-policy package for the main package
+
+* Fri Jul 28 2006 Paul Howarth <paul@city-fan.org> 1.10-4
+- SELinux policy packages moved from %%{_datadir}/selinux/packages/POLICYNAME
+ to %%{_datadir}/selinux/POLICYNAME
+- hardlink identical policy module packages together to avoid duplicate files
+
+* Thu Jul 20 2006 Paul Howarth <paul@city-fan.org> 1.10-3
+- Adjust buildreqs for FC6 onwards
+- Figure out where top_dir is dynamically since the /etc/httpd/build
+ symlink is gone in FC6
+
+* Wed Jul 5 2006 Paul Howarth <paul@city-fan.org> 1.10-2
+- SELinux policy update: allow FastCGI apps to do DNS lookups
+
+* Tue Jul 4 2006 Paul Howarth <paul@city-fan.org> 1.10-1
+- Update to 1.10
+- Expand tabs to shut rpmlint up
+
+* Tue Jul 4 2006 Paul Howarth <paul@city-fan.org> 1.09-10
+- SELinux policy update:
+ * allow httpd to read httpd_fastcgi_content_t without having the
+ | httpd_builtin_scripting boolean set
+ * allow httpd_fastcgi_script_t to read /etc/resolv.conf without
+ | having the httpd_can_network_connect boolean set
+
+* Sun Jun 18 2006 Paul Howarth <paul@city-fan.org> 1.09-9
+- Discard output of semodule in %%postun
+- Include some documentation from upstream
+
+* Fri Jun 9 2006 Paul Howarth <paul@city-fan.org> 1.09-8
+- Change default context type for socket directory from var_run_t to
+ httpd_fastcgi_sock_t for better separation
+
+* Thu Jun 8 2006 Paul Howarth <paul@city-fan.org> 1.09-7
+- Add SELinux policy module and README.Fedora
+- Conflict with selinux-policy versions older than what we're built on
+
+* Mon May 15 2006 Paul Howarth <paul@city-fan.org> 1.09-6
+- Instead of conflicting with mod_fastcgi, don't add the handler for .fcg etc.
+ if mod_fastcgi is present
+
+* Fri May 12 2006 Paul Howarth <paul@city-fan.org> 1.09-5
+- Use correct handler name in fcgid.conf
+- Conflict with mod_fastcgi
+- Create directory %%{_localstatedir}/run/mod_fcgid for sockets
+
+* Thu May 11 2006 Paul Howarth <paul@city-fan.org> 1.09-4
+- Cosmetic tweaks (personal preferences)
+- Don't include INSTALL.TXT, nothing of use to end users
+
+* Wed May 10 2006 Thomas Antony <thomas@antony.eu> 1.09-3
+- Initial release