path: root/mod_fcgid-2.1-README.SELinux
diff options
Diffstat (limited to 'mod_fcgid-2.1-README.SELinux')
1 files changed, 63 insertions, 0 deletions
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
new file mode 100644
index 0000000..981cf59
--- /dev/null
+++ b/mod_fcgid-2.1-README.SELinux
@@ -0,0 +1,63 @@
+Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
+Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
+policy module to support FastCGI applications. Later Fedora releases and Red
+Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
+package and do not require the separate module.
+The module source (fastcgi.{fc,te}) is included for reference as documentation
+in the package.
+The module uses the same set of SELinux types for FastCGI applications as for
+regular CGI scripts (or "system scripts" as they are known in SELinux), as
+described in "man httpd_selinux".
+ * httpd_sys_content_t
+ - Set files with httpd_sys_content_t for content that is available
+ from all FastCGI scripts and the daemon.
+ * httpd_sys_script_exec_t
+ - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
+ with access to all system script types.
+ * httpd_sys_script_ro_t
+ - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
+ scripts to read but not write the data, and disallow other processes from
+ access.
+ * httpd_sys_script_rw_t
+ - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
+ scripts to read/write the data, and disallow other processes from access.
+ * httpd_sys_script_ra_t
+ - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
+ scripts to read/append to the file, and disallow other processes from
+ access.
+So for the moin wiki layout described in README.RPM of the main mod_fcgid
+package, the contexts would be set as follows:
+ cd /var/www/mywiki
+ chcon -t httpd_sys_content_t .
+ chcon -R -t httpd_sys_script_exec_t cgi-bin
+ chcon -R -t httpd_sys_script_rw_t data underlay
+It is necessary to turn on the httpd_enable_cgi boolean to run either regular
+or FastCGI scripts:
+ setsebool -P httpd_enable_cgi 1
+The httpd_can_sendmail boolean is used to specify whether any of your
+web applications can make outbound SMTP connections (e.g. moin sending
+notifications). By default it is off, but can be enabled as follows:
+ setsebool -P httpd_can_sendmail 1
+Only enable this functionality if you actually need it, since it increases the
+chances that any vulnerability in any of your web applications could be
+exploited by a spammer.
+If you have any questions or issues regarding FastCGI and SELinux, please don't
+hesitate to bring them up on fedora-selinux-list.