Diffstat (limited to 'mod_fcgid-2.1-README.SELinux')
-rw-r--r-- | mod_fcgid-2.1-README.SELinux | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux new file mode 100644 index 0000000..981cf59 --- /dev/null +++ b/mod_fcgid-2.1-README.SELinux 
@@ -0,0 +1,63 @@ +Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards +============================================================== + +Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux +policy module to support FastCGI applications. Later Fedora releases and Red +Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy +package and do not require the separate module. + +The module source (fastcgi.{fc,te}) is included for reference as documentation +in the package. + +The module uses the same set of SELinux types for FastCGI applications as for +regular CGI scripts (or "system scripts" as they are known in SELinux), as +described in "man httpd_selinux". + + * httpd_sys_content_t + - Set files with httpd_sys_content_t for content that is available + from all FastCGI scripts and the daemon. + + * httpd_sys_script_exec_t + - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run + with access to all system script types. + + * httpd_sys_script_ro_t + - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t + scripts to read but not write the data, and disallow other processes from + access. + + * httpd_sys_script_rw_t + - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t + scripts to read/write the data, and disallow other processes from access. + + * httpd_sys_script_ra_t + - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t + scripts to read/append to the file, and disallow other processes from + access. + +So for the moin wiki layout described in README.RPM of the main mod_fcgid +package, the contexts would be set as follows: + + cd /var/www/mywiki + chcon -t httpd_sys_content_t . 
+ chcon -R -t httpd_sys_script_exec_t cgi-bin + chcon -R -t httpd_sys_script_rw_t data underlay + +It is necessary to turn on the httpd_enable_cgi boolean to run either regular +or FastCGI scripts: + + setsebool -P httpd_enable_cgi 1 + +The httpd_can_sendmail boolean is used to specify whether any of your +web applications can make outbound SMTP connections (e.g. moin sending +notifications). By default it is off, but can be enabled as follows: + + setsebool -P httpd_can_sendmail 1 + +Only enable this functionality if you actually need it, since it increases the +chances that any vulnerability in any of your web applications could be +exploited by a spammer. + +If you have any questions or issues regarding FastCGI and SELinux, please don't +hesitate to bring them up on fedora-selinux-list. + |
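Review bot: The moin wiki example sets the contexts on /var/www/mywiki with chcon only, and the README does not say that labels applied this way are not recorded in the file-context configuration, so a restorecon run or a full filesystem relabel will reset cgi-bin, data and underlay to the policy defaults. Add a sentence after the three chcon lines saying so, and where semanage is available suggest recording the same types with semanage fcontext and then applying them with restorecon. It is also worth stating that "chcon -t httpd_sys_content_t ." is deliberately non-recursive, because as written a reader cannot tell whether files outside cgi-bin, data and underlay are meant to keep their existing labels. Separately, the title says "RHEL 5 onwards" while the first paragraph only covers packages built for Fedora Core 5, 6, or 7 and the main selinux-policy package from Red Hat Enterprise Linux 5.3 onwards; please say what applies to RHEL 5 releases before 5.3.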