-rw-r--r--Makefile4
-rw-r--r--mod_selinux.conf92
-rw-r--r--mod_selinux.spec170
3 files changed, 266 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
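Review bot: Both assignments at the top of the new Makefile shell out for values make already provides, and `basename $(SRCDIR)` is passed unquoted so a source directory containing whitespace would yield a wrong NAME. The pure-make form `SRCDIR := $(CURDIR)` and `NAME := $(notdir $(SRCDIR))` gives the same result without a fork and without the quoting hazard. I cannot see ../common/Makefile from here, so if it reads SRCDIR or NAME in a way that depends on the shell expansion, keep the current form.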
diff --git a/mod_selinux.conf b/mod_selinux.conf
new file mode 100644
index 0000000..a1402a5
--- /dev/null
+++ b/mod_selinux.conf
@@ -0,0 +1,92 @@
+#
+# mod_selinux.conf
+# ----------------
+# Apache/SELinux plus configuration
+
+LoadModule selinux_module modules/mod_selinux.so
+
+selinuxServerDomain *:s0
+
+#
+# Example for the mapfile based configuration
+# -------------------------------------------
+#
+# <Directory "/var/www/html">
+# #
+# # HTTP Basic Authentication
+# #
+# AuthType Basic
+# AuthName "Secret Zone"
+# AuthUserFile /var/www/htpasswd
+# Require valid-user
+#
+# #
+# # SELinux domain/range mapping
+# #
+# SetEnvIf Remote_Addr "192.168.1.[0-9]+$" SELINUX_DOMAIN=*:s0:c1
+# SetEnvIf Remote_Addr "192.168.2.[0-9]+$" SELINUX_DOMAIN=*:s0:c2
+# selinuxDomainMap /var/www/mod_selinux.map
+# selinuxDomainEnv SELINUX_DOMAIN
+# selinuxDomainVal anon_webapp_t:SystemLow
+#
+# </Directory>
+
+#
+# Use Case: Virtual Host based separation
+# ---------------------------------------
+#
+# NameVirtualHost *:80
+#
+# <VirtualHost *:80>
+# DocumentRoot /var/www/html
+# ServerName dog.example.com
+# selinuxDomainVal *:s0:c1
+# </VirtualHost>
+#
+# <VirtualHost *:80>
+# DocumentRoot /var/www/html
+# ServerName cat.example.com
+# selinuxDomainVal *:s0:c2
+# </VirtualHost>
+
+#
+# Use Case: Authentication integration with RDBMS
+# -----------------------------------------------
+#
+# LoadModule dbd_module modules/mod_dbd.so
+# LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#
+# DBDriver pgsql
+# DBDParams "dbname=web user=apache"
+# # NOTE: Don't forget to install apr-util-pgsql package
+# # to connect PostgreSQL via mod_dbd.
+#
+# <Directory "/var/www/html">
+# # Digest authentication
+# # ---------------------
+# # AuthType Digest
+# # AuthName "Secret Zone"
+# # AuthDigestProvider dbd ... (4)
+# # AuthDBDUserRealmQuery \ ... (5)
+# # "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, \
+# # %s=%s as dummy FROM uaccount WHERE uname = $1"
+#
+# # SELinux context mapping
+# # -----------------------
+# selinuxDomainEnv AUTHENTICATE_UDOMAIN ... (6)
+# selinuxDomainVal anon_webapp_t:SystemLow
+# </Directory>
+#
+# We assume the PostgreSQL works on local machine, and it allows
+# the apache user to connect the web database without passwords.
+# In addition, uaccount table should be defined as follows:
+#
+# CREATE TABLE uaccount (
+# uname TEXT PRIMARY KEY,
+# upass TEXT NOT NULL,
+# udomain TEXT
+# );
+# INSERT INTO uaccount VALUES ('foo', 'xxx', 'user_webapp_t:s0:c0');
+# INSERT INTO uaccount VALUES ('var', 'yyy', 'staff_webapp_t:s0:c1');
+# INSERT INTO uaccount VALUES ('baz', 'zzz', 'anon_webapp_t:s0:c2');
+#
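Review bot: The `SetEnvIf Remote_Addr` patterns in the mapfile example are anchored only at the end and use unescaped dots, so they are looser than the comment implies; since the matched value selects the SELinux domain a request runs under, the example should be exact: `SetEnvIf Remote_Addr "^192\.168\.1\.[0-9]+$" SELINUX_DOMAIN=*:s0:c1` (and likewise for the `c2` line). The Digest-authentication example also carries dangling `... (4)`, `... (5)`, `... (6)` markers that refer to nothing in this file, presumably step numbers from the upstream README; either drop them or replace them with a one-line pointer such as `# see README, "Authentication integration with RDBMS"`. The RDBMS note further states that PostgreSQL is reached "without passwords"; it is worth spelling out in the comment that this relies on local trust authentication and that the `apache` role should be limited to SELECT on `uaccount`.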
diff --git a/mod_selinux.spec b/mod_selinux.spec
new file mode 100644
index 0000000..4505e37
--- /dev/null
+++ b/mod_selinux.spec
@@ -0,0 +1,170 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+
+%define selinux_policy_types targeted mls
+
+Name: mod_selinux
+Version: 2.2.2454
+Release: 5%{?dist}
+Summary: Apache/SELinux plus module
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://code.google.com/p/sepgsql/
+Source0: http://sepgsql.googlecode.com/files/%{name}-%{version}.tgz
+Source1: %{name}.conf
+BuildRequires: httpd-devel >= 2.2.0 libselinux-devel checkpolicy >= 2.0.19 policycoreutils selinux-policy-devel
+Requires: kernel >= 2.6.28 httpd >= 2.2.0 policycoreutils selinux-policy
+Requires: httpd-mmn = %{_httpd_mmn}
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+The Apache/SELinux plus is an extra module (mod_selinux.so) which enables
+to launch contents-handler (it means both of references to static contents
+and invocations of web applications) with individual and restrictive
+privileges set, based on http authentication.
+The mod_selinux.so generates a one-time worker thread for each request,
+and it assigns the worker restrictive domain based on the authentication
+prior to launching contents handlers.
+It means we can apply valid access controls on web-applications, and
+makes assurance operating system can prevent violated accesses, even if
+web application contains security bugs or vulnerabilities.
+
+%prep
+%setup -q
+
+%build
+# mod_selinux.so
+%{__make} %{?_smp_mflags} APXS=%{_httpd_apxs}
+
+# mod_selinux.pp
+for policy in %{selinux_policy_types}
+do
+ %{__make} NAME=${policy} -f %{?policy_devel_root}%{_datadir}/selinux/devel/Makefile
+ mv %{name}.pp %{name}.pp.${policy}
+done
+
+%install
+rm -rf %{buildroot}
+%{__install} -d %{buildroot}%{_libdir}/httpd/modules
+%{__install} -d %{buildroot}%{_datadir}/selinux
+
+%{__make} install DESTDIR=%{buildroot}
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd 2.4.x config
+sed -n /^LoadModule/p %{SOURCE1} > 10-mod_selinux.conf
+sed /^LoadModule/d %{SOURCE1} > mod_selinux.conf
+touch -r %{SOURCE1} *.conf
+install -Dp 10-mod_selinux.conf %{buildroot}%{_httpd_modconfdir}/10-mod_selinux.conf
+install -Dp mod_selinux.conf %{buildroot}%{_httpd_confdir}/mod_selinux.conf
+%else
+# httpd 2.2.x
+install -Dp -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_selinux.conf
+%endif
+
+for policy in %{selinux_policy_types}
+do
+ %{__install} -d %{buildroot}%{_datadir}/selinux/${policy}
+ %{__install} -p -m 644 %{name}.pp.${policy} \
+ %{buildroot}%{_datadir}/selinux/${policy}/%{name}.pp
+done
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/sbin/fixfiles -R %{name} restore || :
+
+for policy in %{selinux_policy_types}
+do
+ %{_sbindir}/semodule -s ${policy} \
+ -i %{_datadir}/selinux/${policy}/%{name}.pp 2>/dev/null || :
+done
+
+%postun
+# unload policy, if rpm -e
+if [ $1 -eq 0 ]; then
+ for policy in %{selinux_policy_types}
+ do
+ %{_sbindir}/semodule -s ${policy} -r %{name} 2>/dev/null || :
+ done
+fi
+
+%files
+%defattr(-,root,root,-)
+%doc LICENSE README
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/*.conf
+%endif
+%config(noreplace) %{_httpd_confdir}/*.conf
+%{_libdir}/httpd/modules/%{name}.so
+%{_datadir}/selinux/*/%{name}.pp
+
+%changelog
+* Tue May 1 2012 Joe Orton <jorton@redhat.com> - 2.2.2454-5
+- packaging fixes (#803075)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2454-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2454-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Dec 4 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.2454-2
+- rebuild for the base policy of F-13
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2015-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jun 11 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.2015-1
+- update: add support to use translated format in MLS-range
+
+* Wed May 27 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1938-1
+- bugfix: it may returns OK, instead of HTTP_INTERNAL_SERVER_ERROR,
+ when the contents handler crashed.
+
+* Fri May 22 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1930-1
+- rework: libselinux was dropped from explicit dependencies due to
+ http://fedoraproject.org/wiki/Packaging/Guidelines#Explicit_Requires
+
+* Tue May 19 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1904-1
+- bugfix: update Makefile to allow to build for 64bit architecture
+
+* Mon May 18 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1903-1
+- rework: add selinux_merge_conf()
+- rework: remove mod_authn_sepgsql, instead of documentation
+ to use mod_authn_dbd with pgsql driver.
+
+* Fri May 15 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1898-1
+- rework: mod_authn_sepgsql cleanups
+- update: README updates.
+
+* Wed May 13 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1884-1
+- rework: add mod_authn_sepgsql module
+- rework: directives were reorganized
+- rework: simultaneous usage with keep-alive
+
+* Fri Apr 17 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1817-1
+- bugfix: add kernel >= 2.6.28 because of typebounds feature
+
+* Thu Apr 16 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1803-1
+- rework: reverted to multi-threading design
+- bugfix: security policy didn't allow prosess:{setcurrent}
+
+* Wed Apr 15 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1800-1
+- rework: worker was redesigned to use a process, instead of thread,
+ on process_connection hook.
+- rework: "selinuxAllowCaches" and "selinuxAllowKeepAlive" were added.
+- rework: README was revised
+
+* Tue Apr 14 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1795-1
+- bugfix: install script didn't work correctly.
+- update: add some of inline source comments.
+- update: specfile improvement.
+
+* Sun Apr 12 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1792-1
+- Initial build
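Review bot: In `%post`, `/sbin/fixfiles -R %{name} restore` runs before the `semodule -i` loop installs the policy modules, so on a fresh install the relabel uses file contexts that do not yet include anything this module's policy defines; move `/sbin/fixfiles -R %{name} restore || :` below the `done` of the loop. The loop also discards semodule's stderr with `2>/dev/null`, which means a policy that fails to load leaves httpd running without the intended confinement and no trace in the install log; change the line to `-i %{_datadir}/selinux/${policy}/%{name}.pp || :` so the failure is at least visible while the `|| :` still keeps scriptlet failure from breaking the install. Separately, the httpd 2.4 branch of `%install` calls `install -Dp` without `-m 644` while the 2.2 branch passes it, so the installed mode depends on the source file's mode in the build tree; adding `-m 644` to both `install -Dp` lines makes the two branches consistent.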