diff --git a/fastcgi-2.5.te b/fastcgi-2.5.te
index 6ccd091..9778b8f 100644
--- a/fastcgi-2.5.te
+++ b/fastcgi-2.5.te
@@ -1,7 +1,7 @@
-policy_module(fastcgi, 0.2.1)
+policy_module(fastcgi, 0.2.2)
 
-type httpd_fastcgi_sock_t;
-files_type(httpd_fastcgi_sock_t)
+type httpd_fastcgi_var_run_t;
+files_type(httpd_fastcgi_var_run_t)
 
 require {
 type devpts_t;
@@ -53,9 +53,10 @@ allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
 # Allow FastCGI applications to read the routing table
 allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
 
-# Allow httpd to create and use sockets for communicating with mod_fcgid
-manage_sock_files_pattern(httpd_t,httpd_fastcgi_sock_t,httpd_fastcgi_sock_t)
-allow httpd_t httpd_fastcgi_sock_t:dir { setattr };
+# Allow httpd to create and use files and sockets for communicating with mod_fcgid
+manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
+manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
+setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
 
 # Allow httpd to read httpd_fastcgi_content_t
 allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
@@ -66,11 +67,9 @@ read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
 # sockets and respond to them
 allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
 
-# FastCGI application doing something to the httpd error log
-dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
-
-# Not sure what this is doing (happens when fastcgi scripts start)
+# These are probably leaked file descriptors
 dontaudit httpd_t devpts_t:chr_file ioctl;
+dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
 
 # ======================================================
 # Equivalent policy cribbed from httpd_sys_script_t
diff --git a/fastcgi.fc b/fastcgi.fc
index 66e0015..bb97dfb 100644
--- a/fastcgi.fc
+++ b/fastcgi.fc
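Review bot: `httpd_fastcgi_var_run_t` is declared with plain `files_type()` in the first hunk, yet every permission added in the -53,9 hunk is for a runtime directory under /var/run, where refpolicy's `files_pid_file(httpd_fastcgi_var_run_t)` is the conventional declaration (it implies files_type and lets the generic /var/run handling interfaces treat the type as a runtime/pid file type). The comment above the three pattern calls could also name what is actually stored there, since fcgid.conf in this same commit moves the shared memory file in beside the sockets: `# Allow httpd to manage the mod_fcgid runtime directory: the FastCGI unix sockets and the fcgid_shm shared memory file`. The corresponding -42,9 hunk of fastcgi.te on the next line has the same two points.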
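Review bot: `# These are probably leaked file descriptors` in the -66,11 hunk records a guess and drops the detail the two old comments carried (which log file, and that the devpts ioctl appears when FastCGI scripts start). A dontaudit only suppresses the AVC message, the access stays denied, so the comment should say what is being hidden so that a later audit2allow run is not misread as a new requirement, e.g. `# Suppress ioctl noise (likely isatty-style probes) on fds inherited across the httpd -> FastCGI spawn: the httpd error log, and a pty when httpd was started from a terminal; access is still denied` — the origin of the devpts fd is presumed here and should be confirmed from the actual AVC. The -56,11 hunk of fastcgi.te on the next line carries the same comment.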
@@ -1 +1 @@
-/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_sock_t,s0)
+/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_var_run_t,s0)
diff --git a/fastcgi.te b/fastcgi.te
index 21ec18b..9d5fb37 100644
--- a/fastcgi.te
+++ b/fastcgi.te
@@ -1,7 +1,7 @@
-policy_module(fastcgi, 0.1.8)
+policy_module(fastcgi, 0.1.9)
 
-type httpd_fastcgi_sock_t;
-files_type(httpd_fastcgi_sock_t)
+type httpd_fastcgi_var_run_t;
+files_type(httpd_fastcgi_var_run_t)
 
 require {
 type devpts_t;
@@ -42,9 +42,10 @@ allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };
 # Allow FastCGI applications to read the routing table
 allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };
 
-# Allow httpd to create and use sockets for communicating with mod_fcgid
-allow httpd_t httpd_fastcgi_sock_t:dir { rw_dir_perms setattr };
-allow httpd_t httpd_fastcgi_sock_t:sock_file { create_file_perms };
+# Allow httpd to create and use files and sockets for communicating with mod_fcgid
+allow httpd_t httpd_fastcgi_var_run_t:dir { rw_dir_perms setattr };
+allow httpd_t httpd_fastcgi_var_run_t:file { create_file_perms };
+allow httpd_t httpd_fastcgi_var_run_t:sock_file { create_file_perms };
 
 # Allow httpd to read httpd_fastcgi_content_t
 # (shouldn't this be in the content template?)
@@ -56,11 +57,9 @@ allow httpd_t httpd_fastcgi_content_t:lnk_file { getattr read };
 # sockets and respond to them
 allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
 
-# FastCGI application doing something to the httpd error log
-dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
-
-# Not sure what this is doing (happens when fastcgi scripts start)
+# These are probably leaked file descriptors
 dontaudit httpd_t devpts_t:chr_file ioctl;
+dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
 
 # ======================================================
 # Equivalent policy cribbed from httpd_sys_script_t
diff --git a/fcgid.conf b/fcgid.conf
index 0981b9c..e9d886e 100644
--- a/fcgid.conf
+++ b/fcgid.conf
@@ -13,4 +13,4 @@ LoadModule fcgid_module modules/mod_fcgid.so
 
 # Sane place to put sockets and shared memory file
 SocketPath run/mod_fcgid
-SharememPath run/fcgid_shm
+SharememPath run/mod_fcgid/fcgid_shm
diff --git a/mod_fcgid.spec b/mod_fcgid.spec
index 2cdddc4..02c7560 100644
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@@ -11,7 +11,7 @@
 
 Name: mod_fcgid
 Version: 2.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Apache2 module for high-performance server-side scripting
 Group: System Environment/Daemons
 License: GPL+
@@ -125,7 +125,7 @@ do
 %{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
 done
 # Fix up non-standard directory context
-/sbin/restorecon %{_localstatedir}/run/mod_fcgid || :
+/sbin/restorecon -R %{_localstatedir}/run/mod_fcgid || :
 
 %postun selinux
 # Clean up after package removal
@@ -157,6 +157,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Jan 14 2008 Paul Howarth 2.2-3
+- Update SELinux policy to fix occasional failures on restarts
+  (move shared memory file into /var/run/mod_fcgid directory)
+
 * Thu Jan 3 2008 Paul Howarth 2.2-2
 - Update SELinux policy to support file transition to httpd_tmp_t for temporary files
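Review bot: the fcgid.conf comment above the two paths does not say why both must live under run/mod_fcgid, and the reason is a policy coupling rather than taste: fastcgi.fc labels only `/var/run/mod_fcgid(/.*)?` as httpd_fastcgi_var_run_t, and the .te changes in this commit grant httpd_t file and sock_file creation only on that type, so pointing SharememPath (or SocketPath) anywhere else would reintroduce the denial this release is fixing. Suggest replacing the comment with `# Keep both under run/mod_fcgid: the fastcgi SELinux module only allows httpd to create sockets and the shared memory file there`. The %post hunk of mod_fcgid.spec relabels that directory recursively, which covers files created under the old type name, but nothing in this diff addresses a leftover run/fcgid_shm from the previous location on upgrade; whether one remains depends on whether the running mod_fcgid unlinks it at shutdown, which is not visible here.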