PaulHowarth/Blog/2006-05-26

Friday 26th May 2006

Local packages

  • Fixed yesterday's perl-Net-IP package, which had broken dependencies due to an error implementing a cosmetic change (sigh)

  • More PHP cleanups and SELinux work for contagged; it now only works from localhost by default too, as a security measure

Wiki

Made a new SELinux policy for the wiki running under mod_fcgid. It runs in a new domain, httpd_fastcgi_script_t, which is allowed to use unix-domain sockets, unlike httpd_sys_script_t:

apache.te:

policy_module(apache, 0.2.1)

require {
        type devpts_t;
        type httpd_t;
        type httpd_log_t;
        type httpd_sys_script_exec_t;
        type restorecon_t;
        type var_t;
        type var_run_t;
        type webalizer_t;
};

# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };

# Allow restorecon to restore file contexts via the /var/www -> /srv/www symlink
allow restorecon_t var_t:lnk_file read;

# Allow webalizer to read the routing table
allow webalizer_t self:netlink_route_socket { r_netlink_socket_perms };

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;

apache.fc:

/srv/www/tips/cgi-bin/moin.fcgi --      gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin.fcgi --      gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
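To review what a module like the one above actually grants versus what it merely silences, the following added script (not part of the original post) parses the allow/dontaudit rules from the apache.te listing and answers queries about one domain; the embedded policy text is the post's own rules, re-typed as constructed sample input.

```python
import re

# Constructed sample input: the TE rules from the apache.te listing above.
APACHE_TE = """\
# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };
allow restorecon_t var_t:lnk_file read;
allow webalizer_t self:netlink_route_socket { r_netlink_socket_perms };
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
dontaudit httpd_t devpts_t:chr_file ioctl;
allow httpd_t var_run_t:dir setattr;
"""

# kind source target:class { perms } ;   (perm-set macros are kept as names)
RULE_RE = re.compile(
    r'^\s*(allow|dontaudit|auditallow|neverallow)\s+'
    r'([^\s:]+)\s+([^\s:]+):(\S+)\s+'
    r'(\{[^}]*\}|[^\s;]+)\s*;')

def parse_rules(text):
    """Return one dict per TE access-vector rule; comments are stripped first."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split('#', 1)[0])
        if not m:
            continue
        kind, src, tgt, cls, perms = m.groups()
        rules.append({'kind': kind, 'source': src,
                      'target': src if tgt == 'self' else tgt,   # resolve 'self'
                      'class': cls, 'perms': perms.strip('{} ').split()})
    return rules

def granted(rules, source, target, cls):
    """Permissions really allowed; dontaudit rules only hide denials, so they are excluded."""
    perms = set()
    for r in rules:
        if (r['kind'], r['source'], r['target'], r['class']) == ('allow', source, target, cls):
            perms.update(r['perms'])
    return perms

def review(rules, domain):
    """Per-domain summary split by rule kind, e.g. for checking a new domain's footprint."""
    summary = {'allow': [], 'dontaudit': []}
    for r in rules:
        if r['source'] == domain:
            summary.setdefault(r['kind'], []).append(
                "%s:%s %s" % (r['target'], r['class'], ' '.join(r['perms'])))
    return summary

if __name__ == '__main__':
    for kind, entries in review(parse_rules(APACHE_TE), 'httpd_fastcgi_script_t').items():
        print(kind, entries)
```

Running it shows that httpd_fastcgi_script_t gets only search on the CGI directory and read/write on httpd's socket, while the error-log ioctl is silenced rather than permitted.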
