    PaulHowarth/Blog/2006-05-26

Friday 26th May 2006

Local packages

  • Fixed yesterday's perl-Net-IP package, which had broken dependencies due to an error implementing a cosmetic change (sigh)

  • More PHP cleanups and SELinux work for contagged; it now only works from localhost by default too, as a security measure

Wiki

Made a new SELinux policy for the wiki running under mod_fcgid. It runs in a new domain, httpd_fastcgi_script_t, which is allowed to use unix-domain sockets, unlike httpd_sys_script_t:

apache.te:

policy_module(apache, 0.2.1)

require {
        type devpts_t;
        type httpd_t;
        type httpd_log_t;
        type httpd_sys_script_exec_t;
        type restorecon_t;
        type var_t;
        type var_run_t;
        type webalizer_t;
};

# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };

# Allow restorecon to restore file contexts via the /var/www -> /srv/www symlink
allow restorecon_t var_t:lnk_file read;

# Allow webalizer to read the routing table
allow webalizer_t self:netlink_route_socket { r_netlink_socket_perms };

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;

apache.fc:

/srv/www/tips/cgi-bin/moin.fcgi --      gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin.fcgi --      gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
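The following is an added example, not part of the original post or its policy. It shows how AVC denials of the kind this module addresses collapse into allow rules of the shape used in apache.te. The log lines are constructed, the function names are hypothetical, and the post does not say how its rules were derived. The output lists raw permissions rather than refpolicy macros such as rw_stream_socket_perms.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1148641201.101:41): avc:  denied  { read write } for  pid=2301 comm="moin.fcgi" scontext=system_u:system_r:httpd_fastcgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1148641201.105:42): avc:  denied  { accept } for  pid=2301 comm="moin.fcgi" scontext=system_u:system_r:httpd_fastcgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1148641201.110:43): avc:  denied  { setattr } for  pid=2290 comm="httpd" name="mod_fcgid" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1148641305.007:51): avc:  denied  { create nlmsg_read } for  pid=2410 comm="webalizer" scontext=system_u:system_r:webalizer_t:s0 tcontext=system_u:system_r:webalizer_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148641305.007:51): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("malformed security context: %r" % context)
    return fields[2]


def denials_to_rules(log_text):
    """Merge AVC denials per (source, target, class) into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:  # SYSCALL and other record types carry no AVC data
            continue
        key = (context_type(match["scon"]), context_type(match["tcon"]),
               match["tclass"])
        merged[key].update(match["perms"].split())
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        if target == source:  # a domain acting on its own object is "self"
            target = "self"
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ %s }" % " ".join(names)
        rules.append("allow %s %s:%s %s;" % (source, target, tclass, perm_text))
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Each generated rule should be reviewed before it goes into a module, since a denial can also indicate a mislabelled file or a script running in the wrong domain rather than a missing permission.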

