#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Friday 26th May 2006 ===

==== Local packages ====

 * Fixed yesterday's `perl-Net-IP` package, which had broken dependencies due to an error implementing a cosmetic change (sigh)
 * More PHP cleanups and SELinux work for `contagged`; it now only works from localhost by default too, as a security measure

==== Wiki ====

Made a new SELinux policy for the wiki running under `mod_fcgid`. It runs in a new domain, `httpd_fastcgi_script_t`, which is allowed to use unix-domain sockets, unlike `httpd_sys_script_t`:

apache.te:
{{{
policy_module(apache, 0.2.1)

require {
    type devpts_t;
    type httpd_t;
    type httpd_log_t;
    type httpd_sys_script_exec_t;
    type restorecon_t;
    type var_t;
    type var_run_t;
    type webalizer_t;
};

# Allow httpd to read the /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };

# Allow restorecon to restore file contexts via the /var/www -> /srv/www symlink
allow restorecon_t var_t:lnk_file read;

# Allow webalizer to read the routing table
allow webalizer_t self:netlink_route_socket { r_netlink_socket_perms };

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

# The template creates the httpd_fastcgi_script_t domain, the
# httpd_fastcgi_script_exec_t entry-point type and the transition
# httpd_t -> httpd_fastcgi_script_t when httpd executes a file of that type
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
# (the cgi-bin directory itself is labelled httpd_sys_script_exec_t)
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets (passed in from httpd_t) and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log;
# silence the denial rather than grant the ioctl
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;
}}}

apache.fc (both paths are listed because /var/www is a symlink to /srv/www):
{{{
/srv/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
}}}
----
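Rules like the ones in apache.te come from reading AVC denials and deciding, one by one, whether to allow them, silence them with `dontaudit`, or fix the labelling instead. The script below is an added example, not part of this page, of the reference policy or of `audit2allow`; it is a cut-down stand-in for the denial-to-rule step so the grouping and the `self`/`dontaudit` cases can be seen in code. The AVC lines in `SAMPLE_AVC` are constructed to mirror the denials the policy above works around, not captured from a real system, and the `dontaudit` set passed to `render_rules` is a hypothetical input chosen to match the page's treatment of the error-log ioctl.

```python
"""Turn SELinux AVC denial lines into candidate module rules.

Added example; a stand-in for the denial-to-rule step, not audit2allow and
not part of the wiki page's apache.te.
"""
import re

# Constructed sample AVC lines in auditd's format, modelled on the denials
# the page's apache.te works around. Not real log output.
SAMPLE_AVC = """\
type=AVC msg=audit(1148600000.101:201): avc:  denied  { read } for  pid=2001 comm="moin.fcgi" name="moin.fcgi" dev=sda3 ino=5001 scontext=system_u:system_r:httpd_fastcgi_script_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1148600000.102:202): avc:  denied  { write } for  pid=2001 comm="moin.fcgi" scontext=system_u:system_r:httpd_fastcgi_script_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1148600000.103:203): avc:  denied  { ioctl } for  pid=2001 comm="moin.fcgi" path="/var/log/httpd/error_log" dev=sda3 ino=5002 scontext=system_u:system_r:httpd_fastcgi_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1148600000.104:204): avc:  denied  { read } for  pid=2002 comm="webalizer" scontext=system_u:system_r:webalizer_t:s0 tcontext=system_u:system_r:webalizer_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1148600000.105:205): avc:  denied  { search } for  pid=2001 comm="moin.fcgi" name="cgi-bin" dev=sda3 ino=5003 scontext=system_u:system_r:httpd_fastcgi_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir
"""

# Matches the permission list and the source/target contexts of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def _type_of(context):
    """user:role:type[:mls] -> type (policy rules are written on types)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines.

    Denials for the same (source, target, class) triple are merged so that
    one rule carries all the permissions seen, as in the page's
    unix_stream_socket rule.
    """
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record (SYSCALL, PATH, ...)
        key = (_type_of(m.group("scontext")),
               _type_of(m.group("tcontext")),
               m.group("tclass"))
        rules.setdefault(key, set()).update(m.group("perms").split())
    return rules


def render_rules(rules, dontaudit=frozenset()):
    """Render a types-only require block plus allow/dontaudit rules.

    dontaudit: set of (source_type, target_type, tclass, perm) tuples to
    silence rather than permit (the page does this for the FastCGI app's
    ioctl on the httpd error log). A target equal to the source is written
    as 'self', as in the page's webalizer netlink_route_socket rule.
    """
    types = sorted({t for s, tgt, _ in rules for t in (s, tgt)})
    out = ["require {"] + ["\ttype %s;" % t for t in types] + ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        target = "self" if stype == ttype else ttype
        silenced = sorted(p for p in perms if (stype, ttype, tclass, p) in dontaudit)
        allowed = sorted(p for p in perms if p not in silenced)
        for verb, plist in (("allow", allowed), ("dontaudit", silenced)):
            if plist:
                out.append("%s %s %s:%s { %s };"
                           % (verb, stype, target, tclass, " ".join(plist)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Hypothetical reviewer decision: silence the error-log ioctl, allow the rest.
    silence = {("httpd_fastcgi_script_t", "httpd_log_t", "file", "ioctl")}
    print(render_rules(parse_avc(SAMPLE_AVC), dontaudit=silence))
```

The output is raw permission lists; when folding such rules into a module like apache.te, prefer the reference policy's permission-set macros (`rw_stream_socket_perms`, `search_dir_perms`) and interfaces over copying the raw list, and treat every generated `allow` as a question rather than an answer, since a denial is just as often a sign of wrong labelling as of a missing rule. After loading the finished module, `ls -Z` on the FastCGI script should show `httpd_fastcgi_script_exec_t` (run `restorecon` on it if not) and `ps -eZ` should show the running application in `httpd_fastcgi_script_t`; if it is still in `httpd_sys_script_t`, the transition is not happening and more rules will not help.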