Using mod_fcgid in Fedora
=========================

This mod_fcgid package includes a configuration file
/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
added as the handler for .fcg, .fcgi, and .fpl applications (provided
mod_fastcgi is not already loaded, in which case you will need to decide which
module should handle which types of application).

So far the module package has only been tested in conjunction with the "moin"
wiki application. Further feedback regarding other applications is welcome.

Setting up moin with mod_fcgid
==============================

Setting up moin with mod_fcgid is very similar to setting it up as a regular
CGI application.

* Create a directory for your wiki instance:

    DESTDIR=/var/www/mywiki
    mkdir -p $DESTDIR/cgi-bin

* Copy in the wiki template data and the application itself:

    cp -a /usr/share/moin/{data,underlay} $DESTDIR
    cp -a /usr/share/moin/server/moin.fcg $DESTDIR/cgi-bin
    cp -a /usr/share/moin/config/wikiconfig.py $DESTDIR/cgi-bin

* Fix the directory ownership:

    chown -R apache:apache $DESTDIR/{data,underlay}

* Edit $DESTDIR/cgi-bin/wikiconfig.py to suit your needs

* Create a httpd configuration file for the wiki, e.g.
  /etc/httpd/conf.d/mywiki.conf:

    # Wiki application data common to all wiki instances
    Alias /wiki/ "/usr/share/moin/htdocs/"
    <Directory "/usr/share/moin/htdocs/">
      Options Indexes FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
    </Directory>

    # Wiki instance with mod_fcgid
    ScriptAlias /mywiki "/var/www/mywiki/cgi-bin/moin.fcg"
    <Directory "/var/www/mywiki/cgi-bin">
      Options Indexes FollowSymLinks ExecCGI
      AllowOverride None
      Order allow,deny
      Allow from all
    </Directory>

* If you are using SELinux with Fedora Core 5 or later, install the
  mod_fcgid-selinux package and see the README.SELinux file in that package
  for details of the file contexts to use

* Restart the web server to load the new configuration:

    service httpd restart

That should do it!

mod_fcgid with SELinux
======================

Versions of this package built for Fedora Core 5 or later include an SELinux
policy module to support FastCGI applications. Again, this has only been tested
with moin, so feedback from other applications is welcome. The intention is for
this module to be included in the SELinux reference policy eventually.

The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.

The module introduces a new set of SELinux types for FastCGI applications,
comparable with the types described in "man httpd_selinux" for regular CGI
scripts (or "system scripts" as they are known in SELinux):

* httpd_fastcgi_content_t (equivalent to httpd_sys_content_t)
  - Set files with httpd_fastcgi_content_t for content that is available
    from all FastCGI scripts and the daemon.

* httpd_fastcgi_script_exec_t (equivalent to httpd_sys_script_exec_t)
  - Set FastCGI scripts with httpd_fastcgi_script_exec_t to allow them to run
    with access to all fastcgi types.

* httpd_fastcgi_script_ro_t (equivalent to httpd_sys_script_ro_t)
  - Set files with httpd_fastcgi_script_ro_t if you want
    httpd_fastcgi_script_exec_t scripts to read the data, and disallow other
    non-fastcgi scripts from access.

* httpd_fastcgi_script_rw_t (equivalent to httpd_sys_script_rw_t)
  - Set files with httpd_fastcgi_script_rw_t if you want
    httpd_fastcgi_script_exec_t scripts to read/write the data, and disallow
    other non-fastcgi scripts from access.

* httpd_fastcgi_script_ra_t (equivalent to httpd_sys_script_ra_t)
  - Set files with httpd_fastcgi_script_ra_t if you want
    httpd_fastcgi_script_exec_t scripts to read/append to the file, and
    disallow other non-fastcgi scripts from access.

So for the moin wiki layout described above, the contexts would be set as
follows:

    cd /var/www/mywiki
    chcon -t httpd_fastcgi_content_t .
    chcon -R -t httpd_fastcgi_script_exec_t cgi-bin
    chcon -R -t httpd_fastcgi_script_rw_t data underlay

It is necessary to turn on the httpd_enable_cgi boolean to run either regular
or FastCGI scripts:

    setsebool -P httpd_enable_cgi 1

If the httpd_unified boolean is set, "sys" and "fastcgi" scripts can access
each other's data. This means that you only need to set the actual FastCGI
scripts themselves to httpd_fastcgi_script_exec_t and can leave the file
contexts for everything else set to the "sys" types if you prefer. This is
useful if you have a mixture of CGI and FastCGI applications accessing the
same data.
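
One way to check the labels described above, as an added example that is not
part of the mod_fcgid package: the functions below compare "context path"
lines against the types this README assigns to the moin layout, with and
without httpd_unified. The function names and the sample listing are
constructed for illustration, and everything under cgi-bin is assumed to be a
script, as the "chcon -R" command above treats it.

```sh
#!/bin/sh
# Added example, not shipped with mod_fcgid. Input lines are "context path",
# e.g. from: find /var/www/mywiki -exec stat -c '%C %n' {} +

# expected_type ROOT PATH: print the type this README assigns to PATH.
expected_type() {
    case "$2" in
        "$1") echo httpd_fastcgi_content_t ;;
        "$1"/cgi-bin | "$1"/cgi-bin/*) echo httpd_fastcgi_script_exec_t ;;
        "$1"/data | "$1"/data/* | "$1"/underlay | "$1"/underlay/*)
            echo httpd_fastcgi_script_rw_t ;;
        *) : ;;  # path not covered by the README layout
    esac
}

# check_contexts ROOT UNIFIED < listing
# Prints one MISMATCH line per wrong type; returns 1 if any were found.
# UNIFIED=1 models httpd_unified being on: the matching "sys" type is then
# accepted for data, but scripts must still be httpd_fastcgi_script_exec_t.
check_contexts() {
    root=$1 unified=$2 bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        type=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type[:level]
        want=$(expected_type "$root" "$path")
        [ -n "$want" ] || continue
        [ "$type" = "$want" ] && continue
        if [ "$unified" = 1 ] && [ "$want" != httpd_fastcgi_script_exec_t ]; then
            sys=$(printf '%s\n' "$want" | sed 's/^httpd_fastcgi_/httpd_sys_/')
            [ "$type" = "$sys" ] && continue
        fi
        echo "MISMATCH $path: have $type, want $want"
        bad=$((bad + 1))
    done
    return $((bad > 0))
}

# Constructed sample listing (not real output from any system).
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_fastcgi_content_t:s0 /var/www/mywiki
system_u:object_r:httpd_fastcgi_script_exec_t:s0 /var/www/mywiki/cgi-bin/moin.fcg
system_u:object_r:httpd_sys_content_t:s0 /var/www/mywiki/cgi-bin/wikiconfig.py
system_u:object_r:httpd_sys_script_rw_t:s0 /var/www/mywiki/data
system_u:object_r:httpd_fastcgi_script_rw_t:s0 /var/www/mywiki/underlay
EOF
}

sample_listing | check_contexts /var/www/mywiki 0 || echo "contexts need fixing"
```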

If you have any questions or issues regarding FastCGI and SELinux, please don't
hesitate to bring them up on fedora-selinux-list.