Blob Blame History Raw
Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
==============================================================

Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
policy module to support FastCGI applications. Later Fedora releases and Red
Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
package and do not require the separate module.

The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.

The module uses the same set of SELinux types for FastCGI applications as for
regular CGI scripts (or "system scripts" as they are known in SELinux), as
described in "man httpd_selinux".

 * httpd_sys_content_t
 - Set files with httpd_sys_content_t for content that is available
   from all FastCGI scripts and the daemon.

 * httpd_sys_script_exec_t
 - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run
   with access to all system script types.

 * httpd_sys_script_ro_t
 - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
   scripts to read but not write the data, and disallow other processes from
   access.

 * httpd_sys_script_rw_t
 - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
   scripts to read/write the data, and disallow other processes from access.

 * httpd_sys_script_ra_t
 - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
   scripts to read/append to the file, and disallow other processes from
   access.

So for the moin wiki layout described in README.RPM of the main mod_fcgid
package, the contexts would be set as follows:

    cd /var/www/mywiki
    chcon -t httpd_sys_content_t .
    chcon -R -t httpd_sys_script_exec_t cgi-bin
    chcon -R -t httpd_sys_script_rw_t data underlay

It is necessary to turn on the httpd_enable_cgi boolean to run either regular
or FastCGI scripts:

    setsebool -P httpd_enable_cgi 1

The httpd_can_sendmail boolean is used to specify whether any of your
web applications can make outbound SMTP connections (e.g. moin sending
notifications). By default it is off, but can be enabled as follows:

    setsebool -P httpd_can_sendmail 1

Only enable this functionality if you actually need it, since it increases the
chances that any vulnerability in any of your web applications could be
exploited by a spammer.

If you have any questions or issues regarding FastCGI and SELinux, please don't
hesitate to bring them up on fedora-selinux-list.