| Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards |
| ============================================================== |
| |
| The module uses the same set of SELinux types for FastCGI applications as for |
| regular CGI scripts (or "system scripts" as they are known in SELinux), as |
| described in "man httpd_selinux". |
| |
| * httpd_sys_content_t |
| - Set files with httpd_sys_content_t for content that is available to read |
| from all FastCGI scripts and the daemon. |
| |
| * httpd_sys_rw_content_t |
| - Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t |
| scripts to read/write the data, and disallow other processes from access. |
| |
| * httpd_sys_script_exec_t |
| - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run |
| with access to all system script types. |
| |
| So for the moin wiki layout described in README.RPM of the main mod_fcgid |
| package, the contexts would be set as follows: |
| |
| cd /var/www/mywiki |
| chcon -t httpd_sys_content_t . |
| chcon -R -t httpd_sys_script_exec_t cgi-bin |
| chcon -R -t httpd_sys_rw_content_t data underlay |
| |
| It is necessary to turn on the httpd_enable_cgi boolean to run either regular |
| or FastCGI scripts: |
| |
| setsebool -P httpd_enable_cgi 1 |
| |
| The httpd_can_sendmail boolean is used to specify whether any of your |
| web applications can make outbound SMTP connections (e.g. moin sending |
| notifications). By default it is off, but can be enabled as follows: |
| |
| setsebool -P httpd_can_sendmail 1 |
| |
| Only enable this functionality if you actually need it, since it increases the |
| chances that any vulnerability in any of your web applications could be |
| exploited by a spammer. |
| |
| If you have any questions or issues regarding FastCGI and SELinux, please don't |
| hesitate to bring them up on Fedora's selinux-list. |
| |