From fdb13c5cb9a0da0068b25772cd5b7c8c7345f044 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 07 2019 11:55:03 +0000 Subject: import mod_fcgid-2.3.9-16.el8 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8fab515 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/mod_fcgid-2.1-README.RPM +SOURCES/mod_fcgid-2.3.9.tar.bz2 diff --git a/.mod_fcgid.metadata b/.mod_fcgid.metadata new file mode 100644 index 0000000..bef2275 --- /dev/null +++ b/.mod_fcgid.metadata @@ -0,0 +1,2 @@ +5a512f8879313c94e3ee86d664683277506d74a9 SOURCES/mod_fcgid-2.1-README.RPM +f0b6d87dfcfe18b318905a3f91274051f3f17945 SOURCES/mod_fcgid-2.3.9.tar.bz2 diff --git a/SOURCES/fastcgi-2.5.te b/SOURCES/fastcgi-2.5.te new file mode 100644 index 0000000..c691308 --- /dev/null +++ b/SOURCES/fastcgi-2.5.te @@ -0,0 +1,63 @@ +# This policy module provides support for mod_fcgid using the httpd system script domain. +# It provides "allow" rules that will overlap to varying degrees with selinux-policy +# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included +# as updates for selinux-policy in Fedora 8, 9, and 10. +# +# Rules existing in selinux-policy 2.6.4 (F7) have been stripped from this policy +# +# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, +# which is now an alias for httpd_sys_script_t. + +policy_module(fastcgi, 0.2.6) + +require { + type devpts_t; + type httpd_t; + type httpd_log_t; + type httpd_sys_content_t; + type httpd_sys_content_ra_t; + type httpd_sys_content_ro_t; + type httpd_sys_content_rw_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_ra_t; + type httpd_sys_script_ro_t; + type httpd_sys_script_rw_t; + type httpd_sys_script_t; + type httpd_tmp_t; + type httpd_var_run_t; +}; + +# Type aliases for contexts used with older policy modules +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_content_ra_t alias httpd_fastcgi_content_ra_t; +typealias httpd_sys_content_ro_t alias httpd_fastcgi_content_ro_t; +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +# ========================================================== +# Re-use httpd_sys_script_t for mod_fcgid apps +# ========================================================== + +# Allow web applications to call getpw* functions +auth_use_nsswitch(httpd_sys_script_t) + +# Allow httpd to create and use files and sockets for communicating with mod_fcgid +# Rules to do this are already in selinux-policy apart from dir setattr +setattr_dirs_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t) + +# Allow FastCGI applications to listen for FastCGI requests on their +# sockets and respond to them +allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; + +# These are probably leaked file descriptors +dontaudit httpd_t devpts_t:chr_file ioctl; +dontaudit httpd_sys_script_t httpd_log_t:file ioctl; + +# PHP uploads a file to /tmp and then execs programs to action them +# Rules to do this are already in selinux-policy 2.6.4 (F7) apart from filetrans +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) diff --git a/SOURCES/fastcgi.fc b/SOURCES/fastcgi.fc new file mode 100644 index 0000000..2006d97 --- /dev/null +++ b/SOURCES/fastcgi.fc @@ -0,0 +1 @@ +/var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/SOURCES/fastcgi.te b/SOURCES/fastcgi.te new file mode 100644 index 0000000..373d920 --- /dev/null +++ b/SOURCES/fastcgi.te @@ -0,0 +1,71 @@ +# This policy module provides support for mod_fcgid using the httpd system script domain. +# It provides "allow" rules that will overlap to varying degrees with selinux-policy +# packages for Fedora 5 onwards, and is a stepping stone to the merged policy included +# as updates for selinux-policy in Fedora 8, 9, and 10. +# +# Rules existing in selinux-policy 2.3.7 (FC5) have been stripped from this policy +# +# Previous versions of this policy module used a separate domain, httpd_fastcgi_script_t, +# which is now an alias for httpd_sys_script_t. + +policy_module(fastcgi, 0.1.11) + +require { + type devpts_t; + type httpd_t; + type httpd_log_t; + type httpd_sys_content_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_ra_t; + type httpd_sys_script_ro_t; + type httpd_sys_script_rw_t; + type httpd_sys_script_t; + type httpd_tmp_t; + type httpd_var_run_t; +}; + +# Type aliases for contexts used with older policy modules +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +# ========================================================== +# Re-use httpd_sys_script_t for mod_fcgid apps +# ========================================================== + +# Allow web applications to call getpw* functions +auth_use_nsswitch(httpd_sys_script_t) + +# Allow httpd to create and use files and sockets for communicating with mod_fcgid +# Rules to do this are already in selinux-policy apart from dir setattr +allow httpd_t httpd_var_run_t:dir setattr; + +# Allow FastCGI applications to listen for FastCGI requests on their +# sockets and respond to them +allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; + +# These are probably leaked file descriptors +dontaudit httpd_t devpts_t:chr_file ioctl; +dontaudit httpd_sys_script_t httpd_log_t:file ioctl; + +# Search automount filesystem to use automatically mounted filesystems +fs_search_auto_mountpoints(httpd_sys_script_t) + +# PHP uploads a file to /tmp and then execs programs to action them +allow httpd_sys_script_t httpd_tmp_t:dir manage_dir_perms; +allow httpd_sys_script_t httpd_tmp_t:file manage_file_perms; +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) + +# Support network home directories +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') diff --git a/SOURCES/fcgid.conf b/SOURCES/fcgid.conf new file mode 100644 index 0000000..90f208e --- /dev/null +++ b/SOURCES/fcgid.conf @@ -0,0 +1,14 @@ +# This is the Apache server configuration file for providing FastCGI support +# through mod_fcgid +# +# Documentation is available at +# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html + +LoadModule fcgid_module modules/mod_fcgid.so + +# Use FastCGI to process .fcg .fcgi & .fpl scripts +AddHandler fcgid-script fcg fcgi fpl + +# Sane place to put sockets and shared memory file +FcgidIPCDir /var/run/mod_fcgid +FcgidProcessTableFile /var/run/mod_fcgid/fcgid_shm diff --git a/SOURCES/fcgid24.conf b/SOURCES/fcgid24.conf new file mode 100644 index 0000000..2e7d486 --- /dev/null +++ b/SOURCES/fcgid24.conf @@ -0,0 +1,12 @@ +# This is the Apache server configuration file for providing FastCGI support +# through mod_fcgid +# +# Documentation is available at +# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html + +# Use FastCGI to process .fcg .fcgi & .fpl scripts +AddHandler fcgid-script fcg fcgi fpl + +# Sane place to put sockets and shared memory file +FcgidIPCDir /run/mod_fcgid +FcgidProcessTableFile /run/mod_fcgid/fcgid_shm diff --git a/SOURCES/mod_fcgid-2.1-README.SELinux b/SOURCES/mod_fcgid-2.1-README.SELinux new file mode 100644 index 0000000..981cf59 --- /dev/null +++ b/SOURCES/mod_fcgid-2.1-README.SELinux @@ -0,0 +1,63 @@ +Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards +============================================================== + +Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux +policy module to support FastCGI applications. Later Fedora releases and Red +Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy +package and do not require the separate module. + +The module source (fastcgi.{fc,te}) is included for reference as documentation +in the package. + +The module uses the same set of SELinux types for FastCGI applications as for +regular CGI scripts (or "system scripts" as they are known in SELinux), as +described in "man httpd_selinux". + + * httpd_sys_content_t + - Set files with httpd_sys_content_t for content that is available + from all FastCGI scripts and the daemon. + + * httpd_sys_script_exec_t + - Set FastCGI scripts with httpd_sys_script_exec_t to allow them to run + with access to all system script types. + + * httpd_sys_script_ro_t + - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t + scripts to read but not write the data, and disallow other processes from + access. + + * httpd_sys_script_rw_t + - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t + scripts to read/write the data, and disallow other processes from access. + + * httpd_sys_script_ra_t + - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t + scripts to read/append to the file, and disallow other processes from + access. + +So for the moin wiki layout described in README.RPM of the main mod_fcgid +package, the contexts would be set as follows: + + cd /var/www/mywiki + chcon -t httpd_sys_content_t . + chcon -R -t httpd_sys_script_exec_t cgi-bin + chcon -R -t httpd_sys_script_rw_t data underlay + +It is necessary to turn on the httpd_enable_cgi boolean to run either regular +or FastCGI scripts: + + setsebool -P httpd_enable_cgi 1 + +The httpd_can_sendmail boolean is used to specify whether any of your +web applications can make outbound SMTP connections (e.g. moin sending +notifications). By default it is off, but can be enabled as follows: + + setsebool -P httpd_can_sendmail 1 + +Only enable this functionality if you actually need it, since it increases the +chances that any vulnerability in any of your web applications could be +exploited by a spammer. + +If you have any questions or issues regarding FastCGI and SELinux, please don't +hesitate to bring them up on fedora-selinux-list. + diff --git a/SOURCES/mod_fcgid-2.3.4-fixconf-shellbang.patch b/SOURCES/mod_fcgid-2.3.4-fixconf-shellbang.patch new file mode 100644 index 0000000..ea5fb50 --- /dev/null +++ b/SOURCES/mod_fcgid-2.3.4-fixconf-shellbang.patch @@ -0,0 +1,8 @@ +--- mod_fcgid-2.3.4/build/fixconf.sed 2009-10-07 04:16:08.000000000 +0100 ++++ mod_fcgid-2.3.4/build/fixconf.sed 2009-10-12 09:50:14.570448865 +0100 +@@ -1,4 +1,4 @@ +-#!/usr/bin/sed -f ++#!/bin/sed -f + # + # Licensed to the Apache Software Foundation (ASF) under one or more + # contributor license agreements. See the NOTICE file distributed with diff --git a/SOURCES/mod_fcgid-2.3.9-r1847623.patch b/SOURCES/mod_fcgid-2.3.9-r1847623.patch new file mode 100644 index 0000000..bcb59b1 --- /dev/null +++ b/SOURCES/mod_fcgid-2.3.9-r1847623.patch @@ -0,0 +1,16 @@ +# ./pullrev.sh 1847623 +http://svn.apache.org/viewvc?view=revision&revision=1847623 + +https://bugzilla.redhat.com/show_bug.cgi?id=1651310 + +--- mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.h ++++ mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.h +@@ -138,7 +138,7 @@ + * to limit shared memory use + */ + #define INITENV_KEY_LEN 64 +-#define INITENV_VAL_LEN 128 ++#define INITENV_VAL_LEN 256 + #define INITENV_CNT 64 + typedef struct { + char initenv_key[INITENV_CNT][INITENV_KEY_LEN]; diff --git a/SOURCES/mod_fcgid-2.3.9-r1847624.patch b/SOURCES/mod_fcgid-2.3.9-r1847624.patch new file mode 100644 index 0000000..a25f0de --- /dev/null +++ b/SOURCES/mod_fcgid-2.3.9-r1847624.patch @@ -0,0 +1,119 @@ +# ./pullrev.sh 1847624 +http://svn.apache.org/viewvc?view=revision&revision=1847624 + +https://bugzilla.redhat.com/show_bug.cgi?id=1654200 + +--- mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_unix.c ++++ mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_unix.c +@@ -762,14 +762,18 @@ + struct iovec vec[FCGID_VEC_COUNT]; + int nvec = 0; + apr_bucket *e; ++ apr_bucket_brigade *tmpbb = apr_brigade_create(output_brigade->p, ++ output_brigade->bucket_alloc); + +- for (e = APR_BRIGADE_FIRST(output_brigade); +- e != APR_BRIGADE_SENTINEL(output_brigade); +- e = APR_BUCKET_NEXT(e)) { ++ while (!APR_BRIGADE_EMPTY(output_brigade)) ++ { ++ e = APR_BRIGADE_FIRST(output_brigade); ++ + apr_size_t len; + const char* base; + + if (APR_BUCKET_IS_METADATA(e)) { ++ apr_bucket_delete(e); + continue; + } + +@@ -780,6 +784,9 @@ + return rv; + } + ++ APR_BUCKET_REMOVE(e); ++ APR_BRIGADE_INSERT_TAIL(tmpbb, e); ++ + vec[nvec].iov_len = len; + vec[nvec].iov_base = (char*) base; + if (nvec == (FCGID_VEC_COUNT - 1)) { +@@ -789,6 +796,7 @@ + FCGID_VEC_COUNT)) != APR_SUCCESS) + return rv; + nvec = 0; ++ apr_brigade_cleanup(tmpbb); + } + else + nvec++; +@@ -800,6 +808,7 @@ + return rv; + } + ++ apr_brigade_destroy(tmpbb); + return APR_SUCCESS; + } + +--- mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_win.c ++++ mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_win.c +@@ -380,19 +380,22 @@ + apr_bucket *bucket_request; + apr_status_t rv; + DWORD transferred; ++ apr_bucket_brigade *tmpbb = apr_brigade_create(birgade_send->p, ++ birgade_send->bucket_alloc); + + handle_info = (fcgid_namedpipe_handle *) ipc_handle->ipc_handle_info; + +- for (bucket_request = APR_BRIGADE_FIRST(birgade_send); +- bucket_request != APR_BRIGADE_SENTINEL(birgade_send); +- bucket_request = APR_BUCKET_NEXT(bucket_request)) +- { ++ while (!APR_BRIGADE_EMPTY(birgade_send)) { + const char *write_buf; + apr_size_t write_buf_len; + apr_size_t has_write; + +- if (APR_BUCKET_IS_METADATA(bucket_request)) ++ bucket_request = APR_BRIGADE_FIRST(birgade_send); ++ ++ if (APR_BUCKET_IS_METADATA(bucket_request)) { ++ apr_bucket_delete(bucket_request); + continue; ++ } + + if ((rv = apr_bucket_read(bucket_request, &write_buf, &write_buf_len, + APR_BLOCK_READ)) != APR_SUCCESS) { +@@ -401,6 +404,9 @@ + return rv; + } + ++ APR_BUCKET_REMOVE(bucket_request); ++ APR_BRIGADE_INSERT_TAIL(tmpbb, bucket_request); ++ + /* Write the buffer to fastcgi server */ + has_write = 0; + while (has_write < write_buf_len) { +@@ -411,6 +417,7 @@ + write_buf_len - has_write, + &byteswrite, &handle_info->overlap_write)) { + has_write += byteswrite; ++ apr_brigade_cleanup(tmpbb); + continue; + } else if ((rv = GetLastError()) != ERROR_IO_PENDING) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, +@@ -437,6 +444,7 @@ + return APR_ESPIPE; + } + has_write += transferred; ++ apr_brigade_cleanup(tmpbb); + continue; + } else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, +@@ -448,6 +456,7 @@ + } + } + ++ apr_brigade_destroy(tmpbb); + return APR_SUCCESS; + } + diff --git a/SOURCES/mod_fcgid-2.3.9-r1848298.patch b/SOURCES/mod_fcgid-2.3.9-r1848298.patch new file mode 100644 index 0000000..3f5dd93 --- /dev/null +++ b/SOURCES/mod_fcgid-2.3.9-r1848298.patch @@ -0,0 +1,87 @@ +# ./pullrev.sh 1848298 + +http://svn.apache.org/viewvc?view=revision&revision=1848298 + +https://bugzilla.redhat.com/show_bug.cgi?id=1652493 + +--- mod_fcgid-2.3.9/modules/fcgid/fcgid_bridge.c ++++ mod_fcgid-2.3.9/modules/fcgid/fcgid_bridge.c +@@ -526,7 +526,8 @@ + } + + static int add_request_body(request_rec *r, apr_pool_t *request_pool, +- apr_bucket_brigade *output_brigade) ++ apr_bucket_brigade *output_brigade, ++ apr_off_t *body_length) + { + apr_bucket *bucket_input, *bucket_header; + apr_file_t *fd = NULL; +@@ -729,22 +730,49 @@ + } + APR_BRIGADE_INSERT_TAIL(output_brigade, bucket_header); + ++ *body_length = request_size; ++ + return 0; + } + + int bridge_request(request_rec * r, int role, fcgid_cmd_conf *cmd_conf) + { +- apr_bucket_brigade *output_brigade; ++ apr_bucket_brigade *output_brigade, *body_brigade; + apr_bucket *bucket_eos; +- char **envp = ap_create_environment(r->pool, +- r->subprocess_env); ++ char **envp; + int rc; + + /* Create brigade for the request to fastcgi server */ ++ body_brigade ++ = apr_brigade_create(r->pool, r->connection->bucket_alloc); + output_brigade = + apr_brigade_create(r->pool, r->connection->bucket_alloc); + +- /* Build the begin request and environ request, append them to output_brigade */ ++ /* In responder mode, handle the request body up front to ensure ++ * the content-length is known (even if the request body is ++ * chunked) and sent in the header. */ ++ if (role == FCGI_RESPONDER) { ++ apr_off_t body_length; ++ ++ rc = add_request_body(r, r->pool, body_brigade, &body_length); ++ if (rc) { ++ return rc; ++ } ++ ++ if (body_length && !apr_table_get(r->headers_in, "Content-Length")) { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "mod_fcgid: dechunked request body length %" APR_OFF_T_FMT, ++ body_length); ++ ++ apr_table_set(r->subprocess_env, "CONTENT_LENGTH", ++ apr_off_t_toa(r->pool, body_length)); ++ apr_table_unset(r->subprocess_env, "HTTP_TRANSFER_ENCODING"); ++ } ++ } ++ ++ envp = ap_create_environment(r->pool, r->subprocess_env); ++ ++ /* Build the begin request and environ request, add them to output_brigade */ + if (!build_begin_block + (role, r, r->connection->bucket_alloc, output_brigade) + || !build_env_block(r, envp, r->connection->bucket_alloc, +@@ -754,12 +782,8 @@ + return HTTP_INTERNAL_SERVER_ERROR; + } + +- if (role == FCGI_RESPONDER) { +- rc = add_request_body(r, r->pool, output_brigade); +- if (rc) { +- return rc; +- } +- } ++ /* Append the body output. */ ++ APR_BRIGADE_CONCAT(output_brigade, body_brigade); + + /* The eos bucket now */ + bucket_eos = apr_bucket_eos_create(r->connection->bucket_alloc); diff --git a/SOURCES/mod_fcgid-2.3.9-r1848311.patch b/SOURCES/mod_fcgid-2.3.9-r1848311.patch new file mode 100644 index 0000000..181fad3 --- /dev/null +++ b/SOURCES/mod_fcgid-2.3.9-r1848311.patch @@ -0,0 +1,40 @@ +# ./pullrev.sh 1848311 +http://svn.apache.org/viewvc?view=revision&revision=1848311 + +https://bugzilla.redhat.com/show_bug.cgi?id=1655035 + +--- mod_fcgid-2.3.9/modules/fcgid/config.m4 ++++ mod_fcgid-2.3.9/modules/fcgid/config.m4 +@@ -43,6 +43,11 @@ + AC_CHECK_HEADERS(sys/mman.h) + AC_CHECK_HEADERS(sys/mutex.h) + AC_CHECK_HEADERS(sys/shm.h) ++ if test "x$enable_fcgid" = "xshared"; then ++ # The only symbol which needs to be exported is the module ++ # structure, so ask libtool to hide everything else: ++ APR_ADDTO(MOD_FCGID_LDADD, [-export-symbols-regex fcgid_module]) ++ fi + ]) + + dnl # end of module specific part +--- mod_fcgid-2.3.9/modules/fcgid/Makefile.apxs ++++ mod_fcgid-2.3.9/modules/fcgid/Makefile.apxs +@@ -16,6 +16,7 @@ + builddir=. + srcdir=. + ++MOD_FCGID_LDADD = -export-symbols-regex fcgid_module + CLEAN_TARGETS = *.loT + include $(exp_installbuilddir)/special.mk + +--- mod_fcgid-2.3.9/modules/fcgid/modules.mk.apxs ++++ mod_fcgid-2.3.9/modules/fcgid/modules.mk.apxs +@@ -17,7 +17,7 @@ + # this is used/needed by the APACHE2 build system + # + mod_fcgid.la: mod_fcgid.slo fcgid_bridge.slo fcgid_conf.slo fcgid_pm_main.slo fcgid_protocol.slo fcgid_spawn_ctl.slo fcgid_proctbl_unix.slo fcgid_pm_unix.slo fcgid_proc_unix.slo fcgid_bucket.slo fcgid_filter.slo fcgid_mutex_unix.slo +- $(SH_LINK) -rpath $(libexecdir) -module -avoid-version mod_fcgid.lo fcgid_bridge.lo fcgid_conf.lo fcgid_pm_main.lo fcgid_protocol.lo fcgid_spawn_ctl.lo fcgid_proctbl_unix.lo fcgid_pm_unix.lo fcgid_proc_unix.lo fcgid_bucket.lo fcgid_filter.lo fcgid_mutex_unix.lo ++ $(SH_LINK) -rpath $(libexecdir) -module -avoid-version mod_fcgid.lo fcgid_bridge.lo fcgid_conf.lo fcgid_pm_main.lo fcgid_protocol.lo fcgid_spawn_ctl.lo fcgid_proctbl_unix.lo fcgid_pm_unix.lo fcgid_proc_unix.lo fcgid_bucket.lo fcgid_filter.lo fcgid_mutex_unix.lo $(MOD_FCGID_LDADD) + DISTCLEAN_TARGETS = modules.mk + static = + shared = mod_fcgid.la diff --git a/SOURCES/mod_fcgid-tmpfs.conf b/SOURCES/mod_fcgid-tmpfs.conf new file mode 100644 index 0000000..d7103ba --- /dev/null +++ b/SOURCES/mod_fcgid-tmpfs.conf @@ -0,0 +1 @@ +d /run/mod_fcgid 0775 root apache diff --git a/SPECS/mod_fcgid.spec b/SPECS/mod_fcgid.spec new file mode 100644 index 0000000..0573dcb --- /dev/null +++ b/SPECS/mod_fcgid.spec @@ -0,0 +1,555 @@ +# Fedora 5, 6, and 7 versions includes SELinux policy module package +# Fedora 8 and 9 versions include policy in errata selinux-policy releases +# Fedora 10 onwards include policy in standard selinux-policy releases +# RHEL 5.5 onwards include policy in standard selinux-policy releases +%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel} +%global selinux_module 0 +%global selinux_types %{nil} +%global selinux_variants %{nil} +%global selinux_buildreqs %{nil} +%else +%global selinux_module 1 +%global selinux_types %(awk '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null) +%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types}) +%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink +%endif + +# apxs script location +%{!?_httpd_apxs: %global _httpd_apxs %{_sbindir}/apxs} + +# Module Magic Number +%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)} + +# Configuration directory +%{!?_httpd_confdir: %global _httpd_confdir %{_sysconfdir}/httpd/conf.d} + +# For httpd ≥ 2.4 we have a different filesystem layout +%if 0%{?fedora} > 17 || 0%{?rhel} > 6 +%global httpd24 1 +%global rundir /run +%else +%global httpd24 0 +%global rundir %{_localstatedir}/run +%endif + +Name: mod_fcgid +Version: 2.3.9 +Release: 16%{?dist} +Summary: FastCGI interface module for Apache 2 +Group: System Environment/Daemons +License: ASL 2.0 +URL: http://httpd.apache.org/mod_fcgid/ +Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2 +Source1: fcgid.conf +Source2: mod_fcgid-2.1-README.RPM +Source3: mod_fcgid-2.1-README.SELinux +Source4: mod_fcgid-tmpfs.conf +Source5: fcgid24.conf +Source10: fastcgi.te +Source11: fastcgi-2.5.te +Source12: fastcgi.fc +Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch +Patch1: mod_fcgid-2.3.9-r1847623.patch +Patch2: mod_fcgid-2.3.9-r1848298.patch +Patch3: mod_fcgid-2.3.9-r1847624.patch +Patch4: mod_fcgid-2.3.9-r1848311.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +BuildRequires: httpd-devel >= 2.0, pkgconfig +Requires: httpd-mmn = %{_httpd_mmn} +# systemd-units needed for ownership of /usr/lib/tmpfiles.d directory +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +Requires: systemd-units +%endif +# Make sure that selinux-policy is sufficiently up-to-date if it's installed +# FastCGI policy properly incorporated into EL 5.5 +%if "%{?rhel}" == "5" +Conflicts: selinux-policy < 2.4.6-279.el5 +# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing +Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +%endif +%if "%{?fedora}" == "8" +Conflicts: selinux-policy < 3.0.8-123.fc8 +%endif +%if "%{?fedora}" == "9" +Conflicts: selinux-policy < 3.3.1-107.fc9 +%endif +%if "%{?fedora}" == "10" +Conflicts: selinux-policy < 3.5.13-8.fc10 +%endif + +%description +mod_fcgid is a binary-compatible alternative to the Apache module mod_fastcgi. +mod_fcgid has a new process management strategy, which concentrates on reducing +the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon +as possible. + +%if %{selinux_module} +%package selinux +Summary: SELinux policy module supporting FastCGI applications with mod_fcgid +Group: System Environment/Base +BuildRequires: %{selinux_buildreqs} +# selinux-policy is required for directory ownership of %%{_datadir}/selinux/* +# +# version requirement is a hack to avoid problems mixing new modules with older policy, +# e.g. http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html +# _selinux_policy_version introduced in F-20 (#999584), but can be emulated by +# pulling the policy version number from the policyhelp file on older distributions +%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null || echo 0.0.0)} +%global selinux_policynum %(echo %{_selinux_policy_version} | awk -F. '{ printf "%d%02d%02d", $1, $2, $3 }') +Requires: selinux-policy >= %{_selinux_policy_version} +Requires: %{name} = %{version}-%{release} +Requires(post): /usr/sbin/semodule, /sbin/restorecon +Requires(postun): /usr/sbin/semodule, /sbin/restorecon + +%description selinux +SELinux policy module supporting FastCGI applications with mod_fcgid. +%endif + +%prep +%setup -q +cp -p %{SOURCE1} fcgid.conf +cp -p %{SOURCE2} README.RPM +cp -p %{SOURCE3} README.SELinux +cp -p %{SOURCE5} fcgid24.conf +%if 0%{?selinux_policynum} < 20501 +cp -p %{SOURCE10} fastcgi.te +%else +cp -p %{SOURCE11} fastcgi.te +%endif +cp -p %{SOURCE12} fastcgi.fc + +# Fix shellbang in fixconf script for our location of sed +%if 0%{?fedora} < 24 && 0%{?rhel} < 8 +%patch0 -p1 +%endif +%patch1 -p1 -b .r1847623 +%patch2 -p1 -b .r1848298 +%patch3 -p1 -b .r1847624 +%patch4 -p1 -b .r1848311 + +%build +APXS=%{_httpd_apxs} ./configure.apxs +make +%if %{selinux_module} +for selinuxvariant in %{selinux_variants} +do + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile + mv fastcgi.pp fastcgi.pp.${selinuxvariant} + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean +done +%endif + +%install +rm -rf %{buildroot} +make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install +%if %{httpd24} +mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}} +echo "LoadModule fcgid_module modules/mod_fcgid.so" > %{buildroot}%{_httpd_modconfdir}/10-fcgid.conf +install -D -m 644 fcgid24.conf %{buildroot}%{_httpd_confdir}/fcgid.conf +%else +install -D -m 644 fcgid.conf %{buildroot}%{_httpd_confdir}/fcgid.conf +%endif +install -d -m 755 %{buildroot}%{rundir}/mod_fcgid + +# Include the manual as %%doc, don't need it elsewhere +%if %{httpd24} +rm -rf %{buildroot}%{_httpd_contentdir}/manual +%else +rm -rf %{buildroot}%{_var}/www/manual +%endif + +# Make sure %%{rundir}/mod_fcgid exists at boot time for systems +# with %%{rundir} on tmpfs (#656625) +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +install -d -m 755 %{buildroot}%{_prefix}/lib/tmpfiles.d +install -p -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf +%endif + +# Install SELinux policy modules +%if %{selinux_module} +for selinuxvariant in %{selinux_variants} +do + install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant} + install -p -m 644 fastcgi.pp.${selinuxvariant} \ + %{buildroot}%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp +done +# Hardlink identical policy module packages together +hardlink -cv %{buildroot}%{_datadir}/selinux +%endif + +%clean +rm -rf %{buildroot} + +%if %{selinux_module} +%post selinux +# Install SELinux policy modules +for selinuxvariant in %{selinux_variants} +do + /usr/sbin/semodule -s ${selinuxvariant} -i \ + %{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || : +done +# Fix up non-standard directory context from earlier packages +/sbin/restorecon -R %{rundir}/mod_fcgid || : + +%postun selinux +# Clean up after package removal +if [ $1 -eq 0 ]; then + # Remove SELinux policy modules + for selinuxvariant in %{selinux_variants}; do + /usr/sbin/semodule -s ${selinuxvariant} -r fastcgi &> /dev/null || : + done + # Clean up any remaining file contexts (shouldn't be any really) + [ -d %{rundir}/mod_fcgid ] && \ + /sbin/restorecon -R %{rundir}/mod_fcgid &> /dev/null || : +fi +exit 0 +%endif + +%files +%if 0%{?_licensedir:1} +%license LICENSE-FCGID +%else +%doc LICENSE-FCGID +%endif +# mod_fcgid.html.en is explicitly encoded as ISO-8859-1 +%doc CHANGES-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID +%doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog +%doc build/fixconf.sed +%{_libdir}/httpd/modules/mod_fcgid.so +%if %{httpd24} +%config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf +%endif +%config(noreplace) %{_httpd_confdir}/fcgid.conf +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf +%endif +%dir %attr(0775,root,apache) %{rundir}/mod_fcgid/ + +%if %{selinux_module} +%files selinux +%doc fastcgi.fc fastcgi.te README.SELinux +%{_datadir}/selinux/*/fastcgi.pp +%endif + +%changelog +* Thu Dec 13 2018 Joe Orton - 2.3.9-16 +- restrict symbol exports in mod_fcgid.so (#1655035) + +* Mon Dec 10 2018 Joe Orton - 2.3.9-15 +- fix memory consumption for large request bodies (#1654200) + +* Fri Dec 7 2018 Joe Orton - 2.3.9-14 +- fix handling of chunked request bodies (#1656851) + +* Fri Nov 30 2018 Joe Orton - 2.3.9-13 +- increase maximum FcgidInitialEnv to 256 chars (#1651310) + +* Thu May 03 2018 Luboš Uhliarik - 2.3.9-12 +- Related: #1564219 - SELinux prevents httpd from starting when mod_fcgid + is installed + +* Tue Apr 24 2018 Luboš Uhliarik - 2.3.9-11 +- Resolves: #1564219 - SELinux prevents httpd from starting when mod_fcgid + is installed + +* Thu Aug 03 2017 Fedora Release Engineering - 2.3.9-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.3.9-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 2.3.9-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Mar 4 2016 Paul Howarth - 2.3.9-7 +- Use /usr/bin/sed rather than /bin/sed for fixconf script on modern releases +- Drop %%defattr, redundant since rpm 4.4 +- Use %%license where possible + +* Thu Feb 04 2016 Fedora Release Engineering - 2.3.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 2.3.9-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 2.3.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 2.3.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Jan 23 2014 Joe Orton 2.3.9-2 +- Fix _httpd_mmn expansion in absence of httpd-devel + +* Tue Oct 8 2013 Paul Howarth 2.3.9-1 +- Update to 2.3.9 + - SECURITY: Fix possible heap buffer overwrite (CVE-2013-4365) + - Add experimental cmake-based build system for Windows + - Correctly parse quotation and escaped spaces in FcgidWrapper and the AAA + Authenticator/Authorizor/Access directives' command line argument, as + currently documented (PR#51194) + - Honor quoted FcgidCmdOptions arguments (notably for InitialEnv + assignments) (PR#51657) + - Conform script response parsing with mod_cgid and ensure no response body + is sent when ap_meets_conditions() determines that request conditions are + met + - Improve logging in access control hook functions + - Avoid making internal sub-requests and processing Location headers when in + FCGI_AUTHORIZER mode, as the auth hook functions already treat Location + headers returned by scripts as an error since redirections are not + meaningful in this mode + - Revert fix for PR#53693, added in 2.3.8 but undocumented + - Fix issues with a minor optimization added in 2.3.8 + +* Sat Aug 03 2013 Fedora Release Engineering 2.3.7-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering 2.3.7-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jul 20 2012 Fedora Release Engineering 2.3.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 4 2012 Paul Howarth 2.3.7-4 +- Move tmpfiles.d config from %%{_sysconfdir} to %%{_prefix}/lib + +* Wed May 2 2012 Paul Howarth 2.3.7-3 +- Make %%files list more explicit + +* Wed May 2 2012 Joe Orton 2.3.7-2 +- Use 10- prefix for conf file in conf.modules.d with httpd ≥ 2.4 +- Use _httpd_confdir throughout + +* Mon Apr 23 2012 Paul Howarth 2.3.7-1 +- Update to 2.3.7 + - Introduce FcgidWin32PreventOrphans directive on Windows to use OS Job + Control Objects to terminate all running fcgi's when the worker process + has been abruptly terminated (PR: 51078) + - Periodically clean out the brigades that are pulling in the request body + for handoff to the fcgid child (PR: 51749) + - Resolve crash during graceful restarts (PR: 50309) + - Solve latency/congestion of resolving effective user file access rights + when no such info is desired, for config-related filename stats (PR: 51020) + - Fix regression in 2.3.6 that broke process controls when using + vhost-specific configuration + - Account for first process in class in the spawn score +- Drop patch for CVE-2012-1181, now included in upstream release + +* Tue Mar 27 2012 Paul Howarth 2.3.6-6 +- Fix compatibility with httpd 2.4 in F-18/RHEL-7 onwards +- Use /run rather than /var/run from F-15/RHEL-7 onwards + +* Sun Jan 22 2012 Paul Howarth 2.3.6-5 +- Fix regression in 2.3.6 that broke process controls when using vhost-specific + configuration (upstream issue 49902, #783742, CVE-2012-1181) + +* Fri Jan 6 2012 Paul Howarth 2.3.6-4 +- Nobody else likes macros for commands + +* Tue Feb 8 2011 Fedora Release Engineering 2.3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 1 2010 Paul Howarth 2.3.6-2 +- Add /etc/tmpfiles.d/mod_fcgid.conf for builds on Fedora 15 onwards to + support running with /var/run on tmpfs (#656625) + +* Thu Nov 4 2010 Paul Howarth 2.3.6-1 +- Update to 2.3.6 (see CHANGES-FCGID for full details) + - Fix possible stack buffer overwrite (CVE-2010-3872) + - Change the default for FcgidMaxRequestLen from 1GB to 128K; administrators + should change this to an appropriate value based on site requirements + - Correct a problem that resulted in FcgidMaxProcesses being ignored in some + situations + - Return 500 instead of segfaulting when the application returns no output +- Don't include SELinux policy for RHEL-5 builds since RHEL >= 5.5 includes it +- Explicitly require /bin/sed for fixconf script + +* Tue Jun 8 2010 Paul Howarth 2.3.5-2 +- SELinux policy module not needed for RHEL-6 onwards + +* Wed Jan 27 2010 Paul Howarth 2.3.5-1 +- Update to 2.3.5 (see CHANGES-FCGID for details) +- Drop upstream svn patch + +* Wed Oct 21 2009 Paul Howarth 2.3.4-2 +- Add fixes from upstream svn for a number of issues, most notably that the + fixconf script had an error in the regexp, which resulted in a prefix of + "FcgidFcgid" on the updated directives + +* Mon Oct 12 2009 Paul Howarth 2.3.4-1 +- Update to 2.3.4 (configuration directives changed again) +- Add fixconf.sed script for config file directives update + +* Fri Sep 25 2009 Paul Howarth 2.3.1-2.20090925svn818270 +- Update to svn revision 818270 +- DESTDIR and header detection patches upstreamed +- Build SELinux policy module for EL-5; support in EL-5.3 is incomplete and + will be fixed in EL-5.5 (#519369) +- Drop aliases httpd_sys_content_r{a,o,w}_t -> httpd_fastcgi_content_r{a,o,w}_t + from pre-2.5 SElinux policy module as these types aren't defined there + +* Wed Sep 23 2009 Paul Howarth 2.3.1-1.20090923svn817978 +- Update to post-2.3.1 svn snapshot +- Upstream moved to apache.org +- License changed to ASL 2.0 +- Use FCGID-prefixed config file options (old ones deprecated) +- Lots of documentation changes +- Renumber sources +- Don't defer to mod_fastcgi if both are present +- Drop gawk buildreq +- Add patches fixing RPM build issues (DESTDIR support, header detection) + +* Sat Jul 25 2009 Fedora Release Engineering - 2.2-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue May 26 2009 Paul Howarth 2.2-12 +- Don't use /etc/httpd/run as basis of "run" directory as its DAC permissions + are not permissive enough in F-11 onwards; instead, revert to + /var/run/mod_fcgid and tweak default config accordingly (#502273) + +* Sun May 17 2009 Paul Howarth 2.2-11 +- Follow link /etc/httpd/run and make our "run" directory a subdir of wherever + that leads (#501123) + +* Mon Apr 6 2009 Paul Howarth 2.2-10 +- EL 5.3 now has SELinux support in the main selinux-policy package so handle + that release as per Fedora >= 8, except that the RHEL selinux-policy package + doesn't Obsolete/Provide mod_fcgid-selinux like the Fedora version, so do + the obsoletion here instead + +* Thu Feb 26 2009 Paul Howarth 2.2-9 +- Update documentation for MoinMoin, Rails (#476658), and SELinux + +* Wed Feb 25 2009 Fedora Release Engineering - 2.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Nov 12 2008 Paul Howarth 2.2-7 +- SELinux policy module no longer built for Fedora 8 onwards as it is + obsoleted by the main selinux-policy package +- Conflicts for selinux-policy packages older than the releases where mod_fcgid + policy was incorporated have been added for Fedora 8, 9, and 10 versions, to + ensure that SELinux support will work if installed + +* Tue Oct 21 2008 Paul Howarth 2.2-6 +- SELinux policy module rewritten to merge fastcgi and system script domains + in preparation for merge into main selinux-policy package (#462318) +- Try to determine supported SELinux policy types by reading /etc/selinux/config + +* Thu Jul 24 2008 Paul Howarth 2.2-5 +- Tweak selinux-policy version detection macro to work with current Rawhide + +* Thu Feb 14 2008 Paul Howarth 2.2-4 +- Rebuild with gcc 4.3.0 for Fedora 9 + +* Mon Jan 14 2008 Paul Howarth 2.2-3 +- Update SELinux policy to fix occasional failures on restarts + (move shared memory file into /var/run/mod_fcgid directory) + +* Thu Jan 3 2008 Paul Howarth 2.2-2 +- Update SELinux policy to support file transition to httpd_tmp_t for + temporary files + +* Fri Sep 14 2007 Paul Howarth 2.2-1 +- Update to version 2.2 +- Make sure docs are encoded as UTF-8 + +* Mon Sep 3 2007 Joe Orton 2.1-6 +- rebuild for fixed 32-bit APR (#254241) + +* Thu Aug 23 2007 Paul Howarth 2.1-5 +- Update source URL to point to downloads.sf.net rather than dl.sf.net +- Upstream released new tarball without changing version number, though the + only change was in arch/win32/fcgid_pm_win.c, which is not used to build the + RPM package +- Clarify license as GPL (unspecified/any version) +- Unexpand tabs in spec +- Add buildreq of gawk + +* Fri Aug 3 2007 Paul Howarth 2.1-4 +- Add buildreq of pkgconfig, a missing dependency of both apr-devel and + apr-util-devel on FC5 + +* Fri Jun 15 2007 Paul Howarth 2.1-3 +- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares + and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP + servers +- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the + permissions macros in the underlying selinux-policy package + +* Wed Mar 21 2007 Paul Howarth 2.1-2 +- Add RHEL5 with SELinux support +- Rename README.Fedora to README.RPM + +* Fri Feb 16 2007 Paul Howarth 2.1-1 +- Update to 2.1 +- Update documentation and patches +- Rename some source files to reduce chances of conflicting names +- Include SharememPath directive in conf file to avoid unfortunate upstream + default location + +* Mon Oct 30 2006 Paul Howarth 2.0-1 +- Update to 2.0 +- Source is now hosted at sourceforge.net +- Update docs + +* Wed Sep 6 2006 Paul Howarth 1.10-7 +- Include the right README* files + +* Tue Aug 29 2006 Paul Howarth 1.10-6 +- Buildreqs for FC5 now identical to buildreqs for FC6 onwards + +* Fri Jul 28 2006 Paul Howarth 1.10-5 +- Split off SELinux module into separate subpackage to avoid dependency on + the selinux-policy package for the main package + +* Fri Jul 28 2006 Paul Howarth 1.10-4 +- SELinux policy packages moved from %%{_datadir}/selinux/packages/POLICYNAME + to %%{_datadir}/selinux/POLICYNAME +- hardlink identical policy module packages together to avoid duplicate files + +* Thu Jul 20 2006 Paul Howarth 1.10-3 +- Adjust buildreqs for FC6 onwards +- Figure out where top_dir is dynamically since the /etc/httpd/build + symlink is gone in FC6 + +* Wed Jul 5 2006 Paul Howarth 1.10-2 +- SELinux policy update: allow FastCGI apps to do DNS lookups + +* Tue Jul 4 2006 Paul Howarth 1.10-1 +- Update to 1.10 +- Expand tabs to shut rpmlint up + +* Tue Jul 4 2006 Paul Howarth 1.09-10 +- SELinux policy update: + * allow httpd to read httpd_fastcgi_content_t without having the + | httpd_builtin_scripting boolean set + * allow httpd_fastcgi_script_t to read /etc/resolv.conf without + | having the httpd_can_network_connect boolean set + +* Sun Jun 18 2006 Paul Howarth 1.09-9 +- Discard output of semodule in %%postun +- Include some documentation from upstream + +* Fri Jun 9 2006 Paul Howarth 1.09-8 +- Change default context type for socket directory from var_run_t to + httpd_fastcgi_sock_t for better separation + +* Thu Jun 8 2006 Paul Howarth 1.09-7 +- Add SELinux policy module and README.Fedora +- Conflict with selinux-policy versions older than what we're built on + +* Mon May 15 2006 Paul Howarth 1.09-6 +- Instead of conflicting with mod_fastcgi, don't add the handler for .fcg etc. + if mod_fastcgi is present + +* Fri May 12 2006 Paul Howarth 1.09-5 +- Use correct handler name in fcgid.conf +- Conflict with mod_fastcgi +- Create directory %%{_localstatedir}/run/mod_fcgid for sockets + +* Thu May 11 2006 Paul Howarth 1.09-4 +- Cosmetic tweaks (personal preferences) +- Don't include INSTALL.TXT, nothing of use to end users + +* Wed May 10 2006 Thomas Antony 1.09-3 +- Initial release