I've just moved my personal moin wiki from mod_python to FastCGI for
performance reasons (it's well worth it!). For people who don't know,
FastCGI works by starting up one or more copies of a CGI application and
keeping them running, passing requests from the server to the application
over a socket. This avoids the per-request startup overhead that regular
CGI incurs.
I needed the policy module below to get it working. I'm not sure exactly
what all of the "allows" are allowing, so advice would be welcome
(sample AVCs are included).
Regarding support for FastCGI in the standard policy, perhaps
appropriate rules could be added under a boolean httpd_enable_fastcgi or
even added to the features enabled with httpd_enable_cgi?
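policy_module(apache, 0.1.0)

require {
	type httpd_sys_script_t;
	type httpd_log_t;
	type httpd_t;
	type devpts_t;
	type var_run_t;
};

# ==========================================================
# Local rules needed for mod_fcgid (FastCGI under httpd).
#
# Each allow below is paired with the AVC denial that motivated it.
# The audit records were line-wrapped when pasted; every continuation
# line now carries a '#' so the module actually compiles.
#
# Review notes:
#  - Two of the SYSCALL records show success=yes next to an AVC denial,
#    which suggests they were captured while the system (or domain) was
#    permissive -- re-test in enforcing mode before relying on the set.
#  - Where a denial is only a harmless probe (isatty()-style ioctls),
#    a dontaudit rule silences the noise without granting anything new;
#    that is usually the better least-privilege choice than an allow.
# ==========================================================

# The FastCGI application (python, httpd_sys_script_t) issuing an ioctl
# on the httpd error log.
# a0=1 is the application's stdout and a1=5401 looks like TCGETS on i386,
# i.e. an isatty()-style probe; exit=-25 (ENOTTY) is the file itself
# saying "not a terminal".  The probe does not need to succeed, so
#   dontaudit httpd_sys_script_t httpd_log_t:file ioctl;
# should be sufficient -- TODO confirm the application runs correctly
# with dontaudit instead of allow.
# ----------------------------------------------------------------------
#type=AVC msg=audit(1147697748.197:15226): avc: denied { ioctl } for
# pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988
# scontext=user_u:system_r:httpd_sys_script_t:s0
# tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
#type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54
# success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 items=0
# pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
# sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
#type=AVC_PATH msg=audit(1147697748.197:15226):
# path="/var/log/httpd/error_log"
allow httpd_sys_script_t httpd_log_t:file ioctl;

# The FastCGI application listening for FastCGI requests on its socket.
# The socket is labelled httpd_t, i.e. it was created by httpd itself
# (presumably by mod_fcgid) and inherited by the script -- confirm.
# No AVC sample was kept for this rule; capture the actual denials before
# keeping all four permissions, since each one here is a guess.
# ----------------------------------------------------------------------
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr
	ioctl listen };

# httpd (httpd_t) doing an ioctl on /dev/pts/2.
# a0=0 is httpd's fd 0 and a1=5401 is again TCGETS-like, so this looks
# like an isatty() check on a pty that httpd inherited -- most likely
# because it was started from an interactive shell rather than by the
# init script (TODO confirm; started by init there should be no pty).
# If so the rule is not needed for normal service operation and a
# dontaudit (the terminal module provides generic-pty dontaudit
# interfaces, e.g. term_dontaudit_use_generic_ptys -- check terminal.if
# for the exact name) is preferable to a persistent allow.
# Note success=yes here: the denial was recorded in permissive mode.
# ---------------------------
#type=AVC msg=audit(1147699050.131:15341): avc: denied { ioctl } for
# pid=16705 comm="httpd" name="2" dev=devpts ino=4
# scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0
# tclass=chr_file
#type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 syscall=54
# success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 items=0
# pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
# sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
#type=AVC_PATH msg=audit(1147699050.131:15341): path="/dev/pts/2"
allow httpd_t devpts_t:chr_file ioctl;
# perhaps it should be term_ioctl_generic_ptys(httpd_t)

# mod_fcgid setting attributes on its socket directory.
# The directory (/etc/httpd/run/mod_fcgid, mode 0755, owned by uid/gid 48)
# is labelled generic var_run_t, so this allow lets httpd_t setattr on
# *every* var_run_t directory, not just its own.  The narrower fix is a
# file-context entry labelling the mod_fcgid directory with the apache
# module's own run-time type (httpd_var_run_t), which already carries the
# permissions httpd_t needs; then no rule on var_run_t is required at all
# -- TODO verify the label after restorecon and drop this allow.
# syscall=212 is chown32 on i386 (verify), consistent with httpd handing
# the directory to the apache user after creating it.
# ----------------------------------------
# type=AVC msg=audit(1147697688.037:15216): avc: denied { setattr } for
# pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818
# scontext=user_u:system_r:httpd_t:s0
# tcontext=system_u:object_r:var_run_t:s0 tclass=dir
# type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 success=yes
# exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656
# auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
# comm="httpd" exe="/usr/sbin/httpd"
# type=CWD msg=audit(1147697688.037:15216): cwd="/"
# type=PATH msg=audit(1147697688.037:15216): item=0 name="/etc/httpd/run/mod_fcgid"
# flags=1 inode=458818 dev=fd:04 mode=040755 ouid=48 ogid=48 rdev=00:00
allow httpd_t var_run_t:dir setattr;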
Paul.