| 1 |
# Increment for changes |
| 2 |
module mod_fastcgi 1.0.0; |
| 3 |
|
| 4 |
require { |
| 5 |
type devpts_t; |
| 6 |
type httpd_t; |
| 7 |
type httpd_log_t; |
| 8 |
type httpd_suexec_t; |
| 9 |
type httpd_sys_script_t; |
| 10 |
type httpd_var_run_t; |
| 11 |
class chr_file { ioctl }; |
| 12 |
class dir { setattr create }; |
| 13 |
class file { ioctl }; |
| 14 |
class process { siginh rlimitinh noatsecure }; |
| 15 |
class sock_file { getattr setattr read write unlink create }; |
| 16 |
class unix_stream_socket { read write }; |
| 17 |
}; |
| 18 |
|
| 19 |
# Allow mod_fastcgi to manipulate sockets |
| 20 |
allow httpd_t httpd_var_run_t:sock_file { getattr setattr read write unlink create }; |
| 21 |
allow httpd_sys_script_t httpd_var_run_t:sock_file { getattr setattr read write unlink create }; |
| 22 |
|
| 23 |
# fastcgi is wrapped in suexec, so we need to allow some suexec stuff too |
| 24 |
allow httpd_suexec_t httpd_t:unix_stream_socket { read write }; |
| 25 |
allow httpd_suexec_t httpd_suexec_t:process { siginh rlimitinh noatsecure }; |
| 26 |
allow httpd_suexec_t httpd_sys_script_t:process { siginh rlimitinh noatsecure }; |
| 27 |
|
| 28 |
# Allow httpd to create and use files and sockets for communicating with mod_fastcgi |
| 29 |
allow httpd_t httpd_var_run_t:dir { setattr create }; |
| 30 |
|
| 31 |
# These are probably leaked file descriptors (per Atomic mod_fcgi-selinux RPM) |
| 32 |
dontaudit httpd_t devpts_t:chr_file ioctl; |
| 33 |
dontaudit httpd_sys_script_t httpd_log_t:file ioctl; |
Parent Directory
| 
Revision Log
| 
Revision Graph
