| 1 |
jpp |
1.1 |
# Increment for changes |
| 2 |
|
|
module mod_fastcgi 1.0.0; |
| 3 |
|
|
|
| 4 |
|
|
require { |
| 5 |
|
|
type devpts_t; |
| 6 |
|
|
type httpd_t; |
| 7 |
|
|
type httpd_log_t; |
| 8 |
|
|
type httpd_suexec_t; |
| 9 |
|
|
type httpd_sys_script_t; |
| 10 |
|
|
type httpd_var_run_t; |
| 11 |
|
|
class chr_file { ioctl }; |
| 12 |
|
|
class dir { setattr create }; |
| 13 |
|
|
class file { ioctl }; |
| 14 |
|
|
class process { siginh rlimitinh noatsecure }; |
| 15 |
|
|
class sock_file { getattr setattr read write unlink create }; |
| 16 |
|
|
class unix_stream_socket { read write }; |
| 17 |
|
|
}; |
| 18 |
|
|
|
| 19 |
|
|
# Allow mod_fastcgi to manipulate sockets |
| 20 |
|
|
allow httpd_t httpd_var_run_t:sock_file { getattr setattr read write unlink create }; |
| 21 |
|
|
allow httpd_sys_script_t httpd_var_run_t:sock_file { getattr setattr read write unlink create }; |
| 22 |
|
|
|
| 23 |
|
|
# fastcgi is wrapped in suexec, so we need to allow some suexec stuff too |
| 24 |
|
|
allow httpd_suexec_t httpd_t:unix_stream_socket { read write }; |
| 25 |
|
|
allow httpd_suexec_t httpd_suexec_t:process { siginh rlimitinh noatsecure }; |
| 26 |
|
|
allow httpd_suexec_t httpd_sys_script_t:process { siginh rlimitinh noatsecure }; |
| 27 |
|
|
|
| 28 |
|
|
# Allow httpd to create and use files and sockets for communicating with mod_fastcgi |
| 29 |
|
|
allow httpd_t httpd_var_run_t:dir { setattr create }; |
| 30 |
|
|
|
| 31 |
|
|
# These are probably leaked file descriptors (per Atomic mod_fcgi-selinux RPM) |
| 32 |
|
|
dontaudit httpd_t devpts_t:chr_file ioctl; |
| 33 |
|
|
dontaudit httpd_sys_script_t httpd_log_t:file ioctl; |
Parent Directory
| 
Revision Log
| 
Revision Graph
