Bug 195666 - Review Request: mod_fcgid
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Michael Fleming
QA Contact: Fedora Package Reviews List
Keywords: Reopened
Blocks: FE-ACCEPT
Reported: 2006-06-16 10:08 EDT by Paul Howarth
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-09-06 10:25:28 EDT

Description Paul Howarth 2006-06-16 10:08:22 EDT
Spec URL: http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid.spec
SRPM URL: http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid-1.09-8.fc5.src.rpm

Description:

mod_fcgid is a binary-compatible alternative to the Apache module mod_fastcgi.
mod_fcgid has a new process management strategy, which concentrates on reducing
the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
as possible.

This package contains a loadable SELinux policy module to support its operation when built on FC5 or later. Hopefully the review process for this package will help to find any SELinux-related issues, and also reveal if there are any issues with the SELinux-related scriptlets for systems using different policies, or even with SELinux disabled. The long-term plan is to submit this policy for inclusion in the SELinux reference policy and remove it from this package.
Comment 1 Michael Fleming 2006-06-18 01:57:08 EDT
NEEDSWORK (but not much)

Review for release 8.fc5:
* RPM name is OK
* Source mod_fcgid.1.09.tar.gz is the same as upstream
* Works OK (some of my scripts aren't ready for it though. :-))
* Builds OK in mock (Core 5, i386 and x86_64)

Needs work:
* Spec file: some paths are not replaced with RPM macros
  (wiki: QAChecklist item 7)

Note from me: Your spec uses a lot of %{_rm} style expansions (rather
than plain ol' whatever-"rm"-is-in-$PATH) so this may confuse rpmlint
et al. I personally don't have an issue with it as long as it's
readable and consistent.

* The BuildRoot must be cleaned at the beginning of %install


Notes:
* I got the following barf to console when removing the package via
  rpm -e (FC5, up-to-date targeted policy)

	[root@pong mfleming]# rpm -e mod_fcgid
	/usr/sbin/semodule: SELinux policy is not managed or store cannot be
	accessed.
	/usr/sbin/semodule: SELinux policy is not managed or store cannot be
	accessed.
	libsepol.sepol_genbools_array: boolean
	allow_httpd_fastcgi_script_anon_write no longer in policy

I do like having the policy there, mind you. I should probably do something
similar for mlmmj (which can be tricky with targeted policy out of the box)

* Would it be possible/useful to scrape the upstream documentation,
  primarily for the extra directives info?
Comment 2 Paul Howarth 2006-06-18 05:21:04 EDT
(In reply to comment #1)
> NEEDSWORK (but not much)
> 
> Review for release 8.fc5:
> * RPM name is OK
> * Source mod_fcgid.1.09.tar.gz is the same as upstream
> * Works OK (some of my scripts aren't ready for it though. :-))
> * Builds OK in mock (Core 5, i386 and x86_64)
> 
> Needs work:
> * Spec file: some paths are not replaced with RPM macros
>   (wiki: QAChecklist item 7)

I think I've got this right; paths where this package installs things to are
replaced by macros, whereas paths referring to files owned by different packages
(e.g. selinux-policy) are hardcoded. This allows the person building the package
to put things in different places by changing the macro definitions, which
wouldn't work if directory macros were used for files owned by other packages.

> Note from me: Your spec uses a lot of %{_rm} style expansions (rather
> than plain ol' whatever-"rm"-is-in-$PATH) so this may confuse rpmlint
> et al. I personally don't have an issue with it as long as it's
> readable and consistent.

Good, as that's my preferred style that I use in all of my packages. rpmlint has
no problems expanding the macros.

> * The BuildRoot must be cleaned at the beginning of %install

It is:
%install
%{__rm} -rf %{buildroot}

> Notes:
> * I got the following barf to console when removing the package via
>   rpm -e (FC5, up-to-date targeted policy)
> 
> 	[root@pong mfleming]# rpm -e mod_fcgid
> 	/usr/sbin/semodule: SELinux policy is not managed or store cannot be
> 	accessed.
> 	/usr/sbin/semodule: SELinux policy is not managed or store cannot be
> 	accessed.
> 	libsepol.sepol_genbools_array: boolean
> 	allow_httpd_fastcgi_script_anon_write no longer in policy

I missed discarding the output of semodule in %postun; I'll fix that.

> I do like having the policy there, mind you. I should probably do something
> similar for mlmmj (which can be tricky with targeted policy out of the box)

If you need any help with that, you'll get good advice over on fedora-selinux-list.

> * Would it be possible/useful to scrape the upstream documentation,
>   primarily for the extra directives info?

I've now included a copy of the "configuration" and "documentation" pages from
the upstream website.

Updated packages (1.09-9) available here:
http://www.city-fan.org/~paul/extras/mod_fcgid/
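
The fix mentioned in Comment 2 (discarding semodule's output in %postun), written out as scriptlet bodies; this is an added example, not part of the thread and not taken from the mod_fcgid spec. The policy variant list, the overridable `SEMODULE` and `SELINUX_DATADIR` variables, the function names and the module name passed in are assumptions made so the logic can be run outside rpm.

```shell
#!/bin/sh
# Added example: scriptlet bodies for a package shipping an SELinux module.
# Assumptions for the demo: the variant list, and SEMODULE / SELINUX_DATADIR
# being overridable so the logic can be exercised without a policy store.
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
SELINUX_VARIANTS="${SELINUX_VARIANTS:-targeted strict mls}"
SELINUX_DATADIR="${SELINUX_DATADIR:-/usr/share/selinux}"

# %post body: load MODULE into every policy store that ships it.
post_selinux() {
    module=$1
    for variant in $SELINUX_VARIANTS; do
        # An absent or unmanaged store makes semodule print an error and
        # exit non-zero; discard both streams and ignore the status so the
        # rpm transaction stays quiet and does not fail.
        "$SEMODULE" -s "$variant" -i \
            "$SELINUX_DATADIR/$variant/$module.pp" >/dev/null 2>&1 || :
    done
    return 0
}

# %postun body: REMAINING is rpm's $1, the number of package instances left
# after the transaction (0 = final erase, 1 = upgrade).
postun_selinux() {
    remaining=$1
    module=$2
    # On upgrade the module must stay loaded; only unload on final erase.
    [ "$remaining" -eq 0 ] || return 0
    for variant in $SELINUX_VARIANTS; do
        "$SEMODULE" -s "$variant" -r "$module" >/dev/null 2>&1 || :
    done
    return 0
}
```

In a spec file the two bodies would sit under `%post` and `%postun` with `$1` passed through as the remaining-instance count.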
Comment 3 Paul Howarth 2006-07-04 06:33:10 EDT
Package updated to -10:
http://www.city-fan.org/~paul/extras/mod_fcgid/

I updated the SELinux policy module to allow httpd to read
httpd_fastcgi_content_t content without having to set the
httpd_builtin_scripting boolean.
Comment 4 Paul Howarth 2006-07-04 09:50:27 EDT
A new upstream version (1.10) has been released.

I have also updated the SELinux policy to allow httpd_fastcgi_script_t to read
/etc/resolv.conf without having the httpd_can_network_connect boolean set.

Packages (1.10-1) available in usual place:
http://www.city-fan.org/~paul/extras/mod_fcgid/
Comment 5 Paul Howarth 2006-07-05 07:21:46 EDT
I have updated the SELinux policy again to allow FastCGI apps to do DNS lookups.

Packages (1.10-2) available in usual place:
http://www.city-fan.org/~paul/extras/mod_fcgid/
Comment 6 Michael Fleming 2006-07-20 05:08:14 EDT
Sorry about the time taken to knock this one over, been ill or busy or both.

- All the items I'd previously pointed out are well and truly fixed
- The SELinux module is EXTREMELY cool and much appreciated, a fair bit of
consideration has gone into it. Anything that encourages people to better
consider system security (in a sane and non-onerous manner) is a Good Thing.

Two thumbs up, APPROVED.
Comment 7 Paul Howarth 2006-07-20 11:27:11 EDT
Bug appears to have been closed by mistake.

I have some tweaks I need to make here, as the selinux-policy package has been
split into selinux-policy and selinux-policy-devel in rawhide. I'll upload a
version that builds on rawhide shortly.
Comment 8 Paul Howarth 2006-07-21 05:09:02 EDT
Update to package so that it builds in rawhide, where the /etc/httpd/build
symlink has gone, and selinux-policy-devel is required.

Packages (1.10-3) available in usual place:
http://www.city-fan.org/~paul/extras/mod_fcgid/

Could you just give this new package a try and re-approve, since this is what
I'd be importing into CVS?

As a matter of interest, which application(s) have you tried this with?
Comment 9 Paul Howarth 2006-07-28 11:28:58 EDT
Update to package, moving SELinux policy modules from
/usr/share/selinux/packages/POLICYNAME to /usr/share/selinux/POLICYNAME now that
the Core selinux-policy (in rawhide, should be updated in FC5 with the next
update) no longer automatically tries to link all modules in this directory, and
includes the correct directory ownership.

This package version also hardlinks the policy module packages together if
they're identical, thus avoiding duplicate files.

Packages (1.10-4) available in usual place:
http://www.city-fan.org/~paul/extras/mod_fcgid/
Comment 10 Paul Howarth 2006-07-29 05:23:00 EDT
Another update. I've split the SELinux policy module off into a subpackage. This
has the benefit for people not using SELinux that the main package has no
dependency on selinux-policy, and installation time is reduced as there are no
scriptlets to run.

Packages (1.10-5) available in usual place:
http://www.city-fan.org/~paul/extras/mod_fcgid/
Comment 11 Paul Howarth 2006-08-29 11:56:10 EDT
Another update. The recent FC5 selinux-policy package update has split out a
separate selinux-policy-devel package, as per FC6. So the buildreqs are now the
same for FC5 and FC6 onwards.

Packages (1.10-6) available in usual place:
http://www.city-fan.org/~paul/extras/mod_fcgid/
Comment 12 Paul Howarth 2006-09-06 09:05:18 EDT
Given that this package was approved (Comment #6) earlier, I shall now import
and build it.
Comment 13 Paul Howarth 2006-09-06 10:25:28 EDT
 16330 (mod_fcgid): Build on target fedora-development-extras succeeded.
     Build logs may be found at
http://buildsys.fedoraproject.org/logs/fedora-development-extras/16330-mod_fcgid-1.10-7.fc6/

owners.list updated, FE6 comps entry added, FE-5 branch request made
