SELinux
From MediaWiki.org
To install MediaWiki on a system running SELinux the following additional steps must be performed:
chcon -R -t httpd_user_content_t /path/to/mediawiki_install
After building the PHP fileinfo extension:
chcon -t httpd_sys_script_exec_t /usr/lib/php/modules/fileinfo.so
Any additional files which will be exec()ed by apache must be httpd_user_script_exec_t (not including PHP files). Files which are httpd_*_script_exec_t may not be written to by the apache process. Ideally the MediaWiki executable (PHP) files should all be set httpd_user_script_exec_t but this is not required by the current SELinux policy.
Upload Directories
If uploads are enabled in your configuration, you might encounter a context problem because of the tmp directory used during the file upload process. Creating a tmp directory in /var/www/ instead of using /tmp or the 'default setting' for upload_tmp_dir in /etc/php.ini can get around this problem. Be sure to chmod, chgrp and chcon this new tmp directory correctly.
Uploading Images
If the MediaWiki directories were copied or moved to migrate from an old system to another system that has SELinux enabled (enforcing), then the copied/moved files and directories may not have the correct SELinux context types. If this is the case, image uploads and thumbnail creation could be prevented by SELinux enforcement even if the owner and permissions are already set correctly.
The includes/GlobalFunctions.php script file (and possibly other .php files in the MediaWiki install directory) must have the SELinux context type httpd_sys_script_exec_t to permit use of PHP's mkdir() function. Without the correct context on the script, file uploads or thumbnail creation may fail on the attempt to create a hashed directory on the server. From the wiki base install directory, check for the correct SELinux context by entering the command:
ls -Z includes/GlobalFunctions.php
If the listed SELinux security context type is not httpd_sys_script_exec_t, change it with the command:
chcon -t httpd_sys_script_exec_t includes/GlobalFunctions.php
Assuming the permissions (755) and owner (usually 'apache') on the images directory are correct, the entire images directory tree must have the httpd_sys_script_rw_t SELinux context type so that scripts (.php files) running in the web server process are allowed read/write access. Check this with the command:
ls -dZ images
If the listed SELinux security context type is not httpd_sys_script_rw_t, change it with the command:
chcon -R -t httpd_sys_script_rw_t images
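As an added example (not part of the MediaWiki page), here is a small POSIX shell audit that parses `ls -Z` output and flags files whose SELinux type differs from the ones required above, printing the chcon command that would correct each one. It assumes the two-column `ls -Z` format (context, then path) and uses a constructed sample listing so it runs without SELinux present.

```shell
#!/bin/sh
# Added example (not from the MediaWiki page): audit SELinux types on the
# files the page calls out, by parsing `ls -Z` output ("context path" lines).
# The listings below are constructed sample input; on a real host feed in
# the output of: ls -Z includes/*.php   and   ls -dZ images

# Return the SELinux type field of a context string (user:role:TYPE:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_line "<context> <path>" <expected_type>
# Prints OK or MISMATCH (with the fixing chcon command) and returns 0 when
# the type matches, 1 otherwise. Assumes the path contains no spaces.
check_line() {
    ctx=${1%% *}
    path=${1#* }
    expected=$2
    actual=$(selinux_type "$ctx")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $path is $actual"
        return 0
    fi
    echo "MISMATCH $path is $actual, expected $expected -> chcon -t $expected $path"
    return 1
}

# audit_listing <expected_type>: reads "context path" lines on stdin,
# reports each one on stderr and echoes the number of mismatches on stdout.
audit_listing() {
    expected=$1
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        check_line "$line" "$expected" >&2 || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample: one correctly labelled script and one copied from a
# home directory that kept its user_home_t label (the migration problem
# described above).
SAMPLE_SCRIPTS='system_u:object_r:httpd_sys_script_exec_t:s0 includes/GlobalFunctions.php
unconfined_u:object_r:user_home_t:s0 includes/Setup.php'
SAMPLE_IMAGES='system_u:object_r:httpd_sys_script_rw_t:s0 images'

script_mismatches() { printf '%s\n' "$SAMPLE_SCRIPTS" | audit_listing httpd_sys_script_exec_t; }
image_mismatches()  { printf '%s\n' "$SAMPLE_IMAGES"  | audit_listing httpd_sys_script_rw_t; }

script_mismatches   # prints 1 (Setup.php is mislabelled)
image_mismatches    # prints 0
```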
Other handy SELinux tricks
To find out if SELinux is enabled on your system:
getenforce
audit2allow is a perl script that interprets the SELinux errors and constructs the right rules to overcome various problems.
/usr/bin/audit2allow -i /var/log/messages
It outputs the lines you need to add to your policies to permit things that are reported as failing.
In /var/log/messages you should find an id corresponding to the selinux error that occurred.
sealert -l <id>
will give more information. One possible source of error is that you copied the uncompressed installation files from a home directory to a system area, thereby invalidating their security context. This can be addressed by a command such as:
restorecon -R -v /var/www/html/mediawiki
When all else fails, try this:
man setenforce
Updating Local Policy Contexts
Changes made by using chcon are only temporary, in that they will be overwritten by any subsequent action which relabels the files (e.g. restorecon, make relabel, etc). To avoid this, you can add custom context entries to your local policy using the semanage utility. These entries are stored in a separate file, file_contexts.local, which is not part of the base SELinux policy. The entries in this file always override the entries in the base policy.
For example, the following commands will label your main wiki files as httpd_user_content_t, your PHP scripts as httpd_user_script_exec_t, and your images directory for uploading as httpd_user_script_rw_t:
semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\.php5?'
semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
semanage fcontext -a -t httpd_user_script_rw_t '/path/to/mediawiki/install/images(/.*)?'
After running these commands, relabel the files and verify the result (the -v flag prints each change made) by running
restorecon -R -v /path/to/mediawiki/install