Talk:SELinux
From MediaWiki.org
Using Red Hat Enterprise Linux 4, with SELinux enabled, you need to allow MySQL certain permissions:
/usr/sbin/setsebool -P mysqld_disable_trans 1
I don't quite understand what it does or how SELinux works yet, but MySQL doesn't work unless you do this.
Once the installation for MediaWiki begins, httpd tries to open a connection to MySQL and SELinux is not allowing it. I get this error message in /var/log/messages:
kernel: audit(1155757761.753:257): avc: denied { connectto } for pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
I'm not sure how to correct for this (just yet) and I don't want to disable SELinux. If anyone knows, please email me, golharam@umdnj.edu. Until then I'll look for a solution and if I find out, I'll post it here.
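To read a denial like the one quoted above field by field, the following added example (not part of the original posts) parses the AVC line into its source domain, target type, object class and requested permissions. The function names are made up for illustration, and the sample line is the one from the post.

```python
import re
from datetime import datetime, timezone

# The denial quoted in the post above, embedded so the example runs offline.
SAMPLE = (
    'kernel: audit(1155757761.753:257): avc: denied { connectto } for pid=8080 '
    'comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t '
    'tcontext=root:system_r:initrc_t tclass=unix_stream_socket'
)

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level is absent in this log line."""
    user, role, setype, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype,
            'level': level[0] if level else None}

def parse_avc(line):
    """Return a dict describing one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['rest'])}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'time': datetime.fromtimestamp(float(m['epoch']), tz=timezone.utc),
        'serial': int(m['serial']),
        'result': m['result'],
        'perms': m['perms'].split(),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }

def summarize(rec):
    """One line: which domain was refused which permission on which type/class."""
    return '{} {{ {} }}: {} ({}) -> {}:{} name={}'.format(
        rec['result'], ' '.join(rec['perms']), rec['source']['type'],
        rec['fields'].get('comm', '?'), rec['target']['type'], rec['tclass'],
        rec['fields'].get('name', '?'))

print(summarize(parse_avc(SAMPLE)))
```

For the quoted line the summary shows httpd_t being refused connectto on a unix_stream_socket whose target type is initrc_t, so the type of the process that owns mysql.sock is the field to look at.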
Setting the Context
This text was originally on Manual:Installing MediaWiki but I think it is covered by the stuff on this page. Please add it back in if it is different.
If you are running a distribution with SELinux, e.g. Fedora Core, be sure to set the context on the installation directory correctly, e.g.:
ls -aZ
chcon -R system_u:object_r:httpd_sys_content_t wiki
--Cneubauer 19:02, 29 August 2007 (UTC)
Better context set method?
/sbin/restorecon -R -v /var/www/html/wiki
This sets the context (on CentOS 5.1) to type: httpd_sys_content_t instead of type: httpd_user_content_t, similar to how Cneubauer mentions.
Does anybody know the practical differences between the _sys_ and _user_ types? Both seem to work fine on my box. Also, I didn't have to do any tweaking for mysql, but it lives on localhost, so maybe that's the difference.
And while I'm here talking about MediaWiki on SELinux, I have a problem with file uploads and ulimit causing an audit warning. Also, sendmail.sendmail causes an audit warning. Haven't figured out how to fix those yet.
--sankeyl(a)colorado.edu 30 Jan 2008