SELinux/fr

Pour installer MediaWiki sur un système exécutant SELinux exécutez les étapes suivantes supplémentaires :

chcon -R -t httpd_user_content_t /path/to/mediawiki_install Après avoir construit l'extension fileinfo PHP :

chcon -t httpd_sys_script_exec_t /usr/lib/php/modules/fileinfo.so Any additional files which will be execed by apache must be httpd_user_script_exec_t (not including PHP files). Les fichiers httpd_*_script_exec_t peuvent ne pas être écrits par le processus Apache. Ideally the MediaWiki executable (PHP) files should all be set httpd_user_script_exec_t but this is not required by the current SELinux policy.

Répertoires de téléversement
Si les téléversements sont autorisés dan svotre configuration, vous pouvez rencontrer un problème de contexte à cause du répertoire tmp utilisé pendant le processus de téléversement de fichiers. Vous pouvez contourner le problème en créant un répertoire tmp dans /var/www/ au lieu d'utiliser /tmp ou le 'répertoire par défaut' pour upload_tmp_dir dans /etc/php.ini. Assurez-vous de bien passer les commandes chmod chgrp et chcon sur ce nouveau répertoire tmp.

Téléverser les images
If the MediaWiki directories were copied or moved to migrate from an old system to another system that has SELinux enabled (enforcing) then the copied/moved files and directories may not have the correct SELinux context types. If this is the case, image uploads and thumbnail creation could be prevented by SELinux enforcement even if the owner and permissions are already set correctly. The includes/GlobalFunctions.php script file (and possibly other .php files in the MediaWiki install directory) must have the SELinux context type httpd_sys_script_exec_t to permits use of the PHP function.mkdir command. Without the correct context on the script, file uploads or thumbnail creation may fail on the attempt to create a hashed directory on the server. From the wiki base install directory, check for the correct SELinux context by entering the command:

ls -Z includes/GlobalFunctions.php

If the listed SELinux security context type is not httpd_sys_script_exec_t, change it with the command:

chcon -t httpd_sys_script_exec_t includes/GlobalFunctions.php Assuming the permissions (755) and owner (usually 'apache') on the images directory are correct, the entire images directory tree must have the httpd_sys_script_rw_t SELinux context type so that scripts (.php files) running in the web server process are allowed read/write access. Vérifiez cela avec la commande :

ls -dZ images Si le type de contexte sécuritaire SELinux listé n'est pas httpd_user_rw_content_t, modifiez le avec la commande :

chcon -R -t httpd_user_rw_content_t images

Thumbnail generation may fail with error messages like ulimit: cpu time/virtual memory/file size: cannot modify limit: Permission denied. To allow this you should enable httpd_setrlimit:

setsebool -P httpd_setrlimit 1

Deboguer les journaux de connexion
If you want to store your MediaWiki wfDebug logs into a file, and have followed the How to debug page thoroughly but nothing gets written to your logging file, you might need to set the SELinux context of the logging file to httpd_sys_script_rw_t using the following command:

chcon -t httpd_sys_script_rw_t /path/to/your/debug/file

Activer InstantCommons
If you want to enable the InstantCommons feature on your wiki, and your OS implements SElinux, you should first tell Selinux to allow HTTPD scripts and modules to connect to the network. To do so, enter the following command:

getsebool -a

See what is the value of the boolean: httpd_can_network_connect. If it is set to on already, nothing needs to be done, Selinux will not prevent HTTPD scripts and modules from connecting to the network. However, if it is set to off, enter the following command line to activate it permanently:

setsebool -P httpd_can_network_connect on

The -P option means permanently. If you do not use it, the value of the boolean will be reinitialized on your next system reboot. That is it. Make sure the modification was implemented successfully by issuing getsebool -a one more time, and verifying the value was updated correctly. If that is the case, you can now enable InstantCommons successfully.

Envoyer des courriels
Emails from MediaWiki may not work at all, or you may get "Unknown error" on actions that trigger an email. You need to enable sending emails from the webserver. The following command may enable this:

setsebool -P httpd_can_sendmail on

Pygments pour SyntaxHighlight
Extension:SyntaxHighlight use a library called pygments that provides the syntax highlight. If Syntax highlight doesn't work you may need to enable execution on the pygments folder:

semanage fcontext -a -t httpd_sys_script_exec_t '/&lt;path_to_mediawiki>/extensions/SyntaxHighlight_GeSHi/pygments(/.*)?' restorecon -R -v /&lt;path_to_mediawiki>/extensions/SyntaxHighlight_GeSHi/pygments/

Autres trucs pratiques de SELinux
To find out if SELinux is enabled on your system:

getenforce

audit2allow is a perl script that interprets the selinux errors and constructs the right rules to overcome various problems.

/usr/bin/audit2allow -i /var/log/messages

It outputs the lines you need to add to your policies to permit things that are reported as failing.

In /var/log/messages you should find an id corresponding to the selinux error that occurred.

sealert -l &lt;id>

will give more information. One possible source of error is that you copied the uncompressed installation files from a home directory to a system area thereby invalidating their security context. This can be addressed by a command such as....

restorecon -R -v /var/www/html/mediawiki

When all else fails, try this

man setenforce

Mise à jour des contextes de politique locale
Changes made by using chcon are only temporary, in that they will be overwritten by any subsequent action which relabels the files (e.g. restorecon, make relabel, etc). To avoid this, you can add custom context entries to your local policy using the semanage utility. These entries are stored in a separate file, file_contexts.local, which is not part of the base SELinux policy. The entries in this file always override the entries in the base policy.

For example, the following commands will label your main wiki files as httpd_user_content_t, your PHP scripts as http_user_script_exec_t, and your images directory for uploading as httpd_user_script_rw_t:

semanage fcontext -a -t httpd_user_content_t ' /path/to/mediawiki/install(/.*)?' semanage fcontext -a -t httpd_user_script_exec_t ' /path/to/mediawiki/install/.*\/php5?' semanage fcontext -a -t httpd_user_script_exec_t ' /path/to/mediawiki/install/includes/.*\.php5?' semanage fcontext -a -t httpd_user_rw_content_t ' /path/to/mediawiki/install/images(/.*)?' semanage fcontext -a -t httpd_user_rw_content_t ' /path/to/mediawiki/install/cache(/.*)?'

After running these commands, you can verify your changes by running

restorecon -R -v /path/to/mediawiki/install