Talk:SELinux

Using RedHat Enterprise Linux 4, with SELinux enabled, you need to allow mySQL certain permissions:

/usr/sbin/setsebool -P mysqld_disable_trans 1

I don't quite understand what it does or how SELinux works yet, but mySQL doesn't work unless you do this.

Once the installation for MediaWiki begins, httpd tries to open a connection to mySQL and SELinux is not allowing it. I get this error message in /var/log/messages:

kernel: audit(1155757761.753:257): avc: denied  { connectto } for  pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

I'm not sure how to correct for this (just yet) and I don't want to disable SELinux. If anyone knows, please email me, golharam@umdnj.edu. Until then I'll look for a solution and if I find out, I'll post it here.

Setting the Context
This text was originally on Manual:Installing MediaWiki but I think it is covered by the stuff on this page. Please add it back in if it is different.

If you are running a distribution with SELinux, e.g. Fedora Core, be sure to set the context on the installation directory correctly, e.g.:

ls -aZ

chcon -R -t httpd_sys_content_t /var/www/html/wiki

--Cneubauer 19:02, 29 August 2007 (UTC)

Better context set method?
/sbin/restorecon -R -v /var/www/html/wiki

This sets the context (on CentOS 5.1) to type: httpd_sys_content_t instead of type: httpd_user_content_t, similar to how Cneubauer mentions.

Does anybody know the practical differences between the _sys_ and _user_ types? Both seem to work fine on my box. Also, I didn't have to do any tweaking for mysql, but it lives on localhost, so maybe that's the difference.

And while I'm here talking about mediawiki on SELinux, I have a problem with file uploads and ulimit causing an audit warning. Also sendmail.sendmail causes an audit warning. Haven't figured out how to fix those yet.

--sankeyl(a)colorado.edu 30 Jan 2008

A warning should be involved here
I run SELinux, but issuing these commands in an attempt to fix file uploading broke my wiki. Reverting to httpd_sys_content_t resolved this.

Pygments for SyntaxHighlight
In my judgement, the instructions related to Pygments for SyntaxHighlight are incorrect and over-broad. Specifically: Christopher.ursich (talk) 17:48, 6 August 2017 (UTC)
1) My experience is that only the single file   needs to have its SELinux label changed, whereas the current instructions call for the entire  .  That did not work in my case, but label   did.  Additionally, the MediaWiki-related label seems more narrow, and therefore preferable as a lower security risk.

Updating Local Policy Contexts
Is it supposed to be .*\/php5? or should it be .*\.php5?

semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'

semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\/php5?'

semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'

semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/images(/.*)?'

semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/cache(/.*)?'
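
Added example (not part of the original discussion or of the manual page it refers to): a small Python check of which paths each of the two candidate patterns would select. It assumes that SELinux file-context specifications are regular expressions anchored at both ends, emulated here with `re.fullmatch`; the sample paths are constructed.

```python
import re

# Install prefix exactly as written in the semanage commands above.
PREFIX = "/path/to/mediawiki/install"

# The two candidate script patterns from the question.
CANDIDATES = {
    "slash": PREFIX + r"/.*\/php5?",
    "dot": PREFIX + r"/.*\.php5?",
}

# Constructed sample paths (not taken from a real installation).
SAMPLE_PATHS = [
    PREFIX + "/index.php",
    PREFIX + "/index.php5",
    PREFIX + "/includes/Setup.php",
    PREFIX + "/bin/php",
    PREFIX + "/bin/php5",
    PREFIX + "/images/logo.png",
    PREFIX + "/images/diagram.php.png",
]


def matches(spec, path):
    """Anchored match: the whole path must match the specification."""
    return re.fullmatch(spec, path) is not None


def coverage(spec, paths=SAMPLE_PATHS):
    """Return the paths (relative to PREFIX) that a specification selects."""
    return [p[len(PREFIX):] for p in paths if matches(spec, p)]


if __name__ == "__main__":
    for name, spec in CANDIDATES.items():
        print(f"{name:5} {spec}")
        for rel in coverage(spec):
            print(f"        {rel}")
```

With these samples, the `\/php5?` form selects only entries literally named `php` or `php5` below a subdirectory, while the `\.php5?` form selects files whose names end in `.php` or `.php5`.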