Talk:SELinux

Using RedHat Enterprise Linux 4, with SELinux enabled, you need to allow mySQL certain permissions:

/usr/sbin/setsebool -P mysqld_disable_trans 1

I don't quite understand what it does or how SELinux works yet, but mySQL doesn't work unless you do this.

Once the installation for MediaWiki begins, httpd tries to open a connection to mySQL and SELinux is not allowing it. I get this error message in /var/log/messages:

kernel: audit(1155757761.753:257): avc: denied  { connectto } for  pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

I'm not sure how to correct for this (just yet) and I don't want to disable SELinux. If anyone knows, please email me, golharam@umdnj.edu. Until then I'll look for a solution and if I find out, I'll post it here.

Setting the Context
This text was originally on Manual:Installing MediaWiki but I think it is covered by the stuff on this page. Please add it back in if it is different.

If you are running a distribution with SELinux, e.g. Fedora Core, be sure to set the context on the installation directory correctly, e.g.:

ls -aZ
chcon -R -t httpd_sys_content_t /var/www/html/wiki

--Cneubauer 19:02, 29 August 2007 (UTC)

Better context set method?
/sbin/restorecon -R -v /var/www/html/wiki

This sets the context (on CentOS 5.1) to type: httpd_sys_content_t instead of type: httpd_user_content_t, similar to how Cneubauer mentions.

Does anybody know the practical differences between the _sys_ and _user_ types? Both seem to work fine on my box. Also, I didn't have to do any tweaking for mysql, but it lives on localhost, so maybe that's the difference.

And while I'm here talking about mediawiki on SELinux, I have a problem with file uploads and ulimit causing an audit warning. Also sendmail.sendmail causes an audit warning. Haven't figured out how to fix those yet.

--sankeyl(a)colorado.edu 30 Jan 2008

A warning should be involved here
I run SELinux, but issuing these commands in an attempt to fix file uploading broke my wiki. Reverting to httpd_sys_content_t resolved this.

Pygments for SyntaxHighlight
In my judgement, the instructions related to Pygments for SyntaxHighlight are incorrect and over-broad. Specifically: Christopher.ursich (talk) 17:48, 6 August 2017 (UTC)
 * 1) My experience is that only the single file   needs to have its SELinux label changed, whereas the current instructions call for the entire   directory to be relabeled recursively.  In particular, the various Readme files should not be labeled as script-executable.
 * 2) The current instructions indicate the correct label to be  .  That did not work in my case, but label   did.  Additionally, the MediaWiki-related label seems more narrow, and therefore preferable as a lower security risk.

Updating Local Policy Contexts
Is it supposed to be .*\/php5? or should it be .*\.php5?

semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\/php5?'
semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/images(/.*)?'
semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/cache(/.*)?'


 * I believe that you are correctly noticing that line 2 should be corrected to specify .  (In other words, the final backslash should instead be a dot.)
 * Cursich (talk) 00:53, 3 July 2018 (UTC)
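
The difference between the two patterns asked about in this section, as an added example that is not part of the original discussion. It assumes file-context specifications are matched against the whole path (anchored at both ends), which `re.fullmatch` models, and it uses constructed sample paths under the page's placeholder install directory.

```python
import re

# Assumption: SELinux file-context specs are regexes matched against the
# whole path (implicitly anchored at both ends); re.fullmatch models that.
INSTALL = "/path/to/mediawiki/install"  # placeholder path used on the page

SPECS = {
    "slash (as posted)": INSTALL + r"/.*\/php5?",
    "dot (proposed)": INSTALL + r"/.*\.php5?",
}

# Constructed sample paths, not taken from a real installation.
SAMPLE_PATHS = [
    INSTALL + "/index.php",
    INSTALL + "/includes/Setup.php",
    INSTALL + "/maintenance/update.php5",
    INSTALL + "/README",
    INSTALL + "/extensions/php",       # a file literally named "php"
    INSTALL + "/extensions/bin/php5",  # a file literally named "php5"
    INSTALL + "/docs/notes.php.bak",   # ends in .bak, not a script name
]


def matching_paths(spec, paths=SAMPLE_PATHS):
    """Return the paths that the anchored file-context regex would label."""
    pattern = re.compile(spec)
    return [p for p in paths if pattern.fullmatch(p)]


def compare(specs=SPECS, paths=SAMPLE_PATHS):
    """Map each spec name to the list of sample paths it matches."""
    return {name: matching_paths(spec, paths) for name, spec in specs.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name)
        for path in hits:
            print("   ", path)
```

With the backslash-slash form, only files literally named `php` or `php5` in a subdirectory would receive the script-exec type; the dot form selects files whose names end in `.php` or `.php5`.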