Talk:SELinux

From mediawiki.org

Using RedHat Enterprise Linux 4, with SELinux enabled, you need to allow mySQL certain permissions:

/usr/sbin/setsebool -P mysqld_disable_trans 1

I don't quite understand what it does or how SELinux works yet, but mySQL doesn't work unless you do this.

Once the installation for MediaWiki begins, httpd tries to open a connection to mySQL and SELinux is not allowing it. I get this error message in /var/log/messages:

kernel: audit(1155757761.753:257): avc: denied { connectto } for pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

I'm not sure how to correct for this (just yet) and I don't want to disable SELinux. If anyone knows, please email me, golharam@umdnj.edu. Until then I'll look for a solution and if I find out, I'll post it here.
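The denial quoted above is easier to act on once its fields are pulled apart: which source type was refused which permissions on which target type and object class. The following is an added example, not code from the post or from MediaWiki; the log lines are constructed for it (the first is the denial above, the others are made up in the same format).

```python
import re

# Constructed sample lines modelled on the denial quoted in the post above.
SAMPLE_LOG = """\
kernel: audit(1155757761.753:257): avc: denied { connectto } for pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
kernel: audit(1155757802.118:261): avc: denied { write } for pid=8080 comm="httpd" name="images" dev=sda1 ino=3141 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
kernel: audit(1155757802.120:262): avc: denied { execute } for pid=8101 comm="sh" name="sendmail" scontext=root:system_r:httpd_t tcontext=root:object_r:sendmail_exec_t tclass=file
kernel: audit(1155757810.000:263): avc: granted { read } for pid=8080 comm="httpd" name="LocalSettings.php" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be quoted (comm="httpd") or bare (pid=8080).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
    }


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) with the union of refused
    permissions; that triple is what any boolean or policy change has to address."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        summary.setdefault(key, set()).update(rec["perms"])
    return summary
```

Grouping by the (source, target, class) triple separates the mysql.sock problem from unrelated denials such as the directory write, so each can be investigated on its own rather than by loosening policy globally.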

Setting the Context

This text was originally on Manual:Installing MediaWiki but I think it is covered by the stuff on this page. Please add it back in if it is different.

If you are running a distribution with SELinux, e.g. Fedora Core, be sure to set the context on the installation directory correctly e.g.:
ls -aZ
chcon -R -t httpd_sys_content_t /var/www/html/wiki

--Cneubauer 19:02, 29 August 2007 (UTC)

Better context set method?

/sbin/restorecon -R -v /var/www/html/wiki

This sets the context (on centos5.1) to type: httpd_sys_content_t instead of type: httpd_user_content_t similar to how Cneubauer mentions.

Does anybody know the practical differences between the _sys_ and _user_ types? Both seem to work fine on my box. Also, I didn't have to do any tweaking for mysql, but it lives on localhost, so maybe that's the difference.

And while I'm here talking about mediawiki on SELinux, I have a problem with file uploads and ulimit causing an audit warning. Also sendmail.sendmail causes an audit warning. Haven't figured out how to fix those yet.

--sankeyl(a)colorado.edu 30 Jan 2008

A warning should be involved here

I run SELinux, but issuing these commands in an attempt to fix file uploading broke my wiki. Reverting to httpd_sys_content_t resolved this.

Pygments for SyntaxHighlight

In my judgement, the instructions related to Pygments for SyntaxHighlight are incorrect and over-broad. Specifically:

  1. My experience is that only the single file /YOUR-PATH-HERE/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize needs to have its SELinux label changed, whereas the current instructions call for the entire pygments/ directory to be relabeled recursively. In particular, the various Readme files should not be labeled as script-executable.
  2. The current instructions indicate the correct label to be httpd_sys_script_exec_t. That did not work in my case, but label mediawiki_script_exec_t did. Additionally, the MediaWiki-related label seems more narrow, and therefore preferable as a lower security risk.

Christopher.ursich (talk) 17:48, 6 August 2017 (UTC)

Updating Local Policy Contexts

Is it supposed to be .*\/php5? or should it be .*\.php5?

 semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
 semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\/php5?'
 semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
 semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/images(/.*)?'
 semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/cache(/.*)?'
I believe that you are correctly noticing that line 2 should be corrected to specify /path/to/mediawiki/install/.*\.php5?. (In other words, the final backslash should instead be a dot.)
Cursich (talk) 00:53, 3 July 2018 (UTC)
You're right about that much, and I've just corrected it. I also threw away the entry for "/path/to/mediawiki/install/includes/.*\.php5?" because it's completely redundant and will only serve to cause confusion later. The remaining invocation will match all php scripts inside the install location--even those used by Pygments/SyntaxHighlight. Frankly, even the optional "5?" match could probably also be deleted out because 1) we're up to PHP v7 now 2) that number was only needed while systems were transitioning, 3) MediaWiki ships exactly zero files that end in ".php5" and 4) no one should be doing that anymore, seriously. The only reason I left it is that it can't exactly break anything. I also clarified what each type is doing, and split the section into two because for the majority of modern systems using SELinux the user types will not work for things in /var. (I gave it a shot yesterday on a RHEL 8 knockoff just to see if it might.) Other things that should probably have been addressed (I am trying to be gentle and not throw out the entire page) is that using chcon should be strongly discouraged. It will only cause problems in the long run, either by something like an autorelabel job destroying the chcon-applied changes, or by the silent creeping doom that is "what labels will be applied to new files created here later". I also replaced the /path/to/mediawiki/install text (which is basically never going to look good) with a simple variable. This approach is more understandable, less likely to blow up because of a typo or a misinterpretation (or mistranslation hem-hem), and gets the color syntax highlighter involved to generally improve readability. Also, this way lazy people can copy-paste and change just the variable name and be much less likely to do the horrible thing and disable SELinux because "it's too hard". There's enough semantic linkage that every reader should understand that the variable is the location of the MediaWiki files. 
Separate from all this, about half of the remaining page should probably be thrown out because it's not our job to teach people all about SELinux and it's all so disorganized without properly focusing on just the sebools and why/when they're needed. Audit2allow shouldn't even need a mention here because MediaWiki just isn't doing anything exotic enough that it should ever be needed. I'm just not feeling quite that edit-happy today. Dagmar d'Surreal (talk) 18:50, 17 September 2021 (UTC)
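The regex question in this section and the point in the Pygments section above (that pygmentize needs its own label) can both be checked by evaluating the fcontext expressions against sample paths before running semanage. This is an added example, not code from the thread or from MediaWiki: it assumes the install location /var/www/html/wiki in place of /path/to/mediawiki/install, and it models file_contexts matching as a whole-path match in which the last matching entry wins (the behaviour of setfiles/restorecon); the sample paths are constructed.

```python
import re

# Assumed install location; the thread writes it as /path/to/mediawiki/install.
WIKI = "/var/www/html/wiki"

# The fcontext rules from the thread, in the order given, with the corrected second
# expression (\.php5? rather than \/php5?) and without the redundant includes/ rule.
RULES = [
    (rf"{WIKI}(/.*)?",        "httpd_user_content_t"),
    (rf"{WIKI}/.*\.php5?",    "httpd_user_script_exec_t"),
    (rf"{WIKI}/images(/.*)?", "httpd_user_rw_content_t"),
    (rf"{WIKI}/cache(/.*)?",  "httpd_user_rw_content_t"),
]

# The same list with the original, uncorrected second expression, for comparison.
RULES_UNCORRECTED = [
    (rf"{WIKI}/.*\/php5?", "httpd_user_script_exec_t") if i == 1 else rule
    for i, rule in enumerate(RULES)
]


def label_for(path, rules=RULES):
    """Type the rules assign to one path, or None if no rule matches.
    Assumed model: each expression is matched against the whole path (fullmatch),
    and when several expressions match, the last one listed wins."""
    chosen = None
    for pattern, ftype in rules:
        if re.fullmatch(pattern, path):
            chosen = ftype
    return chosen


def relabel_plan(paths, rules=RULES):
    """Map each path to the type it would receive, like a dry run of restorecon."""
    return {p: label_for(p, rules) for p in paths}
```

With the corrected rule, includes/*.php already receives the exec type, which is why the separate includes/ entry is redundant; with the uncorrected rule, index.php stays plain content and only entries literally named php or php5 would become executable. Note also that a .php file under images/ ends up with the rw type rather than the exec type because the images rule is listed later, and that pygmentize gets only the content type from these rules.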