Talk:SELinux

From mediawiki.org

Using RedHat Enterprise Linux 4, with SELinux enabled, you need to allow mySQL certain permissions:

/usr/sbin/setsebool -P mysqld_disable_trans 1

I don't quite understand what it does or how SELinux works yet, but mySQL doesn't work unless you do this.

Once the installation for MediaWiki begins, httpd tries to open a connection to mySQL and SELinux is not allowing it. I get this error message in /var/log/messages:

kernel: audit(1155757761.753:257): avc: denied { connectto } for pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

I'm not sure how to correct for this (just yet) and I don't want to disable SELinux. If anyone knows, please email me, golharam@umdnj.edu. Until then I'll look for a solution and if I find out, I'll post it here.
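As an added example (not part of the post above or of MediaWiki), the following POSIX shell function reduces AVC denial lines of the form quoted above to "source type -> target type:class permissions", which is the triple you need before deciding between a boolean, a relabel, or a local policy module. The sample log is constructed to match the 2006-era /var/log/messages format shown in the post; the non-AVC line is there to show that it is skipped. Note that tcontext=...:initrc_t on mysql.sock means the socket was created by a process running in initrc_t, i.e. mysqld did not transition into its own mysqld_t domain, which is consistent with the boolean above having been set.

```shell
#!/bin/sh
# Added example: summarise kernel AVC denial records into
# "<source type> -> <target type>:<tclass> <permissions>".
# Reads log lines on stdin, prints one summary per "avc: denied" line.

# Constructed sample log: the denial quoted in the post plus one unrelated
# kernel message that must be ignored by the parser.
SAMPLE_LOG='kernel: audit(1155757761.753:257): avc: denied { connectto } for pid=8080 comm="httpd" name="mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
kernel: eth0: link up, 100Mbps, full-duplex'

avc_summary() {
    awk '
        / avc: +denied / {
            perms = ""; s = ""; t = ""; c = ""
            # Permissions are listed between "{" and "}".
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            # Pull the key=value fields we care about.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
                if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
                if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/,   "", c) }
            }
            # A context is user:role:type[:level]; the type is the third field
            # and is what policy rules and booleans are written in terms of.
            split(s, sa, ":"); split(t, ta, ":")
            printf "%s -> %s:%s %s\n", sa[3], ta[3], c, perms
        }'
}

# Usage: feed a log on stdin, e.g. the constructed sample below.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
```

Piping real output through `sort | uniq -c` gives a quick count of which source/target/class pairs are being denied most often, which is usually a better starting point than the first line that happens to appear in the log.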

Setting the Context

This text was originally on Manual:Installing MediaWiki but I think it is covered by the stuff on this page. Please add it back in if it is different.

If you are running a distribution with SELinux, e.g. Fedora Core, be sure to set the context on the installation directory correctly e.g.:
ls -aZ
chcon -R -t httpd_sys_content_t /var/www/html/wiki

--Cneubauer 19:02, 29 August 2007 (UTC)

Better context set method?

/sbin/restorecon -R -v /var/www/html/wiki

This sets the context (on centos5.1) to type: httpd_sys_content_t instead of type: httpd_user_content_t similar to how Cneubauer mentions.

Does anybody know the practical differences between the _sys_ and _user_ types? Both seem to work fine on my box. Also, I didn't have to do any tweaking for mysql, but it lives on localhost, so maybe that's the difference.

And while I'm here talking about mediawiki on SELinux, I have a problem with file uploads and ulimit causing an audit warning. Also sendmail.sendmail causes an audit warning. Haven't figured out how to fix those yet.

--sankeyl(a)colorado.edu 30 Jan 2008

A warning should be involved here

I run SELinux, but issuing these commands in an attempt to fix file uploading broke my wiki. Reverting to httpd_sys_content_t resolved this.

Pygments for SyntaxHighlight

In my judgement, the instructions related to Pygments for SyntaxHighlight are incorrect and over-broad. Specifically:

  1. My experience is that only the single file /YOUR-PATH-HERE/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize needs to have its SELinux label changed, whereas the current instructions call for the entire pygments/ directory to be relabeled recursively. In particular, the various Readme files should not be labeled as script-executable.
  2. The current instructions indicate the correct label to be httpd_sys_script_exec_t. That did not work in my case, but label mediawiki_script_exec_t did. Additionally, the MediaWiki-related label seems more narrow, and therefore preferable as a lower security risk.

Christopher.ursich (talk) 17:48, 6 August 2017 (UTC)

Updating Local Policy Contexts

Is it supposed to be .*\/php5? or should it be .*\.php5?

 semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
 semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\/php5?'
 semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
 semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/images(/.*)?'
 semanage fcontext -a -t httpd_user_rw_content_t '/path/to/mediawiki/install/cache(/.*)?'
I believe that you are correctly noticing that line 2 should be corrected to specify /path/to/mediawiki/install/.*\.php5?. (In other words, the final backslash should instead be a dot.)
Cursich (talk) 00:53, 3 July 2018 (UTC)
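As an added example (not from this talk page, MediaWiki, or the SELinux userland), the shell function below is a small stand-in for the file_contexts lookup that restorecon and setfiles perform, so that a semanage fcontext regex can be tried against sample paths before it is applied. It follows the two rules libselinux uses: each pattern is anchored at both ends, and when several patterns match a path the last one listed wins. The rule set repeats the five rules discussed above, once exactly as posted (with `\/php5?`) and once with the `\.php5?` correction, and adds a single-file rule for pygmentize as suggested in the Pygments thread; /srv/mediawiki is an assumed install path and the sample paths are constructed. GNU grep 3.8 and later warn on stderr about the stray backslash in `\/`, which is itself a hint that the pattern is not what was meant.

```shell
#!/bin/sh
# Added example: emulate "which file_contexts rule labels this path?"
# Rules are "REGEX TYPE" pairs, one per line, in file_contexts order.
# Regexes contain no spaces, so a space separator is safe.

# Rules as quoted in the thread (second rule has the questioned "\/php5?").
RULES_AS_POSTED='/srv/mediawiki(/.*)? httpd_user_content_t
/srv/mediawiki/.*\/php5? httpd_user_script_exec_t
/srv/mediawiki/includes/.*\.php5? httpd_user_script_exec_t
/srv/mediawiki/images(/.*)? httpd_user_rw_content_t
/srv/mediawiki/cache(/.*)? httpd_user_rw_content_t'

# Same rules with the "\.php5?" correction, plus an exact-path rule that
# labels only the pygmentize script and not the rest of pygments/.
RULES_FIXED='/srv/mediawiki(/.*)? httpd_user_content_t
/srv/mediawiki/.*\.php5? httpd_user_script_exec_t
/srv/mediawiki/includes/.*\.php5? httpd_user_script_exec_t
/srv/mediawiki/images(/.*)? httpd_user_rw_content_t
/srv/mediawiki/cache(/.*)? httpd_user_rw_content_t
/srv/mediawiki/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize mediawiki_script_exec_t'

# fc_lookup PATH: reads rules on stdin, prints the type the LAST matching
# rule assigns, or "<<none>>" if no rule matches (as restorecon would
# leave the file alone).
fc_lookup() {
    winner='<<none>>'
    while read -r re ctx; do
        [ -n "$re" ] || continue
        # Anchor at both ends, as libselinux does when it compiles the spec.
        if printf '%s\n' "$1" | grep -Eq '^'"$re"'$'; then
            winner=$ctx
        fi
    done
    printf '%s\n' "$winner"
}

# Usage: try a few constructed paths against both rule sets.
for p in /srv/mediawiki/index.php \
         /srv/mediawiki/foo/php5 \
         /srv/mediawiki/includes/Setup.php \
         /srv/mediawiki/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize \
         /srv/mediawiki/extensions/SyntaxHighlight_GeSHi/pygments/README \
         /srv/mediawiki/images/a/ab/logo.png; do
    printf '%-70s posted=%s fixed=%s\n' "$p" \
        "$(printf '%s\n' "$RULES_AS_POSTED" | fc_lookup "$p")" \
        "$(printf '%s\n' "$RULES_FIXED" | fc_lookup "$p")"
done
```

With the rules as posted, /srv/mediawiki/index.php stays httpd_user_content_t because `\/php5?` only matches a file literally named php or php5 somewhere under the install, while the corrected rule labels index.php as script-executable. The exact-path rule gives pygmentize mediawiki_script_exec_t and leaves README as ordinary content, which is the narrower outcome argued for above. On a real system the authoritative check is `matchpathcon PATH` or `restorecon -nv -R DIR`, which consult the installed policy rather than this stand-in.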