SELinux
Alternatively, you can disable SELinux for httpd only, using one of the following commands, so that these problems are not a factor during development:
setsebool -P httpd_disable_trans false
semodule -r httpd
semanage permissive -a httpd_t
Which of these command lines is appropriate depends on your system configuration. In every case, run the command as the root user.
On a system running SELinux, the following additional steps must be performed to install MediaWiki:
chcon -R -t httpd_user_content_t /path/to/mediawiki_install
After building the PHP fileinfo extension:
chcon -t httpd_sys_script_exec_t /usr/lib/php/modules/fileinfo.so
Additional files that are to be executed by Apache should be httpd_user_script_exec_t (except PHP files). Files labelled httpd_*_script_exec_t cannot be written to by the apache process. Ideally all MediaWiki executable (PHP) files would be set to httpd_user_script_exec_t, but this is not required by the current SELinux policy.
Upload directories
If uploads are enabled in your configuration, you may run into a context problem with the tmp directory used during file uploads. Creating a tmp directory in /var/www/ instead of using /tmp or the default setting for upload_tmp_dir in /etc/php.ini can get around this problem. Be sure to correctly chmod, chgrp and chcon this new tmp directory.
Uploading images
If the MediaWiki directories were copied or moved to migrate from an old system to another system that has SELinux enabled (enforcing), then the copied/moved files and directories may not have the correct SELinux context types. If this is the case, image uploads and thumbnail creation could be prevented by SELinux enforcement even if the owner and permissions are already set correctly. The includes/GlobalFunctions.php script file (and possibly other .php files in the MediaWiki install directory) must have the SELinux context type httpd_sys_script_exec_t to permit use of the PHP mkdir function. Without the correct context on the script, file uploads or thumbnail creation may fail on the attempt to create a hashed directory on the server. From the wiki base install directory, check for the correct SELinux context by entering the command:
ls -Z includes/GlobalFunctions.php
If the listed SELinux security context type is not httpd_sys_script_exec_t, change it with the command:
chcon -t httpd_sys_script_exec_t includes/GlobalFunctions.php
Assuming the permissions (755) and owner (usually 'apache') on the images directory are correct, the entire images directory tree must have the httpd_sys_script_rw_t SELinux context type so that scripts (.php files) running in the web server process are allowed read/write access. Check this with the command:
ls -dZ images
If the listed SELinux security context type is not httpd_user_rw_content_t, change it with the command:
chcon -R -t httpd_user_rw_content_t images
Thumbnail generation may fail with error messages like ulimit: cpu time/virtual memory/file size: cannot modify limit: Permission denied. To allow this you should enable httpd_setrlimit:
setsebool -P httpd_setrlimit 1
Debug logging file
If you want to store your MediaWiki wfDebug() logs into a file, and have followed the How to debug page thoroughly but nothing gets written to your logging file, you might need to set the SELinux context of the logging file to httpd_sys_script_rw_t using the following command:
chcon -t httpd_sys_script_rw_t /path/to/your/debug/file
Enabling InstantCommons
If you want to enable the InstantCommons feature on your wiki, and your OS implements SELinux, you should first tell SELinux to allow HTTPD scripts and modules to connect to the network. To do so, enter the following command:
getsebool -a
Look up the value of the boolean httpd_can_network_connect. If it is already set to on, nothing needs to be done; SELinux will not prevent HTTPD scripts and modules from connecting to the network. However, if it is set to off, enter the following command line to activate it permanently:
setsebool -P httpd_can_network_connect on
The -P option means permanently. If you do not use it, the value of the boolean will be reinitialized on your next system reboot.
That is it. Make sure the modification was applied successfully by issuing getsebool -a once more and verifying that the value was updated correctly. If that is the case, you can now enable InstantCommons successfully.
Sending emails
Emails from MediaWiki may not work at all, or you may get Unknown error on actions that trigger an email. You need to enable sending emails from the webserver. The following command may enable this:
setsebool -P httpd_can_sendmail on
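The getsebool/setsebool checks from the InstantCommons and email sections above can be scripted. The following is an added example, not code from the MediaWiki manual: it parses getsebool -a output, reports the state of a named boolean, and emits the setsebool -P commands for every required boolean that is still off. The getsebool output is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the MediaWiki manual): audit SELinux booleans
# that MediaWiki features depend on and print the commands needed to fix them.

# Constructed sample of `getsebool -a` output; not from a real system.
sample_getsebool() {
    cat <<'EOF'
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_sendmail --> off
httpd_setrlimit --> on
httpd_use_nfs --> off
EOF
}

# boolean_state NAME < getsebool-output
#   Prints "on" or "off" for NAME; returns 1 if the boolean is not listed
#   (for example because the policy on this host does not define it).
boolean_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { exit !found }'
}

# needed_setsebool NAME... < getsebool-output
#   Prints one `setsebool -P NAME on` line per required boolean that is off.
#   Returns 0 when nothing needs changing, 1 otherwise; unknown booleans are
#   reported on stderr and also count as a failure.
needed_setsebool() {
    ns_input=$(cat)
    ns_rc=0
    for ns_name in "$@"; do
        ns_state=$(printf '%s\n' "$ns_input" | boolean_state "$ns_name") || {
            echo "needed_setsebool: unknown boolean $ns_name" >&2
            ns_rc=1
            continue
        }
        if [ "$ns_state" != on ]; then
            # -P makes the change persistent across reboots (see the text above).
            printf 'setsebool -P %s on\n' "$ns_name"
            ns_rc=1
        fi
    done
    return $ns_rc
}

# Usage on a real host (review the output before running it):
#   getsebool -a | needed_setsebool httpd_can_network_connect httpd_can_sendmail httpd_setrlimit
```

Only booleans that the wiki actually needs should be passed in; httpd_can_network_connect in particular lets every script under httpd_t open outbound connections, so enable it only when a feature such as InstantCommons requires it.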
Pygments for SyntaxHighlight
Extension:SyntaxHighlight uses a library called Pygments that provides the syntax highlighting. If syntax highlighting doesn't work, you may need to allow execution on the pygments folder:
semanage fcontext -a -t httpd_sys_script_exec_t '/<path_to_mediawiki>/extensions/SyntaxHighlight_GeSHi/pygments(/.*)?'
restorecon -R -v /<path_to_mediawiki>/extensions/SyntaxHighlight_GeSHi/pygments/
Other handy SELinux tricks
To find out if SELinux is enabled on your system:
getenforce
audit2allow is a perl script that interprets the SELinux errors and constructs the right rules to overcome various problems.
/usr/bin/audit2allow -i /var/log/messages
It outputs the lines you need to add to your policies to permit things that are reported as failing.
In /var/log/messages you should find an id corresponding to the SELinux error that occurred.
sealert -l <id>
will give more information. One possible source of error is that you copied the uncompressed installation files from a home directory to a system area, thereby invalidating their security context. This can be addressed by a command such as:
restorecon -R -v /var/www/html/mediawiki
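Before feeding denials to audit2allow, it is worth reading what was actually denied, because most MediaWiki denials are fixed by a file context or a boolean rather than by a custom policy module. The script below is an added example, not code from the MediaWiki manual: it summarises AVC denial records (the format written to the audit log and, via auditd, to /var/log/messages) and extracts the ids that setroubleshoot prints for sealert -l. The log lines are constructed for the example; the id is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the MediaWiki manual): summarise SELinux AVC
# denials so the right fix (fcontext, boolean, or custom module) can be chosen.

# Constructed log excerpt mixing audit-style AVC records and a setroubleshoot
# message; none of it was captured from a real host, and the sealert id is a
# placeholder.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.123:4242): avc:  denied  { write } for  pid=2233 comm="httpd" name="thumb" dev="dm-0" ino=131077 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
Nov  3 10:15:22 wiki setroubleshoot[1234]: SELinux is preventing /usr/sbin/httpd from write access on the directory thumb. For complete SELinux messages run: sealert -l 12345678-1234-1234-1234-123456789abc
type=AVC msg=audit(1700000000.456:4243): avc:  denied  { name_connect } for  pid=2235 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# summarize_avc < log
#   For each AVC denial prints:  COMM (SOURCE_DOMAIN) denied PERMS on CLASS labelled TARGET_TYPE
#   A user_home_t target under the wiki root points at a mislabelled copy
#   (restorecon fixes it); a name_connect denial on http_port_t points at the
#   httpd_can_network_connect boolean.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep the text inside { ... }
        sub(/ *[}].*/, "", perms)
        comm = ""; sdom = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            # contexts are user:role:type:level; the type is the third field
            if (kv[1] == "scontext") { split(kv[2], c, ":"); sdom = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass")   { tclass = kv[2] }
        }
        printf "%s (%s) denied %s on %s labelled %s\n", comm, sdom, perms, tclass, ttype
    }'
}

# sealert_ids < log
#   Prints the ids that setroubleshoot suggests for `sealert -l <id>`.
sealert_ids() {
    sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

# Usage on a real host (audit log location varies by distribution):
#   summarize_avc < /var/log/audit/audit.log
#   sealert_ids < /var/log/messages
```

Reading the summary first avoids the common mistake of letting audit2allow generate an allow rule for httpd_t to write user_home_t files, which would widen the policy instead of correcting the labels.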
When all else fails, try this
man setenforce
Updating Local Policy Contexts
Changes made by using chcon are only temporary, in that they will be overwritten by any subsequent action which relabels the files (e.g. restorecon, semanage, make relabel, etc.).
To avoid this, you can add custom context entries to your local policy using the semanage utility. These entries are stored in a separate file, file_contexts.local, which is not part of the base SELinux policy. The entries in this file always override the entries in the base policy.
Because the final argument for semanage is a regular expression, make sure to enclose it in double quotes (or single quotes) to prevent the shell from attempting to interpret the pattern as a glob match and mangling the entry.
On most systems where SELinux is being used there are two different sets of types that need to be applied, depending on where MediaWiki is installed and how it will be invoked. If you are installing MediaWiki to a location like /var/www/html where it will not be accounted to any particular real user, then you should use the system ('sys') types. If you are installing MediaWiki to be used by a single user from their public_html directory or similar mechanism, you should use the user types.
There are currently three (for a total of six) SELinux types that are relevant for MediaWiki installations.
httpd_(sys|user)_content_t - for files that the web server is allowed to read and send to web browsers over the network.
httpd_(sys|user)_rw_content_t - for files and directories that the web server is allowed to read from and write to freely.
httpd_(sys|user)_script_exec_t - for files that are scripts the web server should be allowed to execute.
For example, the following would be appropriate for most people installing MediaWiki to a dedicated web server, using /var/www/html for the root of the MediaWiki installation:
MEDIAWIKIROOT=/var/www/html
semanage fcontext -a -t httpd_sys_content_t "^${MEDIAWIKIROOT}(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "^${MEDIAWIKIROOT}/images(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "^${MEDIAWIKIROOT}/cache(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "^${MEDIAWIKIROOT}/.*\.php5?"
This stanza would be appropriate for most people installing MediaWiki to a normal user's public_html directory for their personal use:
MEDIAWIKIROOT=/home/someuser/public_html
semanage fcontext -a -t httpd_user_content_t "^${MEDIAWIKIROOT}(/.*)?"
semanage fcontext -a -t httpd_user_rw_content_t "^${MEDIAWIKIROOT}/images(/.*)?"
semanage fcontext -a -t httpd_user_rw_content_t "^${MEDIAWIKIROOT}/cache(/.*)?"
semanage fcontext -a -t httpd_user_script_exec_t "^${MEDIAWIKIROOT}/.*\.php5?"
The semanage utility only changes the database used to declare and assign SELinux contexts. It does not apply these rules to any files already present in the filesystem. Once you have declared the new context rules you must apply them to the filesystem using the restorecon command as shown below. The -R argument makes restorecon work recursively, the -F argument forces the replacement of any contexts applied to files which do not match what is in the database, and the -v argument makes restorecon show you which files it altered the contexts for, so that you can verify your newly declared rules are being applied.
restorecon -RFv /path/to/mediawiki/install
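The ls -Z checks in the "Uploading images" section and the two rule sets above both rest on the same mapping from path to type. The script below is an added example, not code from the MediaWiki manual: it derives the type a path should carry under that mapping for either the sys or the user set, and audits an ls -Z style listing against it so that mislabelled files can be found before restorecon is run. The listing is constructed for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the MediaWiki manual): derive the type each path
# should carry under the semanage rule sets above and audit an `ls -Z`
# listing against it. The mapping mirrors the intent of the four rules:
# .php/.php5 files -> script_exec_t, the images/ and cache/ trees ->
# rw_content_t, everything else under the root -> content_t.

# mediawiki_expected_type MODE ROOT PATH
#   MODE is "sys" (e.g. /var/www/html) or "user" (public_html installs);
#   ROOT is the MediaWiki root without a trailing slash; PATH is absolute.
mediawiki_expected_type() {
    et_mode=$1; et_root=$2; et_path=$3
    case "$et_mode" in
        sys|user) ;;
        *) echo "mediawiki_expected_type: mode must be sys or user" >&2; return 1 ;;
    esac
    case "$et_path" in
        "$et_root"/*) ;;
        *) echo "mediawiki_expected_type: $et_path is outside $et_root" >&2; return 1 ;;
    esac
    et_rel=${et_path#"$et_root"/}
    case "$et_rel" in
        *.php|*.php5)                   echo "httpd_${et_mode}_script_exec_t" ;;
        images|images/*|cache|cache/*)  echo "httpd_${et_mode}_rw_content_t" ;;
        *)                              echo "httpd_${et_mode}_content_t" ;;
    esac
}

# Constructed sample of `ls -dZ` output (security context, then path); not
# captured from a real host. Two entries are deliberately mislabelled: a PHP
# file left as plain content, and a directory that kept the user_home_t label
# it had before being copied out of a home directory.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/index.php
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/includes/GlobalFunctions.php
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/LocalSettings.php
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/images
unconfined_u:object_r:user_home_t:s0 /var/www/html/images/thumb
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/resources/src/startup.js
EOF
}

# audit_listing MODE ROOT < listing
#   Prints "PATH expected=TYPE actual=TYPE" for every mismatch; returns 1 if
#   any was found and 0 when every entry already carries the expected type.
audit_listing() {
    al_mode=$1; al_root=$2; al_bad=0
    while read -r al_ctx al_path; do
        [ -n "$al_path" ] || continue
        # The type is the third colon-separated field of user:role:type:level.
        al_actual=$(printf '%s\n' "$al_ctx" | cut -d: -f3)
        al_expected=$(mediawiki_expected_type "$al_mode" "$al_root" "$al_path") || return 1
        if [ "$al_actual" != "$al_expected" ]; then
            printf '%s expected=%s actual=%s\n' "$al_path" "$al_expected" "$al_actual"
            al_bad=1
        fi
    done
    return $al_bad
}

# Usage on a real host, after `semanage fcontext -a ...` and before restorecon:
#   find /var/www/html -exec ls -dZ {} + | audit_listing sys /var/www/html
```

Two points to keep in mind when comparing the audit with what restorecon will do. First, the page's regular expression "^${MEDIAWIKIROOT}/.*\.php5?" is not anchored at the end, so restorecon will also label a file such as foo.php.bak as a script, whereas the suffix match above will not; anchor the pattern with a trailing $ if that matters to you. Second, the audit reads a plain "context path" listing, which is what ls -dZ prints when given explicit paths; ls -RZ output contains directory headers and relative names and would need to be rewritten first.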