On Wed, 2012-10-10 at 08:55 -0700, Chris Steipp wrote:
I was thinking it sounded like a chroot or mandatory access control issue. If you work out the transition rules for SELinux, please share!
Hello,
Well, I finally got this working. However, I needed to create a local policy to do it. To get things working I:
1) Enabled the SELinux boolean 'httpd_ssi_exec'.
2) Based on the 'denied' records being logged by SELinux, installed the following policy:
==================================================================
module mediawiki_local 1.0;

require {
        type httpd_tmp_t;
        type clamscan_exec_t;
        type httpd_sys_script_t;
        type httpd_t;
        type clamscan_t;
        class process setrlimit;
        class fifo_file { write getattr };
        class file { read getattr open };
}

#============= clamscan_t ==============
allow clamscan_t httpd_t:fifo_file { write getattr };
allow clamscan_t httpd_tmp_t:file { read getattr open };

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:process setrlimit;

#============= httpd_t ==============
allow httpd_t clamscan_exec_t:file { read getattr };
==================================================================
Other than raising the value of '$wgMaxShellMemory' in LocalSettings.php, as mentioned before, that was it.
However, I suspect that others may have different issues depending on where MediaWiki is actually installed. For example, installing it in '/home' may well require setting various SELinux attributes to allow Apache to access the wiki files. In our case I installed MediaWiki directly into '/var/www/html'. This should, and seems to, have avoided most problems with Apache running things.
John.
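The policy above was derived from the AVC 'denied' records SELinux logged; the following added example (not from this thread) shows that derivation in code, in the way audit2allow does it: it parses constructed AVC lines for the same clamscan_t / httpd_t / httpd_sys_script_t denials and renders a Type Enforcement module in the shape of mediawiki_local. The log lines and the module name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines (not real audit.log content) for the
# interactions described in the message: clamscan reading PHP's pipe and
# temp file, and the PHP CGI script raising its own resource limits.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1349900000.123:456): avc:  denied  { write } for  pid=1234 comm="clamscan" path="pipe:[5678]" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1349900000.124:457): avc:  denied  { getattr } for  pid=1234 comm="clamscan" path="pipe:[5678]" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1349900000.200:458): avc:  denied  { read open } for  pid=1234 comm="clamscan" path="/var/tmp/php1234" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1349900000.300:459): avc:  denied  { setrlimit } for  pid=1235 comm="php" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)"
)

def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def render_module(rules, name="mediawiki_local", version="1.0"):
    """Render the collected denials as a .te source file; every allow it emits
    widens policy, so each one should be checked against what the service
    really needs before the module is built and loaded."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt   # same-domain access is written as self
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)
```

The rendered text is the .te source; turning it into a loadable module is the usual checkmodule -M -m, semodule_package, and semodule -i sequence.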