I'm installing FC5 on a server just to be used via FTP and MediaWiki.
Question:
It works fine unless SELinux is set to enforcing. How necessary is SELinux? Is there a comprehensive guide on how to configure it for MediaWiki? Just cannot find the right info. Thanks.
SELinux isn't necessary at all per se; it is a very good security mechanism though.
Some basic information is given in the user's guide, and it links to another site with a little more info.
http://meta.wikimedia.org/wiki/MediaWiki_User%27s_Guide:_Installation
Here's what it links to:
http://codex.gallery2.org/index.php/Gallery2:Installation_on_a_SELinux_Server
V/r,
Ryan Lane
-----Original Message-----
From: mediawiki-l-bounces@Wikimedia.org [mailto:mediawiki-l-bounces@Wikimedia.org] On Behalf Of city wiki
Sent: Wednesday, June 07, 2006 10:50 AM
To: mediawiki-l@Wikimedia.org
Subject: [Mediawiki-l] mediawiki SELinux

I'm installing FC5 on a server just to be used via FTP and MediaWiki.
Question:
It works fine unless SELinux is set to enforcing. How necessary is SELinux? Is there a comprehensive guide on how to configure it for MediaWiki? Just cannot find the right info. Thanks.
Are you using MySQL for your MediaWiki database? I've found that MySQL (and probably other RDBMS brands) doesn't run when SELinux is enforcing its default policies.
If I set SELinux to "disabled" or "permissive", MySQL does work. But when it's set to "enforcing", neither the MySQL client nor the MySQL server will start.
http://bugs.mysql.com/bug.php?id=12676 gives a proposed patch to SELinux policy files to permit MySQL to run, but I haven't tried this patch.
There's a tool called "system-config-securitylevel" on FC5 that is supposed to configure SELinux. It allows you to specify certain ports, like 80 for http and 3306 for MySQL, and presumably permits incoming connections on those ports. I tried this, but it didn't seem to help. I guess SELinux does more than block ports like a firewall.
Here's an extensive FAQ on using SELinux with FC5: http://fedora.redhat.com/docs/selinux-faq-fc5/en_US/ The level of detail makes me think that it would be pretty time-consuming to learn how to administer SELinux properly.
If you have another firewall protecting your server from the outside world, it may be good enough to rely on that, and just make SELinux permissive or disabled.
Regards, Bill K.
> Are you using MySQL for your MediaWiki database? I've found that MySQL (and probably other RDBMS brands) doesn't run when SELinux is enforcing its default policies.
> If I set SELinux to "disabled" or "permissive", MySQL does work. But when it's set to "enforcing", neither the MySQL client nor the MySQL server will start.
Are you using the strict, or targeted policy? Mysqld runs just fine for me using the targeted policy. I've even gotten mediawiki working fine with SELinux enabled on both httpd and mysqld; although, I couldn't get it working using the strict policy.
If you are using the targeted policy, and still can't get mysqld running, try editing "/etc/selinux/targeted/booleans" and setting "mysqld_disable_trans=1". This disables SELinux from protecting mysqld.
> There's a tool called "system-config-securitylevel" on FC5 that is supposed to configure SELinux. It allows you to specify certain ports, like 80 for http and 3306 for MySQL, and presumably permits incoming connections on those ports. I tried this, but it didn't seem to help. I guess SELinux does more than block ports like a firewall.
Actually, this utility lets you configure your firewall *and* SELinux. SELinux is not anything like a firewall; it is role-based access controls.
Notice that this utility lets you enable/disable SELinux protection for different services, and it also lets you configure how it protects services. Most of these settings are in "/etc/selinux/targeted/booleans".
One of those settings is particularly helpful if you are looking at setting up mediawiki. "httpd_unified=1" in "/etc/selinux/targeted/booleans", which is "Unify HTTPD handling of all content files". This makes SELinux less strict when checking how the httpd daemon is using files.
> If you have another firewall protecting your server from the outside world, it may be good enough to rely on that, and just make SELinux permissive or disabled.
As the two are completely different, I wouldn't say this... I am personally wary about turning off SELinux on a system facing the internet. It definitely adds quite a bit of security to your systems.
If you are having problems getting the system up and running when using enforcing, try using permissive and keep an eye on your logs to see what SELinux doesn't like. Fix those errors, then try running in enforcing (it'll probably work then).
V/r,
Ryan Lane
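
The permissive-then-review workflow suggested above, as an added example that is not part of the original thread: a Python script that groups AVC denial lines by source type, target type and object class, so each distinct thing SELinux "doesn't like" appears once with the permissions it needs. The log lines are constructed samples in the usual audit AVC format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit AVC format (not taken from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1149692401.101:31): avc:  denied  { write } for  pid=2301 comm="httpd" name="images" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1149692401.105:32): avc:  denied  { add_name } for  pid=2301 comm="httpd" name="upload.png" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1149692401.105:32): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1149692455.410:40): avc:  denied  { read } for  pid=2410 comm="mysqld" name="my.cnf" dev=dm-0 ino=65540 scontext=user_u:system_r:mysqld_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denial(line):
    """Parse one AVC denial line; return None for any other kind of line."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {"perms": match.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"]}

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        entry = summary[(denial["source"], denial["target"], denial["tclass"])]
        entry["perms"].update(denial["perms"])
        entry["comms"].add(denial["comm"])
        entry["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }} x{e['count']}")
```

Each summary row points at one labelling or boolean decision to make before switching back to enforcing.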