On Wed, 2012-10-10 at 08:55 -0700, Chris Steipp wrote:
> I was thinking it sounded like a chroot or mandatory access control
> issue. If you work out the transition rules for SELinux, please share!

Hello,

Well I finally got this working. However, I needed to create a local
policy to do it. To get things working I:

1) Enabled the SELinux boolean 'httpd_ssi_exec'.

2) Based on the 'denied' records being logged by SELinux, installed the
   following policy:

==================================================================
module mediawiki_local 1.0;

require {
        type httpd_tmp_t;
        type clamscan_exec_t;
        type httpd_sys_script_t;
        type httpd_t;
        type clamscan_t;
        class process setrlimit;
        class fifo_file { write getattr };
        class file { read getattr open };
}

#============= clamscan_t ==============
allow clamscan_t httpd_t:fifo_file { write getattr };
allow clamscan_t httpd_tmp_t:file { read getattr open };

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:process setrlimit;

#============= httpd_t ==============
allow httpd_t clamscan_exec_t:file { read getattr };
==================================================================

Other than raising the value of '$wgMaxShellMemory' in
LocalSettings.php, as mentioned before, that was it.

However, I suspect that others may have different issues depending on
where MediaWiki is actually installed. For example, installing it in
'/home' may well require setting various SELinux attributes to allow
Apache to access the wiki files. In our case I installed MediaWiki
directly into '/var/www/html'. This should, and seems to have, avoided
most problems with Apache running things.

John.

--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
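
Added example (not part of the original message, and not the poster's own tooling): a simplified stand-in for audit2allow showing how 'denied' AVC records map to allow rules of the kind in the module above, including the 'self' target. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the original message), shaped like
# denials that lead to rules of the kind in the posted module.
SAMPLE_LOG = """\
type=AVC msg=audit(1349884500.101:301): avc:  denied  { read open } for  pid=2101 comm="clamscan" name="phpUpload" dev=dm-0 ino=1001 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1349884500.102:302): avc:  denied  { getattr } for  pid=2101 comm="clamscan" path="/tmp/phpUpload" dev=dm-0 ino=1001 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1349884500.103:303): avc:  denied  { write } for  pid=2101 comm="clamscan" path="pipe:[48213]" dev=pipefs ino=48213 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1349884500.103:303): arch=c000003e syscall=1 success=no exit=-13 comm="clamscan"
type=AVC msg=audit(1349884500.090:300): avc:  denied  { setrlimit } for  pid=2099 comm="sh" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; only the type is used in allow rules.
    return context.split(":")[2]

def allow_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL and other non-denial records
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        if src == tgt:
            tgt = "self"  # a domain acting on itself is written as 'self'
        perms[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = sorted(p)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Permissions are emitted in sorted order, so a generated rule may list them in a different order from the posted module while meaning the same thing. Each generated rule should be read against the denial that produced it before it is loaded.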