Running moin with SELinux enabled on Fedora
About this HowTo
- MoinMoin versions: 1.9.4, possibly others
- Platforms: Fedora Linux (tested on F16)
DISCLAIMER
There is NO WARRANTY OF ANY KIND. I don't claim that the configuration described in this Howto is safe, or adequate from a security point of view. Please review your security rules carefully before applying them.
You will find many references on the web telling you that SELinux has to be switched off to run Moin. That's not true. This Howto explains how to run Moin with SELinux enabled using the default "targeted" SELinux policy. For background information about SELinux, read the Fedora SELinux manual.
This Howto is an example based on my setup here (single Wiki, apache with mod_wsgi, and a directory structure that I am explaining below). Your setup probably differs in a few details. You will need to change your configuration accordingly.
Directory structure in this example
WIKIROOT=/var/www/moin                       # Wiki root, files copied from
                                             # /usr/share/moin "data" and "underlay"
WIKISTATIC=/var/www/moin/static              # Wiki static files
WIKISERVER=/var/www/moin/server              # Contains WSGI script
WIKICONFIG=/var/www/moin/config              # Wiki config files
WIKICONFIG_LOG=/var/www/moin/config/logging  # Logging configuration
WIKIINDEX=/var/www/moin/index                # Index files for search engine (xapian)
WIKILOG=/var/log/moin                        # Moin logfiles, configured in the
                                             # logging configuration file
SELinux file contexts
With the directory structure above, set the file contexts as follows (see the SELinux manual and SELinux settings for Apache):
# The following two lines are only needed
# if WIKIROOT and WIKISTATIC are *not* below /var/www
# semanage fcontext -a -t httpd_sys_content_t "${WIKIROOT}(/.*)?"
# semanage fcontext -a -t httpd_sys_content_t "${WIKISTATIC}(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "${WIKISERVER}(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "${WIKICONFIG}(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "${WIKICONFIG}/.*\.py"
semanage fcontext -a -t httpd_sys_content_t "${WIKICONFIG_LOG}(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "${WIKIROOT}/underlay(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "${WIKIROOT}/data(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "${WIKIROOT}/data/plugin(/.*)*/.*\.py"
semanage fcontext -a -t httpd_sys_rw_content_t "${WIKIINDEX}(/.*)?"
semanage fcontext -a -t httpd_log_t "${WIKILOG}(/.*)?"
The contexts used are:
httpd_sys_script_exec_t for the WSGI script,
httpd_sys_rw_content_t for all content that Moin must be able to write,
httpd_sys_content_t for read-only data,
httpd_log_t for log files.
httpd_sys_content_t is the default file context for everything under /var/www on Fedora. Note that the directories containing Python code must be read/write so that the byte-compiled code (.pyc files) can be written. It is non-fatal if the byte-compiled files can't be written, but it causes annoying SELinux error messages. The commands above allow writing the byte-compiled code while trying to protect the actual Python code (.py files) from being written by an attacker.
To actually apply these file contexts, run restorecon on all affected files:
restorecon -rv /var/www/moin
restorecon -rv /var/log/moin
It's good advice to run restorecon with the -n option first to check what changes would be applied.
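As an added example (not part of the original HowTo), the following script encodes the outcome the fcontext rules above are meant to produce for each path in this directory layout, so that the result of restorecon can be compared against what is actually on disk. It assumes the directory structure of this HowTo, a GNU coreutils stat that supports the %C (SELinux context) format, and example file names such as moin.wsgi and wikiconfig.py that are illustrative only.

```shell
# Added example, not part of the original HowTo: compute the SELinux type the
# fcontext rules above are intended to give a path, and compare it with the
# type actually on disk after restorecon.
# Directory layout as in this HowTo; static files need no rule of their own,
# they get the /var/www default (httpd_sys_content_t).
WIKIROOT=/var/www/moin
WIKISERVER=$WIKIROOT/server
WIKICONFIG=$WIKIROOT/config
WIKICONFIG_LOG=$WIKICONFIG/logging
WIKIINDEX=$WIKIROOT/index
WIKILOG=/var/log/moin

# expected_type PATH: print the type the rules above should yield for PATH.
# Arms are ordered most specific first, so the .py exceptions win over the
# read/write rules of their parent directories.
expected_type() {
    case "$1" in
        "$WIKILOG"|"$WIKILOG"/*)                     echo httpd_log_t ;;
        "$WIKISERVER"|"$WIKISERVER"/*)               echo httpd_sys_script_exec_t ;;
        "$WIKICONFIG_LOG"|"$WIKICONFIG_LOG"/*)       echo httpd_sys_content_t ;;
        "$WIKICONFIG"/*.py)                          echo httpd_sys_content_t ;;    # code stays read-only
        "$WIKICONFIG"|"$WIKICONFIG"/*)               echo httpd_sys_rw_content_t ;; # .pyc may be written
        "$WIKIROOT"/data/plugin/*.py)                echo httpd_sys_content_t ;;    # plugin code read-only
        "$WIKIROOT"/data|"$WIKIROOT"/data/*)         echo httpd_sys_rw_content_t ;;
        "$WIKIROOT"/underlay|"$WIKIROOT"/underlay/*) echo httpd_sys_rw_content_t ;;
        "$WIKIINDEX"|"$WIKIINDEX"/*)                 echo httpd_sys_rw_content_t ;;
        "$WIKIROOT"|"$WIKIROOT"/*)                   echo httpd_sys_content_t ;;    # Fedora default below /var/www
        *)                                           echo unknown ;;
    esac
}

# actual_type PATH: the type currently on disk (GNU stat, %C = SELinux
# context "user:role:type:level"); prints nothing if it cannot be read.
actual_type() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 0
    case "$ctx" in
        ?*:?*:?*) printf '%s\n' "$ctx" | cut -d: -f3 ;;
    esac
}

# check_tree DIR: report every path under DIR whose on-disk type differs
# from what the rules intend. Empty output means the labels match.
check_tree() {
    find "$1" -print | while read -r p; do
        want=$(expected_type "$p")
        have=$(actual_type "$p")
        if [ -n "$have" ] && [ "$have" != "$want" ]; then
            printf '%s: have %s, want %s\n' "$p" "$have" "$want"
        fi
    done
}

# On the wiki host, after restorecon:  check_tree "$WIKIROOT"; check_tree "$WIKILOG"
# Stand-alone demo with example file names (hypothetical, not from the HowTo):
for p in "$WIKISERVER/moin.wsgi" "$WIKICONFIG/wikiconfig.py" \
         "$WIKICONFIG/wikiconfig.pyc" "$WIKIROOT/data/plugin/macro/Example.py" \
         "$WIKILOG/moin.log"; do
    printf '%-48s %s\n' "$p" "$(expected_type "$p")"
done
```

The point of the check is the two exceptions: a .py file under the config or plugin directory must come back as httpd_sys_content_t while the .pyc next to it is httpd_sys_rw_content_t; if restorecon labelled the .py files writable, the protection described above is not in effect.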
SELinux booleans
Furthermore, you must set the following SELinux booleans with the setsebool tool:
httpd_enable_cgi=on to run cgi scripts
httpd_builtin_scripting=on to run WSGI
httpd_can_sendmail=on to allow moin to send email notifications
httpd_can_connect_ldap=on for LDAP authentication
For example, run
setsebool -P httpd_enable_cgi=on httpd_builtin_scripting=on
Troubleshooting
SELinux troubleshooting is a science of its own. Consult the troubleshooting section of the Fedora SELinux manual. More often than not, it is helpful to scan /var/log/audit/audit.log for "avc: denied" messages mentioning "httpd". (That's how I came up with the configuration described in this Howto.)
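As an added example (not part of the original HowTo), the following script does the audit.log scan described above in a slightly more structured way: it picks out the AVC denials of httpd processes, extracts the denied permissions, target class and target type, and maps the cases this HowTo covers (mail, LDAP, writes to read-only content) to the matching boolean or relabel. The log lines it reads are constructed for the example, not a real capture.

```shell
# Added example, not part of the original HowTo: summarize "avc: denied"
# records for httpd from an audit log and relate them to the settings above.
# The sample log below is constructed for this example, not a real capture.
AVC_SAMPLE="${TMPDIR:-/tmp}/moin-avc-sample.log"
cat > "$AVC_SAMPLE" <<'EOF'
type=AVC msg=audit(1325000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="wikiconfig.pyc" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1325000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1325000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1325000001.789:458): avc:  denied  { read } for  pid=2222 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF

# httpd_denials FILE: one line per AVC denial of an httpd process:
#   PERMS TCLASS TARGET_TYPE NAME   (NAME is "-" when the record has none).
# The SYSCALL record is dropped by the first grep: it mentions httpd but is
# not a denial itself.
httpd_denials() {
    grep 'avc: *denied' "$1" | grep 'comm="httpd"' | awk '{
        perms = ""; tclass = ""; ttype = ""; name = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # "{ read write }" -> read,write
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            }
            if (index($i, "tclass=") == 1)   tclass = substr($i, 8)
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if (index($i, "name=") == 1)     { name = substr($i, 6); gsub(/"/, "", name) }
        }
        print perms, tclass, ttype, name
    }'
}

# hint PERMS TCLASS TARGET_TYPE: which setting from this HowTo the denial
# points at. Anything else needs a manual look at the policy.
hint() {
    case "$2:$3:$1" in
        tcp_socket:smtp_port_t:*name_connect*)
            echo "setsebool -P httpd_can_sendmail=on" ;;
        tcp_socket:ldap_port_t:*name_connect*)
            echo "setsebool -P httpd_can_connect_ldap=on" ;;
        file:httpd_sys_content_t:*write*|dir:httpd_sys_content_t:*write*|dir:httpd_sys_content_t:*add_name*|dir:httpd_sys_content_t:*create*)
            echo "write to read-only content: relabel httpd_sys_rw_content_t if Moin must write here (harmless for .pyc)" ;;
        *)
            echo "no hint from this HowTo" ;;
    esac
}

# report FILE: each httpd denial followed by its hint
report() {
    httpd_denials "$1" | while read -r perms tclass ttype name; do
        printf '%s %s %s %s -> %s\n' "$perms" "$tclass" "$ttype" "$name" \
            "$(hint "$perms" "$tclass" "$ttype")"
    done
}

report "$AVC_SAMPLE"
# Real use on the wiki host:  report /var/log/audit/audit.log
```

Run against the real audit log, the sshd record in the sample shows why the comm filter matters: only denials of the httpd domain say anything about the Moin configuration, and the .pyc write denial is the expected noise described under file contexts, not something to relabel.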
Todo
This Howto uses generic file contexts and booleans. It would probably be better to extend Fedora's "targeted" policy with custom rules for Moin, as it has been done for mediawiki. Wouldn't that be a great exercise for you??