
Gallery2:Installation on a SELinux Server

From Gallery Codex

What is SELinux?

SELinux is a mandatory access control system available for Linux: it confines each process to a domain and labels every file with a type, and the policy decides which domains may access which types regardless of the Unix permissions. As security concerns about Linux servers grow, more distributions ship with it enabled.

Linux distributions supporting SELinux:

For the most curious of you, here are some related documents:

Installing Gallery 2 on SELinux

This procedure extends the standard installation procedure. It describes only the additional steps required for Gallery 2 to work on an SELinux-enabled server. This procedure has been tested against Fedora Core 4.

By default, SELinux prevents Apache/PHP from writing files unless they are labeled with a type that the httpd policy allows it to write.

Change the type of each of the following paths so that Apache can write to them:

  • config.php
  • .htaccess
  • g2data directory
  • plugins directory (since Gallery 2.1)

Use the following command to change the SELinux type of a file to "httpd_sys_content_t":

chcon -t httpd_sys_content_t <file>

Note: To change the type of all files and directories contained in one directory recursively, add the "-R" option to "chcon".

Caveat: httpd_sys_content_t is the type for content Apache only reads; the targeted policy lets Apache write to it only while the httpd_unified boolean is on, which is the default on the Fedora Core releases this page covers. If that boolean is off (getsebool reports it), label the four paths with httpd_sys_script_rw_t instead, the type reserved for files that scripts running under Apache may write (later Fedora releases renamed it httpd_sys_rw_content_t and kept the old name as an alias). Also, a label set with chcon lasts only until the next relabel (restorecon or a full relabel at boot); on Fedora Core 5 and later, record the mapping with "semanage fcontext" so that restorecon re-applies it.
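As an added example (not from the Gallery project or the original Codex page), the following script labels the four paths above and then verifies the labels. It deliberately uses httpd_sys_script_rw_t, the type the targeted policy reserves for files that scripts under Apache may write, rather than httpd_sys_content_t, so the result holds whether or not the httpd_unified boolean is on. GALLERY_ROOT and G2DATA are assumptions about a typical layout; the verifier reads ls -Zd style lines, taking the field containing ":object_r:" as the context and the last field as the path, so it also accepts the output of newer stat -c '%C %n'.

```shell
#!/bin/sh
# Added example, not part of the Gallery 2 code or the Codex procedure.
# Labels the paths Gallery 2 must write and verifies the result.
# GALLERY_ROOT and G2DATA are assumed locations; adjust them for your server.
GALLERY_ROOT=${GALLERY_ROOT:-/var/www/html/gallery2}
G2DATA=${G2DATA:-/var/www/g2data}

# Types the targeted policy lets Apache write regardless of the httpd_unified
# boolean: the script-rw type of Fedora Core 4-6 and the name it was later
# renamed to.  httpd_sys_content_t is deliberately absent: it is the read-only
# content type and is writable only while httpd_unified is on.
WRITABLE_TYPES="httpd_sys_script_rw_t httpd_sys_rw_content_t"

# Type field of a context such as system_u:object_r:httpd_sys_content_t
# (Fedora Core 4) or system_u:object_r:httpd_sys_content_t:s0 (MLS field present).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if the type is one Apache may write to without httpd_unified, 1 otherwise.
type_is_writable() {
    for t in $WRITABLE_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Reads listing lines from stdin (ls -Zd or stat -c '%C %n' shape: the context
# is the field containing ":object_r:", the path is the last field), prints one
# MISLABELED line per path Apache could not write, returns 1 if any were found.
report_mislabeled() {
    bad=0
    while read -r line; do
        ctx=""; path=""
        for w in $line; do
            case $w in *:object_r:*) ctx=$w ;; esac
            path=$w
        done
        [ -n "$ctx" ] || continue
        ty=$(context_type "$ctx")
        if ! type_is_writable "$ty"; then
            printf 'MISLABELED %s (%s)\n' "$path" "$ty"
            bad=1
        fi
    done
    return $bad
}

# The four paths the Codex lists: two files and two directory trees.
gallery_writable_paths() {
    printf '%s\n' "$GALLERY_ROOT/config.php" "$GALLERY_ROOT/.htaccess" \
                  "$G2DATA" "$GALLERY_ROOT/plugins"
}

# Label with chcon (takes effect immediately) and, where semanage exists
# (Fedora Core 5 and later), record the rule so a relabel does not undo it.
relabel_gallery() {
    chcon -t httpd_sys_script_rw_t "$GALLERY_ROOT/config.php" "$GALLERY_ROOT/.htaccess"
    chcon -R -t httpd_sys_script_rw_t "$G2DATA" "$GALLERY_ROOT/plugins"
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t httpd_sys_script_rw_t "$G2DATA(/.*)?"
        semanage fcontext -a -t httpd_sys_script_rw_t "$GALLERY_ROOT/plugins(/.*)?"
        semanage fcontext -a -t httpd_sys_script_rw_t "$GALLERY_ROOT/config.php"
        semanage fcontext -a -t httpd_sys_script_rw_t "$GALLERY_ROOT/.htaccess"
        restorecon -R "$G2DATA" "$GALLERY_ROOT"
    fi
}

# Usage (as root, on the Gallery host): sh gallery-selinux-label.sh --apply
if [ "${1:-}" = "--apply" ]; then
    relabel_gallery
    gallery_writable_paths | xargs ls -Zd | report_mislabeled
fi
```

Run it once after installation and again after any relabel; a non-zero exit with MISLABELED lines means Apache will be denied writes to that path even though the Unix permissions look right.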

Modules using external binaries

Gallery relies on several external binaries to perform actions not directly available through PHP. The most common examples are the graphics toolkits (except GD) and the zipcart module. Technically, Apache/PHP forks a new process to handle a specific action (resize a picture, create a ZIP archive, and so on). Although the forked process runs with the same UID/GID as Apache, SELinux places it in the domain it uses for CGI scripts (httpd_sys_script_t) rather than in Apache's own domain, and that domain is not allowed to read the temporary files Apache creates (type httpd_tmp_t). In Gallery the symptom is that ImageMagick cannot read the uploaded picture files while building thumbnails, and the kernel logs an "avc: denied" message for each blocked access (in /var/log/audit/audit.log when auditd is running, otherwise in /var/log/messages).

The solution is to extend the policy with a rule that allows exactly this access, rather than switching SELinux to permissive mode. Confirm the denial in the log first (audit2allow can turn the logged message into a matching rule) so that the rule you add is no broader than what the failure requires.


Fedora Core 4

Before you start, make sure that the policy sources are installed on your server. On Fedora Core 4 they are in the "selinux-policy-targeted-sources" package.

Proceed as described:

  1. Change to the SELinux policy source directory:
    cd /etc/selinux/targeted/src/policy
  2. Edit the local.te file:
    vi domains/misc/local.te
  3. Then add:
    allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
  4. And finally, apply the modifications:
    make load

Fedora Core 5

Fedora Core 5 switched to a modular policy, so the local.te approach above no longer applies there. Please see the Fedora Core SELinux FAQ about the local.te file.

Fedora Core 6

Proceed as described:

1 First, make sure the SELinux Policy Development Tools are available on your server.

[root]#yum install selinux-policy-devel

2 Create a temporary directory and create the following files in it:

  • file gallery.te
policy_module(gallery, 1.0)

require {
        type httpd_tmp_t;
        type httpd_sys_script_t;
}

allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
  • file gallery.if - leave it empty
  • file gallery.fc - leave it empty

3 Compile

[root]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted gallery module
/usr/bin/checkmodule:  loading policy configuration from tmp/gallery.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/gallery.mod
Creating targeted gallery.pp policy package
rm tmp/gallery.mod tmp/gallery.mod.fc

4 Install

[root]#semodule -i gallery.pp
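Added example (not code from the Gallery project or the Codex): the generation of the rule above from logged denials, carried through as a script. It extracts the source type, target type, object class and permissions from "avc: denied" audit lines, merges them into the smallest allow rules that cover them, writes the gallery.te of step 2 with a require block computed from the types the rules use, and with --apply builds and loads it with the same Makefile and semodule commands as steps 3 and 4 (on Fedora Core 4 the same rule output can be appended to domains/misc/local.te instead). The sample log lines are constructed, not a real capture, and filtering the live log to denials whose source domain is httpd_sys_script_t is an assumption matching the case this page describes. It is a reduced form of what audit2allow does, not a substitute for it.

```shell
#!/bin/sh
# Added example, not part of the Gallery 2 code or the Codex procedure.
# Turns the "avc: denied" lines the kernel logs for Gallery's helper binaries
# into minimal allow rules, wraps them in a Fedora Core 6 style policy module
# and, with --apply, builds and installs it.  A small version of what
# audit2allow does, written out to show the mechanics.

# Constructed sample of what FC6 writes to /var/log/audit/audit.log when
# ImageMagick, forked by PHP, cannot read a temporary upload.  Not a real log.
SAMPLE_AVC='type=SYSCALL msg=audit(1166001000.123:45): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1166001000.123:45): avc:  denied  { read } for  pid=2345 comm="convert" name="phpA1B2C3" dev=dm-0 ino=98765 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1166001000.456:46): avc:  denied  { getattr } for  pid=2345 comm="convert" path="/tmp/phpA1B2C3" dev=dm-0 ino=98765 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1166001001.789:47): avc:  denied  { read } for  pid=2346 comm="convert" name="phpD4E5F6" dev=dm-0 ino=98766 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file'

# stdin: audit lines.  stdout: one "allow SRC TGT:CLASS { perms };" per
# (source type, target type, class), permissions merged, duplicates dropped.
avc_to_allow() {
    awk '
    function field(key) {
        if (match($0, key "[^ ]+")) return substr($0, RSTART + length(key), RLENGTH - length(key))
        return ""
    }
    function type_of(ctx,    a) { split(ctx, a, ":"); return a[3] }
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)      # keep only the text inside { }
        sub(/ *[}].*/, "", perms)
        s = type_of(field("scontext=")); t = type_of(field("tcontext=")); c = field("tclass=")
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) print s, t, c, pa[i]
    }' | sort -u | awk '
    {
        key = $1 " " $2 ":" $3
        if (key != cur) {
            if (cur != "") print "allow " cur " { " perms " };"
            cur = key; perms = $4
        } else perms = perms " " $4
    }
    END { if (cur != "") print "allow " cur " { " perms " };" }'
}

# stdin: allow rules.  stdout: a complete NAME.te whose require block lists
# every type the rules mention, as the modular policy demands.
te_module() {
    name=$1
    rules=$(cat)
    printf 'policy_module(%s, 1.0)\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '{ print $2; split($3, a, ":"); print a[1] }' | sort -u |
        while read -r t; do printf '        type %s;\n' "$t"; done
    printf '}\n\n%s\n' "$rules"
}

# Build NAME.pp from NAME.te in DIR with the devel Makefile, then load it.
build_and_install() {
    dir=$1; name=$2
    : > "$dir/$name.if"        # interface file, left empty as in step 2
    : > "$dir/$name.fc"        # file-context file, left empty as in step 2
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp"
}

# Usage (as root): sh gallery-policy.sh --apply
# Reads the live audit log instead of the sample and installs the result.
if [ "${1:-}" = "--apply" ]; then
    rules=$(grep 'scontext=[^ ]*:httpd_sys_script_t' /var/log/audit/audit.log | avc_to_allow)
    if [ -z "$rules" ]; then
        echo "no httpd_sys_script_t denials found in the audit log" >&2
        exit 1
    fi
    work=$(mktemp -d)
    printf '%s\n' "$rules" | te_module gallery > "$work/gallery.te"
    cat "$work/gallery.te"
    build_and_install "$work" gallery
fi
```

Read the generated .te before installing it: the correct fix is the narrowest rule that matches the denial (here getattr and read on httpd_tmp_t files, exactly the rule in step 2). A generated rule that grants write access or touches classes other than the temporary files usually means a file is mislabeled and should be fixed with chcon rather than with policy.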