SELinux is an additional security system available for Linux. As security concerns over Linux servers grow, it is becoming more and more widely used.
Linux distributions supporting SELinux:
For the most curious of you, here are some related documents:
This procedure extends the standard installation procedure. It only outlines the additional steps that are required for Gallery 2 to work on a SELinux-enabled server. This procedure has been tested against Fedora Core 4.
By default, SELinux will prevent Apache/PHP from writing files unless they are assigned a correct type.
For each of the following files, you will have to change their type so that they become writable:
Use the following command to change the SELinux type of a file to "httpd_sys_content_t":
chcon -t httpd_sys_content_t <file>
Note: If you need to recursively change the type of all files and directories contained in one directory, use the "-R" option of "chcon".
Gallery relies on several binaries to perform actions not directly available through PHP. The most common examples are the graphics toolkits (except GD) and the zipcart module. Technically speaking, Apache/PHP forks a new process to handle a specific action (resize a picture, create a ZIP archive, and so on). Although the forked process runs with the same UID/GID as Apache, SELinux treats those processes as CGI scripts (domain httpd_sys_script_t) rather than as Apache/PHP itself. In practice, SELinux prevents those processes from reading files created by Apache. In Gallery, the symptom is that ImageMagick cannot read picture files to build thumbnails.
The solution is to modify the policy to allow this kind of action.
Before you start, make sure that the policy sources are installed on your server. In Fedora, they are located in the "selinux-policy-targeted-sources" package.
Proceed as described:
cd /etc/selinux/targeted/src/policy
vi domains/misc/local.te
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
make load
On Fedora Core 5, Fedora switched to a modular policy. Please see the Fedora Core FAQ about the local.te file.
Proceed as described:
1 First, make sure the SELinux Policy Development Tools are available on your server.
[root]# yum install selinux-policy-devel
2 Create a temporary directory and, inside it, create the policy source file gallery.te (the file name must match the module name) with the following content:
policy_module(gallery, 1.0)

require {
    type httpd_tmp_t;
    type httpd_sys_script_t;
}

allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
3 Compile
[root]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted gallery module
/usr/bin/checkmodule: loading policy configuration from tmp/gallery.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/gallery.mod
Creating targeted gallery.pp policy package
rm tmp/gallery.mod tmp/gallery.mod.fc
4 Install
[root]# semodule -i gallery.pp
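Before loading a module, it is worth confirming that the denials in the audit log are really the ones the module addresses. The following shell helper is an added example, not part of the original Gallery documentation: in the spirit of audit2allow, it reads AVC denial lines in the /var/log/audit/audit.log format and reduces them to the minimal allow rules. The sample lines are constructed to mimic ImageMagick being refused access to a Gallery temp file.

```shell
#!/bin/sh
# Constructed sample of audit.log lines (not taken from a real server):
# ImageMagick's "convert", forked from Apache, is denied getattr and read on a
# temp file Gallery wrote. A non-AVC SYSCALL record is included to be skipped.
AVC_SAMPLE='type=AVC msg=audit(1148290000.101:201): avc:  denied  { getattr } for  pid=3041 comm="convert" name="tmp_img.jpg" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_tmp_t tclass=file
type=AVC msg=audit(1148290000.102:202): avc:  denied  { read } for  pid=3041 comm="convert" name="tmp_img.jpg" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_tmp_t tclass=file
type=SYSCALL msg=audit(1148290000.102:202): arch=40000003 syscall=5 success=no exit=-13 comm="convert"'

# avc_to_allow: read audit lines on stdin and print one "allow" rule per
# (source type, target type, object class), with the denied permissions
# merged and sorted. Only the type component of each context is kept, and an
# optional trailing MLS level (":s0") is discarded.
avc_to_allow() {
  grep 'avc:  denied' \
  | sed -n 's/.*denied  { \([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
  | awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' \
  | LC_ALL=C sort -u \
  | awk '
    {
      key = $1 " " $2 ":" $3
      if (key != prev) {
        if (prev != "") print "allow " prev " { " perms " };"
        prev = key; perms = $4
      } else {
        perms = perms " " $4
      }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Demo: the constructed denials collapse to exactly the rule used in gallery.te.
# Review every generated rule against what the application legitimately needs
# before putting it in a module; the log only tells you what was refused.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

On a live server, run `avc_to_allow < /var/log/audit/audit.log` and compare the output with the rule in gallery.te; any additional rules point at denials this module does not cover.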