Running TWiki under SELinux
Somehow I have apparently managed to get it running. No doubt I’ll
forget a few things along the way. I’ll say two things up front.
First, read my previous entry: make sure the partition TWiki sits on
is not mounted with the nosuid option. Second, O’Reilly’s SELinux
book turns out to be decent enough. Probably better than a lot of the
other documentation you’ll find out there. It should be dated since
it’s written around FC2 apparently, but in fact I’ve found it quite
applicable where it was important.
Now. I’ve got a bonus hard step for you: I’m putting TWiki in
/srv/www/virtual.host.name/twiki. twiki is not under DocumentRoot
(DocumentRoot being /srv/www/virtual.host.name/root).
Extract TWiki to the aforementioned directory. I used the Dakar release, BTW. Here are some excerpts from my Apache configuration, for starters:
### TWiki
ScriptAlias /twiki/bin/ /srv/www/virtual.host.name/twiki/bin/
Alias /twiki/pub/ /srv/www/virtual.host.name/twiki/pub/
<Directory /srv/www/virtual.host.name/twiki>
Options -Indexes
</Directory>
<Directory /srv/www/virtual.host.name/twiki/bin>
Options +ExecCGI
SetHandler cgi-script
</Directory>
<Directory ~ "^/srv/www/virtual\.host\.name/twiki/(data|templates|lib)">
Deny from all
</Directory>
That isn’t the whole configuration, obviously, but it is the parts
that I feel are important to getting TWiki working. (Note that this
isn’t using mod_perl yet, but I hope it will be in the near future.)
Next we need to… modify your SELinux policy! Yay custom
modifications! You’ll need to stop ignoring those e-mails from yum
that indicate selinux-policy-targeted has been updated. Make sure
you have selinux-policy-targeted-sources installed. cd
/etc/selinux/targeted/src/policy. From there, here are the files I
created:
[root@host policy]# cat types/local.te
# /srv
type srv_t, file_type, root_dir_type, sysadmfile;
[root@host policy]# cat domains/program/local.te
# Apache access to /srv.
allow { httpd_t httpd_sys_script_t } srv_t:dir { search getattr };
[root@host policy]# cat file_contexts/local.fc
/srv(/.*)? system_u:object_r:srv_t
Also, you’ll need to touch file_contexts/program/local.fc. Then
make reload and you should get your new policy. God willing this is
the policy that will be used at next boot, but I definitely haven’t
tested that.
Now that we’ve got that set up, we need to set some contexts up.
chcon -t srv_t /srv
chcon -R -t httpd_sys_content_t /srv/www
chcon -R -t httpd_sys_script_rw_t /srv/www/virtual.host.name/twiki
chcon -t httpd_sys_script_exec_t /srv/www/virtual.host.name/twiki/bin/*
chcon -t httpd_sys_script_rw_t /srv/www/virtual.host.name/twiki/bin/logos
chown -R apache /srv/www/virtual.host.name/twiki
chmod -R u+w /srv/www/virtual.host.name/twiki
For installation purposes, TWiki needs everything writable. (Of
course, I’m quite sure it doesn’t, but I’m kind of following install
directions here.) I’m also assuming that when you extracted TWiki
everything in the bin directory got set executable; if it didn’t,
chmod u+x bin/* now. (In particular a few scripts like viewauth
didn’t get set executable, now that I think about it.) Now hit
/twiki/bin/configure in a web browser. Configure TWiki. When done,
follow whatever instructions it gives you, then:
chcon -R -t httpd_sys_content_ro_t /srv/www/virtual.host.name/twiki
chcon -R -t httpd_sys_content_rw_t /srv/www/virtual.host.name/twiki/{data,pub}
chcon -t httpd_sys_script_exec_t /srv/www/virtual.host.name/twiki/bin/*
chcon -t httpd_sys_script_ro_t /srv/www/virtual.host.name/twiki/bin/logos
chown -R root /srv/www/virtual.host.name/twiki
chmod -R og-w /srv/www/virtual.host.name/twiki
chown -R apache /srv/www/virtual.host.name/twiki/{data,pub}
I chowned everything back to root just because that’s who owns
everything else in /srv/www/virtual.host.name. If you have some
other user, feel free to use it. What’s important is that the
apache user can write to the data and pub directories in TWiki’s
directory.
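As an added check that is not part of the original post, here is a small script that reads a "context path" listing (the shape `stat -c '%C %n'` prints) and flags anything in the tree still carrying an install-time context after the lock-down sequence. It assumes the post's /srv/www/virtual.host.name/twiki path and its chcon order; the sample listing is constructed.

```shell
# Added example, not from the original post: check that a TWiki tree carries
# the contexts the post-configure chcon sequence produces. TWIKI is the
# page's path; input is "context path" lines as `stat -c '%C %n'` prints them.
TWIKI=/srv/www/virtual.host.name/twiki

# expected_type PATH: type PATH should have after the lock-down commands,
# following their order: -R ro_t everywhere, -R rw_t on data and pub,
# non-recursive exec_t on bin/*, then script_ro_t on the bin/logos dir
# (so files below bin/logos keep content_ro_t).
expected_type() {
    case "$1" in "$TWIKI"|"$TWIKI"/*) ;; *) return 1 ;; esac
    rel=${1#"$TWIKI"}
    case "$rel" in
        /bin/logos)                echo httpd_sys_script_ro_t ;;
        /bin/*/*)                  echo httpd_sys_content_ro_t ;;
        /bin/*)                    echo httpd_sys_script_exec_t ;;
        /data|/data/*|/pub|/pub/*) echo httpd_sys_content_rw_t ;;
        *)                         echo httpd_sys_content_ro_t ;;
    esac
}

# check_contexts: read "context path" lines on stdin, print each path whose
# type (third colon field, so MLS levels are ignored) is wrong; fail if any.
check_contexts() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        rest=${ctx#*:}; rest=${rest#*:}; actual=${rest%%:*}
        want=$(expected_type "$path") || { echo "skip $path" >&2; continue; }
        if [ "$actual" != "$want" ]; then
            echo "$path: is $actual, want $want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed listing: two files still carry install-time contexts.
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_ro_t /srv/www/virtual.host.name/twiki/lib/TWiki.pm
system_u:object_r:httpd_sys_script_exec_t /srv/www/virtual.host.name/twiki/bin/view
system_u:object_r:httpd_sys_script_ro_t /srv/www/virtual.host.name/twiki/bin/logos
system_u:object_r:httpd_sys_content_rw_t /srv/www/virtual.host.name/twiki/data/Main/WebHome.txt
system_u:object_r:httpd_sys_script_rw_t /srv/www/virtual.host.name/twiki/templates/view.tmpl
system_u:object_r:httpd_sys_content_rw_t /srv/www/virtual.host.name/twiki/lib/LocalSite.cfg'

printf '%s\n' "$SAMPLE_LISTING" | check_contexts || echo "relabel the paths above"
```

On a real host, feed it `find /srv/www/virtual.host.name/twiki -exec stat -c '%C %n' {} + | check_contexts` instead of the sample listing.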
A final note: use of httpd_sys_content_t above is probably pure
whimsy. I'm thinking it could (and quite possibly should) be replaced
with httpd_sys_script_ro_t, but I'm just not positive. Read
the documents referenced at the end of my last entry for more
information on what they do, paying special attention to the value of
httpd_unified on your system (getsebool httpd_unified).