SELinux

jitterman

How does one configure SELinux to work with Vanilla forums?

jitterman

I think I have resolved this issue, at least from what I have seen so far.
The issue (I think) was the SELinux was silently preventing Vanilla Forum from creating directories. In particular, it was preventing users from uploading an avatar image, and it was preventing me from enabling plugins.

SELinux is being used by an increasing number of Linux systems to enhance security. I know for sure that it is being used on Fedora, CentOS and Redhat systems, but likely is being used on others as well.

You can see SELinux activity by running (this is a gui program so you must have the X Windows system running when you run it):

# sealerts                                                                   

The # represents the root prompt, you don't type it, instead it indicates you must be root when running the command, another way you can accomplish this is with sudo:

$ sudo sealerts

After some searching, I found that SELinux is controlled by a collection of boolean values (among other things). The ones that are important here are the ones that affect Apache (httpd). You can see them using:

# getsebool -a | grep httpd

In particular, the ones that tend to affect dynamic websites like Vanilla are:

httpd_enable_cgi --> on
httpd_unified --> on
httpd_builtin_scripting --> on

I found on my system that httpd_unified was not on, so I fixed it with:

# setsebool -P httpd_unified=1

That did it!

One more thing. I had placed the forum in a nonstandard place on my server. SELinux expects websites to be placed in /var/www, but I put it in /projects/www. Normally, SELinux would not allow webpages to be served from any place but /var/www. However, you can tell SELinux to allow pages to be served from /projects/www using:

# chcon -R --reference /var/www /projects/www

This changes the SELinux context information on /projects/www and all files and subdirectories that it contains to be the same as found on /var/www. I installed the Vanilla Forum software into /projects/www first, and then ran the command. For good measure, I ran it again after Vanilla Forum was all set up.