[Update 8/11/2007: Fixed some typos and added what I hope is clarifying language.]
Installing Movable Type 4 (MT4) on Red Hat Enterprise Linux 5 (RHEL5) is challenging because RHEL5 runs SELinux by default. SELinux was developed by the NSA to harden Linux to the point where it was secure enough for their operations. With the number of zombied machines out there turned into unwitting spambots, anything you can do to make your machine more secure is a big plus.
A detailed explanation of SELinux is beyond the scope of this note, but the simple version is that it tightly defines which processes can access which system resources and is independently added on top of traditional unix access controls.
As this last paragraph suggests, there is a big trade-off between convenience and security. MT4 and SELinux might be thought of as being on opposite ends of that scale. MT4 endeavors to make things more convenient for users. It writes its own configuration file in a normally write-protected directory (cgi-bin) and reads from read-protected directories (cgi-bin, again). It allows you to download new components directly from the Internet and install them on your system (usually somewhere you designate under the web server root where you store your html files).
SELinux simply forbids all of these operations and will not let them occur. They all represent potentially large security holes that hackers can exploit.
Before we go further, I should note that I'm writing this note with the idea that you are familiar with Linux and have root access to your RHEL5 server. I'll also assume that you know how to manage the non-SELinux elements of an RHEL5 server, and that you are going to use mysql as your database.
Perhaps my biggest assumption is that you do not want to take the easy way out and just turn off SELinux.
You will have to be logged in as root to perform all of the activities described in the remainder of this note.
Get the required daemons running
RHEL5 comes with apache and mysql daemons that are off by default. You need to fire them up and set them to run on start-up using the Services tab under server administration.
Unpack the MT4 distribution
I'm going to assume that you unpacked the MT4 distribution in a subdirectory of /var/www/cgi-bin and that you have moved mt-static to the server's root html directory /var/www/html.
Configure SELinux for the daemons
By default, RHEL5 runs SELinux in targeted mode. This means that daemons like httpd and mysqld are controlled by SELinux. Users like root are not. See the RHEL5 deployment guide for details.
Now the fun begins. You can perform the following steps using either SELinux's graphical administrative interface or the command line. Since I am writing this from home, I'm going to illustrate the command line. First, you want to find out what SELinux is allowing mysqld and httpd to do. You achieve that by typing this:
getsebool -a
The output of this command lists all of the settings for all of the daemons running under RHEL5 and is quite lengthy. If your system is properly configured to run MT4, you'll see the following SELinux settings for httpd and mysqld amidst the command's output.
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> on
mysqld_disable_trans --> off
If you are running the getsebool command against a fresh install of RHEL5, your output will show a number of these variables set differently. You need to change them to what I have just shown to get MT4 to run. The command to do that is setsebool. For instance to set httpd_enable_cgi to on, type this:
setsebool -P httpd_enable_cgi 1
The -P option indicates that the change should be permanent and persist through reboots.
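As an added example (not part of the original post), the following POSIX shell function compares the output of getsebool -a against the six settings listed above and prints the setsebool -P commands still needed; the sample "fresh install" output it runs against is constructed for illustration, not captured from a real RHEL5 box.

```shell
#!/bin/sh
# Added example: check `getsebool -a` output against the booleans MT4 needs
# and print the `setsebool -P` commands that would bring the system in line.

# Required settings from the post, one "name value" pair per line.
MT4_REQUIRED="httpd_builtin_scripting on
httpd_can_network_connect on
httpd_can_network_connect_db on
httpd_enable_cgi on
httpd_enable_ftp_server on
mysqld_disable_trans off"

# Usage: mt4_sebool_fixes "<output of getsebool -a>"
# Prints one `setsebool -P <name> <1|0>` line per boolean that differs from
# the required value; prints nothing when everything already matches.
mt4_sebool_fixes() {
    current="$1"
    printf '%s\n' "$MT4_REQUIRED" | while read -r name want; do
        # getsebool prints lines of the form "httpd_enable_cgi --> off"
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            echo "# $name: not reported by getsebool (policy may differ)"
        elif [ "$have" != "$want" ]; then
            if [ "$want" = "on" ]; then bit=1; else bit=0; fi
            echo "setsebool -P $name $bit"
        fi
    done
}

# Constructed sample of a fresh-install `getsebool -a`, filtered to the
# six booleans of interest (not real output).
SAMPLE_FRESH="httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
mysqld_disable_trans --> off"

# On a real system, run as root:  mt4_sebool_fixes "$(getsebool -a)"
mt4_sebool_fixes "$SAMPLE_FRESH"
```

Review the printed commands before running them: httpd_enable_ftp_server and httpd_can_network_connect widen what httpd may do, so only enable what your installation actually uses.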
Configure SELinux for the cgi executables
It turns out that configuring daemon permissions will not do enough to make MT4 run properly under RHEL5. You need to also give the cgi scripts unrestricted permissions to do things on the file system. MT4 reads from its plugins directory (not permitted by SELinux because it is a subdirectory of the cgi-bin directory) and writes to the server's root html directory /var/www/html and subdirectories. To make it possible for MT4 to do all of this, you need to switch to MT4's root directory and type the following commands:
chcon -t httpd_unconfined_script_exec_t *.cgi
chcon -t httpd_sys_script_exec_t mt-config.cgi
The first command makes it possible for all of MT4's basic scripts to execute without restriction. The second command makes mt-config.cgi behave like a normal script without unrestricted permissions.
Setting up normal unix file permissions
Remember that SELinux is an independent security layer that is in addition to the access control elements like file permissions that you normally have in unix systems. You have to set those too for MT4 to work on RHEL5.
The apache web server daemon (httpd) runs as the user apache under the group apache. Movable Type needs to write to your web server root directory /var/www/html (where the html files are). Under the standard RHEL5 install, this directory is owned by root and so is not writeable by apache. The simplest way to make it writeable by apache is to change the ownership of this directory to apache using this command:
chown -R apache.apache /var/www/html
You can then make this directory so that it is not viewable by other users using the following command:
chmod 700 /var/www/html
If you unpacked your Movable Type files in some subdirectory of the cgi-bin directory, you should have the proper standard unix permissions.
Restart your apache web server
For all of the SELinux changes to take effect, you must restart the apache daemon, achieved from the command line by typing:
apachectl stop
apachectl start
You're now ready to configure your database and access MT4 from the web
Set up an account on your mysql server for MT4 to use, and then access your installation from the web. You'll be able to use the wizard, and it will write your mt-config.cgi file if you so choose.
I'll note in passing that there is a problem getting MT's built-in CAPTCHAs to work in this setup. That appears to be an issue with the link between MT4 and its CAPTCHA-generator. It does not appear to be an SELinux issue. When I turn SELinux off and reboot, I still get the same problem.