SELinux and Parsoid

General support questions
thomei
Posts: 23
Joined: 2011/02/18 11:11:50
Location: New Zealand or Switzerland

SELinux and Parsoid

Post by thomei » 2015/07/03 08:34:59

Hello

We are successfully running a MediaWiki on a CentOS 7 server.
Now we have to enable the VisualEditor, which needs Parsoid. On Ubuntu LTS we could run Parsoid and VisualEditor successfully, but on CentOS 7 it does not work.

Parsoid is set to port 8000 and starts like it should:

Code:

root@dsswe7002 parsoid $ node /opt/parsoid/api/server.js &
[1] 29313
[info][master][29313] initializing 4 workers
[info][worker][29315] loading ...
[info][worker][29316] loading ...
[info][worker][29318] loading ...
[info][worker][29320] loading ...
[info][worker][29315] ready on :8000
[info][worker][29316] ready on :8000
[info][worker][29318] ready on :8000
[info][worker][29320] ready on :8000

root@dsswe7002 parsoid $
Port 8000 is open:

Code:

root@dsswe7002 parsoid $ firewall-cmd --list-ports
389/udp 8000/udp 389/tcp 8000/tcp
Parsoid is installed in /opt/parsoid:

Code:

root@dsswe7002 parsoid $ ls -lZ
drwxrwxr--. root root system_u:object_r:usr_t:s0       api
-rw-rw-r--. root root system_u:object_r:usr_t:s0       AUTHORS.txt
-rw-rw-r--. root root system_u:object_r:usr_t:s0       COPYING.txt
-rw-rw-r--. root root system_u:object_r:usr_t:s0       doc.basicTypes.js
-rw-rw-r--. root root system_u:object_r:usr_t:s0       doc.guides.json
drwxrwxr--. root root system_u:object_r:usr_t:s0       docs
drwxrwxr--. root root system_u:object_r:usr_t:s0       guides
-rw-rw-r--. root root system_u:object_r:usr_t:s0       jsduck-conf.json
drwxrwxr--. root root system_u:object_r:usr_t:s0       lib
drwxr-xr-x. root root system_u:object_r:usr_t:s0       node_modules
-rw-rw-r--. root root system_u:object_r:usr_t:s0       package.json
-rw-rw-r--. root root system_u:object_r:usr_t:s0       README.md
drwxrwxr--. root root system_u:object_r:usr_t:s0       tests

But the VisualEditor won't start. It stops in the browser with the message:
Error loading data from server: 0: parsoidserver-http: HTTP 0. Would you like to retry?
In /var/log/audit/audit.log I can find the following events:

Code:

type=AVC msg=audit(1435902829.676:13848): avc:  denied  { name_connect } for  pid=2052 comm="httpd" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1435902829.676:13848): arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fffc0dee9b0 a2=1c a3=0 items=0 ppid=975 pid=2052 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1435902829.676:13849): avc:  denied  { name_connect } for  pid=2052 comm="httpd" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1435902829.676:13849): arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fffc0dee9b0 a2=10 a3=0 items=0 ppid=975 pid=2052 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Which SELinux rule is blocking Parsoid/VisualEditor?
Any idea what's wrong?

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and Parsoid

Post by TrevorH » 2015/07/03 11:51:39

The AVC says it's trying to connect to port 8000 and this is not allowed. You could put selinux into permissive mode by using setenforce 0 and then try it out to see if it works. That will do 2 things: first it will confirm that it is indeed selinux stopping it from working (since it will now work) and will also generate a complete set of logs for the actions it's attempting. From those you can generate a policy that will enable the actions or solve it in a different way. For example, grep -i avc /var/log/audit/audit.log | audit2allow -M parosid then look at the generated parosid.te file to see what things it is about to allow!
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
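As an added example (not code from this thread or from the Parsoid project), a small Python triage helper that parses type=AVC records like the two quoted above and, for a name_connect denial from httpd_t, proposes the narrow port relabel instead of the broad httpd_can_network_connect boolean; the sample log is constructed from the thread's records.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the two AVC records from the thread plus one of
# their SYSCALL companions, which the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1435902829.676:13848): avc:  denied  { name_connect } for  pid=2052 comm="httpd" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1435902829.676:13848): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1435902829.676:13849): avc:  denied  { name_connect } for  pid=2052 comm="httpd" dest=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"^type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass(frozen=True)
class Denial:
    perms: tuple      # e.g. ('name_connect',)
    comm: str         # process name, e.g. httpd
    stype: str        # source domain type, e.g. httpd_t
    ttype: str        # target type, e.g. soundd_port_t
    tclass: str       # object class, e.g. tcp_socket
    dest: str         # destination port for socket denials, else ''

def parse_avc(line):
    """Return a Denial for a type=AVC record, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(tuple(m.group("perms").split()), f.get("comm", ""),
                  f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
                  f["tclass"], f.get("dest", ""))

def suggest(d):
    """Least-privilege fix for a name_connect denial from httpd_t."""
    if "name_connect" not in d.perms or d.tclass != "tcp_socket" or d.stype != "httpd_t":
        return "no canned fix; review with audit2allow"
    if d.ttype == "http_port_t":
        return "port is already http_port_t; check httpd_can_network_relay / httpd_can_network_connect"
    # A port that already carries a policy type (soundd_port_t here) is moved
    # with -m; an unreserved port would need -a instead.
    flag = "-a" if d.ttype == "unreserved_port_t" else "-m"
    return f"semanage port {flag} -t http_port_t -p tcp {d.dest}"

def triage(log):
    """Map each distinct denial to its suggestion (duplicate records collapse)."""
    return {d: suggest(d) for d in map(parse_avc, log.splitlines()) if d}
```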

thomei
Posts: 23
Joined: 2011/02/18 11:11:50
Location: New Zealand or Switzerland

Re: SELinux and Parsoid

Post by thomei » 2015/07/03 13:34:42

Thanks for your help!

The "HTTP 0" error is now fixed.
I had to turn off the httpd_can_network_connect boolean and add port 8000 to http_port_t.

Now I get the following error:
Error loading data from server: 404: parsoidserver-http: HTTP 404. Would you like to retry?
But I can't find any log entry about it in /var/log/audit/audit.log or /var/log/httpd/error.log.

Where should I look now for errors?

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and Parsoid

Post by TrevorH » 2015/07/03 13:59:08

Did you put it permissive before you looked at the logs? If you don't then it will stop as soon as it hits the first error. In permissive mode the access is allowed and a complete log of everything that would have been denied is generated.

thomei
Posts: 23
Joined: 2011/02/18 11:11:50
Location: New Zealand or Switzerland

Re: SELinux and Parsoid

Post by thomei » 2015/07/06 12:42:35

Hello

Thank you very much TrevorH!
Now everything works!


To run the VisualEditor and Parsoid on a CentOS 7 server, you need to do the following.
The requirement is a working MediaWiki (min. V1.25.x) setup. (Create a LAMP setup on CentOS 7, RHEL 7, Fedora 22, or Scientific Linux 7.)

1) Become root:

Code:

su -
Enter the root password

2) Install node.js, npm, vim, Git and the SELinux policy Python utilities:

Code:

yum install nodejs npm vim-enhanced git policycoreutils-python
Confirm with "y" if asked

4) Make sure you are in root's home directory:

Code:

cd ~
5) Download the latest Parsoid from Git:

Code:

git clone https://gerrit.wikimedia.org/r/p/mediawiki/services/parsoid
6) Copy Parsoid to /opt:

Code:

cp -rv ~/parsoid /opt/
7) Go to /opt/parsoid/

Code:

cd /opt/parsoid/
8) Install Parsoid in node.js:

Code:

npm install
9) Create the file /opt/parsoid/api/localsettings.js:

Code:

vim /opt/parsoid/api/localsettings.js
10) Press the "Insert" key and copy the following settings:

Code:

'use strict';
exports.setup = function(parsoidConfig) {

        parsoidConfig.setMwApi('yourwiki', { uri: 'http://base-url-of-your-wiki.com/api.php' });

};
Change yourwiki to an identifier that is unique to your wiki. You'll need this key later.
Change base-url-of-your-wiki.com to the base url that the users use in the browser.
Press "ESC" followed by ":wq!" and "Enter" to save and close vim.

11) Go to /opt/

Code:

cd ..
12) Set file system rights:

Code:

chown -Rv root:root parsoid
...
chmod -Rv u+rw,g+r,o+r parsoid
... 
You may check with: ls -l

13) Set SELinux labels on filesystem:

Code:

chcon -Rv --type=usr_t parsoid
You may check with: ls -Z

14) Open port 8000 in the firewall:

Code:

firewall-cmd --permanent --zone=public --add-port=8000/tcp
firewall-cmd --reload
You may check with: firewall-cmd --list-all | grep " ports"

15) Allow Apache to use port 8000:

Code:

semanage port -m -t http_port_t -p tcp 8000
You may check with: semanage port -l | grep http_port_t

16) Allow Apache to use the network to contact Parsoid:

Code:

setsebool httpd_can_network_connect 0
You may check with: getsebool httpd_can_network_connect (should be "off")

17) Create a systemd service for Parsoid:

Code:

vi /etc/systemd/system/parsoid.service
18) Press the "Insert" key and copy the following settings:

Code:

[Unit]
Description=Mediawiki Parsoid web service on node.js
Documentation=http://www.mediawiki.org/wiki/Parsoid
Wants=local-fs.target network.target
After=local-fs.target network.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/opt/parsoid
# EnvironmentFile=-/etc/parsoid/parsoid.env
ExecStart=/usr/bin/node /opt/parsoid/api/server.js
KillMode=process
Restart=on-success
PrivateTmp=true
StandardOutput=syslog
Press "ESC" followed by ":wq!" and "Enter" to save and close vim.

19) Start the Parsoid-daemon:

Code:

systemctl start parsoid.service
If there is no error message, everything should be OK.

20) Test whether Parsoid is working: go to a user's computer and open http://base-url-of-your-wiki.com:8000/_wikitext/ in a browser. (Replace base-url-of-your-wiki.com with the base URL that the users use in the browser.)
You should now be able to enter some wiki code in the form, and Parsoid should render it into a correct HTML page after a click on "Send data".

21) Make sure you are in root's home directory:

Code:

cd ~
22) Download the VisualEditor:

Code:

git clone https://gerrit.wikimedia.org/r/p/mediawiki/extensions/VisualEditor.git
23) Download the UniversalLanguageSelector:

Code:

git clone https://gerrit.wikimedia.org/r/p/mediawiki/extensions/UniversalLanguageSelector.git
24) Copy the VisualEditor to the extensions directory of your MediaWiki:

Code:

cp -rv VisualEditor /var/www/your-mediawiki-installation/extensions/
Replace /var/www/your-mediawiki-installation with the real path.

25) Copy the UniversalLanguageSelector to the extensions directory of your MediaWiki:

Code:

cp -rv UniversalLanguageSelector /var/www/your-mediawiki-installation/extensions/
Replace /var/www/your-mediawiki-installation with the real path.


26) Edit the Settings of your MediaWiki:

Code:

vim /var/www/your-mediawiki-installation/LocalSettings.php
Replace /var/www/your-mediawiki-installation with the real path.

27) Go to the end of the file and enter:

Code:

# UniversalLanguageSelector
require_once "$IP/extensions/UniversalLanguageSelector/UniversalLanguageSelector.php";

#VisualEditor
require_once "$IP/extensions/VisualEditor/VisualEditor.php";

// Enable by default for everybody
$wgDefaultUserOptions['visualeditor-enable'] = 1;

// Don't allow users to disable it
#$wgHiddenPrefs[] = 'visualeditor-enable';

// OPTIONAL: Enable VisualEditor's experimental code features
#$wgDefaultUserOptions['visualeditor-enable-experimental'] = 1;

// URL to the Parsoid instance
// MUST NOT end in a slash due to Parsoid bug
// Use port 8142 if you use the Debian package
$wgVisualEditorParsoidURL = 'http://base-url-of-your-wiki.com:8000';

// Interwiki prefix to pass to the Parsoid instance
// Parsoid will be called as $url/$prefix/$pagename
$wgVisualEditorParsoidPrefix = 'yourwiki';

# Namespaces for VE
$wgVisualEditorNamespaces = array_merge(
        $wgContentNamespaces,
        array( /* add any extra namespace constants here, e.g. NS_USER, NS_HELP */ )
);

# Timeout for HTTP requests to Parsoid in seconds
$wgVisualEditorParsoidTimeout = 200;
Change yourwiki to an identifier that is unique to your wiki. You must use the same identifier as in step 9!
Change base-url-of-your-wiki.com to the base url that the users use in the browser.
Press "ESC" followed by ":wq!" and "Enter" to save and close vim.

28) Enable the Parsoid service to start at boot time:

Code:

systemctl enable parsoid.service
It should answer with: ln -s '/etc/systemd/system/parsoid.service' '/etc/systemd/system/multi-user.target.wants/parsoid.service'

That's it!

It should work on CentOS 7, RHEL 7, Fedora 22, or Scientific Linux 7...
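An added example (not from the post above or from MediaWiki/Parsoid): a Python lint for the three places the steps above must agree, namely the setMwApi key in localsettings.js (step 10), $wgVisualEditorParsoidURL and $wgVisualEditorParsoidPrefix in LocalSettings.php (step 27), and the http_port_t label shown by semanage port -l (step 15). The host name wiki.example.org and the semanage output are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed inputs modelled on step 10 (localsettings.js), step 27
# (LocalSettings.php) and the check in step 15 ('semanage port -l').
LOCALSETTINGS_JS = """\
'use strict';
exports.setup = function(parsoidConfig) {
    parsoidConfig.setMwApi('yourwiki', { uri: 'http://wiki.example.org/api.php' });
};
"""
LOCALSETTINGS_PHP = """\
$wgVisualEditorParsoidURL = 'http://wiki.example.org:8000';
$wgVisualEditorParsoidPrefix = 'yourwiki';
$wgVisualEditorParsoidTimeout = 200;
"""
SEMANAGE_PORT_L = """\
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8000, 8008, 8009, 8443, 9000
"""
MWAPI_RE = re.compile(r"setMwApi\(\s*'([^']+)'\s*,\s*\{\s*uri:\s*'([^']+)'")
PHP_STR_RE = re.compile(r"^\$(\w+)\s*=\s*'([^']*)';", re.M)

def http_tcp_ports(semanage_output):
    """Set of tcp ports labelled http_port_t in 'semanage port -l' output."""
    for line in semanage_output.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[:2] == ["http_port_t", "tcp"]:
            return {p.strip() for p in " ".join(cols[2:]).split(",")}
    return set()

def check(js, php, semanage_output):
    """Return the list of mismatches; an empty list means the wiring agrees."""
    m = MWAPI_RE.search(js)
    if not m:
        return ["no setMwApi() call in localsettings.js"]
    js_prefix, api_uri = m.groups()
    vars_ = dict(PHP_STR_RE.findall(php))
    url = vars_.get("wgVisualEditorParsoidURL", "")
    problems = []
    if url.endswith("/"):  # step 27 comment: must not end in a slash
        problems.append("wgVisualEditorParsoidURL must not end in a slash")
    parsed = urlparse(url.rstrip("/"))
    port = str(parsed.port or 80)
    if port not in http_tcp_ports(semanage_output):
        problems.append(f"tcp port {port} is not labelled http_port_t: httpd_t would get a name_connect AVC (step 15)")
    if vars_.get("wgVisualEditorParsoidPrefix") != js_prefix:
        problems.append(f"prefix {vars_.get('wgVisualEditorParsoidPrefix')!r} in LocalSettings.php differs from {js_prefix!r} in localsettings.js")
    if urlparse(api_uri).hostname != parsed.hostname:
        problems.append("setMwApi uri host differs from wgVisualEditorParsoidURL host")
    return problems
```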

snr
Posts: 1
Joined: 2016/08/09 06:24:43

Re: SELinux and Parsoid

Post by snr » 2016/08/09 06:39:23

Hello thomei,

Thank you very much for the write up, I have a question though.

In step 9 you mention "/opt/parsoid/api", but I couldn't find that directory when I downloaded the latest Parsoid from Git as mentioned in step 5. The same directory is mentioned in step 18 to locate "server.js", but I could see it sitting under the "/opt/parsoid/bin" directory.

Do I need to create the api directory manually and move the server.js over there?

Codefire
Posts: 1
Joined: 2014/12/10 21:52:32

Re: SELinux and Parsoid

Post by Codefire » 2016/08/24 16:45:21

I have the same issue with the ./api directory. Altering the service file from /api/ to /bin/ didn't work.
From audit.log:
type=SERVICE_START msg=audit(1472056703.030:1130884): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=parsoid comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1472056703.497:1130885): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=parsoid comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Also my chcon command failed:
opt]# chcon -Rv --type=system_u:object_r:usr_t:s0 parsoid
changing security context of ‘parsoid/.git/refs/heads/master’
chcon: failed to set type security context component to ‘system_u:object_r:usr_t:s0’: Invalid argument
changing security context of ‘parsoid/.git/refs/heads’
chcon: failed to set type security context component to ‘system_u:object_r:usr_t:s0’: Invalid argument
changing security context of ‘parsoid/.git/refs/tags’

Not sure if they're related.

Any ideas? Thanks

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and Parsoid

Post by TrevorH » 2016/08/24 20:03:50

You don't have any AVCs in your audit log (that you've showed us) so I suspect that your problem is not selinux. To confirm, as root run setenforce 0 and try again. If it works then your problem is selinux related but if it does not then it isn't.

hunter86_bg
Posts: 1373
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux and Parsoid

Post by hunter86_bg » 2016/08/28 10:09:58

In step 16, change it to

Code:

setsebool -P httpd_can_network_connect 0
as otherwise it won't work after a reboot. You need it to be permanent.
In step 19, add

Code:

systemctl daemon-reload
prior to starting the service.

hananrok
Posts: 1
Joined: 2016/09/07 17:57:45

Re: SELinux and Parsoid

Post by hananrok » 2016/09/07 18:12:11

Hi all,

I had the same issues as trevor: there is no api directory. I looked into it for a while and understood some things:
- Parsoid looks for a config.yaml file when it runs; if there is no such file, it starts with the default configuration. In the Parsoid directory there should be a config.example.yaml file that you can copy instead of making a new one yourself. You should tell Parsoid to use localsettings.js in this config file (explained here: https://www.mediawiki.org/wiki/Parsoid/ ... ation_file)
- localsettings.js should be in the root directory of Parsoid (/opt/parsoid) or any other directory you prefer, according to the config.yaml configuration file you just created.
- Make sure the "domain" in the wiki configuration (/var/www/yourwiki/LocalSettings.php) and in the Parsoid configuration are the same and point to your server. localhost did not work for me; if you change it to the hostname of the machine it might work.

Hope it will help somebody.
