Failed executing: /usr/local/bin/convert


Kristian Hole

Monday 12 February 2007 9:54:59 am

Hi All,

A word of warning to all of you running a recent version of Red Hat Enterprise Linux (RHEL) / Fedora. Newer RHEL has a kernel-level protection mechanism called SELinux (Security-Enhanced Linux). If this is installed and you are running eZ Publish, you will typically get errors similar to this in the debug output when trying to upload an image in the admin interface:

Failed executing: /usr/local/bin/convert '-geometry' '600x600>' 'var/plain/storage/images/media/images//9769-1-eng-GB/blah.gif' 'GIF:var/plain/storage/images/media/images/9769-1-eng-GB/blah.gif', Error: , Return: 1

This is because the default SELinux does not allow PHP to run the command.

You can disable the protection by running:

    setenforce permissive

But a better solution would be to configure SELinux to work with this. Does anybody know the best way to set up SELinux to get this working?

Kristian

http://ez.no/ez_publish/documenta...tricks/show_which_templates_are_used
http://ez.no/doc/ez_publish/techn...te_operators/miscellaneous/attribute

Paul Borgermans

Monday 12 February 2007 11:20:29 am

Hi Kristian,

SELinux can be a tough beast. We should create a policy file which can be used by eZ publish based installations (fine grained control).

Alternatively (from the httpd_selinux(8) man page):

You can disable SELinux protection for the httpd daemon by executing:

    setsebool -P httpd_disable_trans 1
    service httpd restart

Paul

eZ Publish, eZ Find, Solr expert consulting and training
http://twitter.com/paulborgermans

James Ward

Monday 12 February 2007 11:41:37 am

Paul,
That is exactly how I am currently getting around SELinux issues with eZ Publish. I couldn't agree more that we need an example policy to provide Apache with access to ImageMagick and only the write permissions required to run eZ.

working at www.wardnet.com
blogging at www.jamesward.ca

Kristian Hole

Monday 12 February 2007 1:03:41 pm

Here is some more information:
http://codex.gallery2.org/Gallery2:Installation_on_a_SELinux_Server

Kristian


Karl Latiss

Tuesday 13 February 2007 6:28:14 pm

On a default CentOS 4 server install with eZ installed in /var/www/html I added the following to

/etc/selinux/targeted/src/policy/domains/misc/local.te

allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_sys_content_t:dir { add_name read setattr write };
allow httpd_sys_script_t httpd_sys_content_t:file { create setattr write };
allow httpd_sys_script_t self:capability { dac_override dac_read_search };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
allow httpd_sys_script_t httpd_tmp_t:file write;
allow httpd_sys_script_t tmp_t:lnk_file read;

which seems to be enough to make things work.

Atvert Systems
http://www.atvert.com.au
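
An added example, not part of the original thread: a small parser that groups AVC denials for the web-script domain into the kind of `allow` rules posted above and marks capability grants for review, since `dac_override` bypasses ordinary file permission checks. The log lines are constructed and the function names are hypothetical; on a real host `audit2allow` does this job from the audit log.

```python
import re
from collections import defaultdict

# Constructed AVC denials in audit.log style (not captured from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1171274099.101:41): avc:  denied  { write } for  pid=2345 comm="convert" name="9769-1-eng-GB" scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1171274099.102:42): avc:  denied  { add_name } for  pid=2345 comm="convert" name="blah.gif" scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1171274099.103:43): avc:  denied  { create } for  pid=2345 comm="convert" name="blah.gif" scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1171274099.104:44): avc:  denied  { write } for  pid=2345 comm="convert" name="blah.gif" scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1171274099.105:45): avc:  denied  { dac_override } for  pid=2345 comm="convert" capability=1 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
type=AVC msg=audit(1171274100.001:46): avc:  denied  { read } for  pid=1200 comm="named" name="named.conf" scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_conf_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def se_type(context):
    """Return the type field of user:role:type[:level]."""
    return context.split(":")[2]


def denials_to_rules(log_text, source_type="httpd_sys_script_t"):
    """Merge denials for one source domain into sorted allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or se_type(m["s"]) != source_type:
            continue  # not a denial, or a different domain
        src, tgt = se_type(m["s"]), se_type(m["t"])
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on itself
        grouped[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def needs_review(rule):
    """Capability grants widen the domain beyond labelled file access."""
    return ":capability " in rule


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule + ("   # REVIEW: capability grant" if needs_review(rule) else ""))
```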
