Dokuwiki will not work with selinux set to enforce

I run openSUSE Tumbleweed

Operating System: openSUSE Tumbleweed 20260214
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0
Qt Version: 6.10.2
Kernel Version: 6.18.9-1-default (64-bit)
Graphics Platform: Wayland
Graphics Processor: Intel® Iris® Xe Graphics

with SELinux enabled

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      35
#

Apache and PHP are installed and Apache starts on system startup

> systemctl status httpd
* apache2.service - The Apache Webserver
     Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: disabled)
     Active: active (running) since Tue 2026-02-17 17:11:50 CET; 4min 28s ago
 Invocation: e2878fb194294bec92a7cb7d9e445544
   Main PID: 1342 (httpd-prefork)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6
        CPU: 160ms
     CGroup: /system.slice/apache2.service
             |-1342 /usr/sbin/httpd-prefork -DSYSCONFIG -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "I>
             |-2257 /usr/sbin/httpd-prefork -DSYSCONFIG -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "I>
             |-2258 /usr/sbin/httpd-prefork -DSYSCONFIG -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "I>
             |-2259 /usr/sbin/httpd-prefork -DSYSCONFIG -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "I>
             |-2260 /usr/sbin/httpd-prefork -DSYSCONFIG -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "I>
             `-2262 /usr/sbin/httpd-prefork -DSYSCONFIG -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "I>

Feb 17 17:11:30 SYSTEM01 systemd[1]: Starting The Apache Webserver...
Feb 17 17:11:40 SYSTEM01 start_apache2[1342]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for SYSTEM01
Feb 17 17:11:40 SYSTEM01 start_apache2[1342]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, usi>
Feb 17 17:11:50 SYSTEM01 systemd[1]: Started The Apache Webserver.
>

Apache is listening on localhost only

> cat /etc/apache2/listen.conf

Listen 127.0.0.1:80


<IfDefine SSL>
        <IfDefine !NOSSL>
        <IfModule mod_ssl.c>

                Listen 127.0.0.1:443

        </IfModule>
        </IfDefine>
</IfDefine>

>

There are no SELinux-related errors after startup.

# ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<no matches>
#

Even when I access some of my self-designed web pages there are no SELinux-related errors.

However I do have dokuwiki installed and set up in /srv/www/htdocs/dokuwiki (its data comes from a backup of my server's dokuwiki).

All data in /srv/www does have system_u:object_r:httpd_sys_content_t:s0 set. But when I try to access the dokuwiki I get an error page saying

DokuWiki Setup Error

The datadir ('pages') at /srv/www/htdocs/dokuwiki/data/pages is not found, isn't accessible or writable. You should check your config and permission settings. Or maybe you want to run the installer?

and there is an SELinux error

# ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot
----
time->Tue Feb 17 17:34:01 2026
type=AVC msg=audit(1771346041.141:184): avc:  denied  { execmem } for  pid=2257 comm="httpd-prefork" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
#

audit2allow suggests

# ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot | audit2allow


#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
#

I did

# semanage boolean --modify --on httpd_execmem

After that calling dokuwiki will still result in the error page shown above while there are no further SELinux-related errors registered.

When I set

semanage permissive -a httpd_t

I can access my dokuwiki as expected.

As I’m not familiar with SELinux at all any help would be appreciated.

Thank you.

Hello,

If dokuwiki must write to some subdirectory in /srv/www/htdocs/dokuwiki/data, the context must be httpd_sys_rw_content_t.
To do this you must use the following commands:

# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/htdocs/dokuwiki/data(/.*)?'
# restorecon -R -v '/srv/www/htdocs/dokuwiki/data'

Before executing this, verify that a directory /var/www exists.

# ls -alZd /var/www
drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 sept.  4 20:23 /var/www

There is an equivalence for /srv/www defined as /var/www: you can see it via the command

semanage fcontext -l | tail
[…]
/srv/www = /var/www

Hope this helps
Regards
Philippe

Thank you very much for your support!

In the meantime I learned about this as well and applied

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/htdocs/dokuwiki/data(/.*)?"
restorecon -R -v /

After that I could access dokuwiki but got some new SELinux-related errors and had to set

semanage boolean --modify --on httpd_can_network_connect
semanage boolean --modify --on httpd_unified

Now dokuwiki seems to work (e.g. I can login and add/remove content) but I’m still left with a growing number of these errors

time->Tue Feb 17 21:24:10 2026
type=AVC msg=audit(1771359850.405:175): avc:  denied  { execmem } for  pid=2177 comm="httpd-prefork" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

This might be related to some plugins I have installed?

Probably I have to set /srv/www/htdocs/dokuwiki/plugins/ to httpd_sys_rw_content_t as well.

I will try and report back.

PS:
Is there a way to investigate in more detail the root of this “denied { execmem }”-error ?

I think you installed in a location not expected by the policy. There is a rule in the file contexts:

$ semanage fcontext -l | grep httpd_sys_rw_content_t
..
/var/lib/dokuwiki(/.*)?     all files   system_u:object_r:httpd_sys_rw_content_t:s0

From that I would think you need:
$ semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/htdocs/dokuwiki(/.*)?"

Regarding

Is there a way to investigate in more detail the root of this “denied { execmem }”-error ?

There is the man page [0], but that is sparse for that boolean:

If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean.

[0] https://manpages.opensuse.org/Tumbleweed/selinux-policy-doc/httpd_selinux.8.en.html

For the booleans needed have a look at
https://discussion.fedoraproject.org/t/i-need-some-clarification-on-the-httpd-graceful-shutdown-selinux-boolean/76923

susejunky wrote:
Is there a way to investigate in more detail the root of this “denied { execmem }”-error ?

I also had this error 😠
I mostly used sealert and the explanation therein,
for example:
If you want to allow httpd scripts and modules execmem/execstack
then you must tell SELinux about this by enabling the ‘httpd_execmem’ boolean.
You can read ‘httpd_selinux’ man page for more details.

Take into account that when you set a boolean to true you increase the risks if you are connected to the internet.

Regards
Philippe

Thank you very much for your support!

I’m not familiar with SELinux at all and was not aware that it would expect the www-data in /var/www. I just kept my www-data where I had it in the past years.

As mentioned in my first post audit2allow told me about the httpd_execmem boolean.

But I would not like to enable it for two reasons:

  1. I’m not sure if it is really needed or if it is just a subsequent error caused by something else.
  2. As @phil524 said it is imposing a security risk.

However with httpd_execmem set to 1 dokuwiki now runs without any SELinux-related errors.

Thank you very much to @phil524 and @rfrohl !

Now I will try to find out what won’t work when I set httpd_execmem to 0. Probably I can live without.

Please update us if you find out details!

I had a brief look and there is a stackexchange post [0] talking about php pcre JIT. Maybe the LD_PRELOAD technique could help in your case as well?

You can also try a more advanced SELinux debugging technique [1] and enable full auditing for a while. That would give you more details in the audit log. But I am not too sure that it will help in your case. But it might not be as intrusive and might provide some clue.

Maybe these pointers help and provide a starting point.

[0] https://unix.stackexchange.com/questions/287831/how-to-work-out-why-apache-is-attempting-execmem
[1] https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
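
Following the full-auditing pointer above, an added example (not code from any poster in this thread): it joins each execmem denial to the SYSCALL record that shares its audit event ID, so the requesting call and protection bits become visible. The function names are hypothetical, the SYSCALL line in the sample is constructed, and the syscall numbers assume x86_64.

```shell
# Added example (not from the thread). Joins each execmem AVC denial with the
# SYSCALL record of the same audit event ("timestamp:serial") to show which
# call asked for executable memory. Syscall numbers 9/10 assume x86_64.
# Sample input: both AVC lines are quoted from the thread; the SYSCALL line is
# constructed to show what an event carries once full auditing is enabled.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1771359850.405:175): avc:  denied  { execmem } for  pid=2177 comm="httpd-prefork" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1771359850.405:175): arch=c000003e syscall=10 success=no exit=-13 a0=7f1c2a400000 a1=10000 a2=7 a3=0 items=0 ppid=1342 pid=2177 comm="httpd-prefork" exe="/usr/sbin/httpd-prefork" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1771346041.141:184): avc:  denied  { execmem } for  pid=2257 comm="httpd-prefork" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
EOF
}
# Usage on a live system: ausearch -m avc -ts boot | explain_execmem
explain_execmem() {
  awk '
    function field(key,    i) {            # value of key=... in this record
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    function event_id() {                  # timestamp:serial in msg=audit(...)
      return match($0, /audit\([0-9.]+:[0-9]+\)/) ? substr($0, RSTART + 6, RLENGTH - 7) : ""
    }
    function prot_str(hex,    d) {         # low nibble of a2: 1=r 2=w 4=x
      d = index("0123456789abcdef", substr(hex, length(hex), 1)) - 1
      return (d % 2 ? "r" : "-") "" (int(d / 2) % 2 ? "w" : "-") "" (int(d / 4) % 2 ? "x" : "-")
    }
    { gsub(/"/, "") }                      # drop quotes around comm= and exe=
    $1 == "type=AVC" && index($0, "{ execmem }") {
      id = event_id(); if (!(id in pid)) order[++n] = id
      pid[id] = field("pid"); comm[id] = field("comm")
    }
    $1 == "type=SYSCALL" {
      id = event_id(); nr = field("syscall")
      call[id] = (nr == 9 ? "mmap" : (nr == 10 ? "mprotect" : "syscall#" nr))
      prot[id] = prot_str(field("a2")); exe[id] = field("exe")
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]; base = id " pid=" pid[id] " comm=" comm[id]
        if (id in call) print base, call[id], "prot=" prot[id], "exe=" exe[id]
        else print base, "no-SYSCALL-record"
      }
    }
  ' "$@"
}
sample_audit_log | explain_execmem
```

A line ending in no-SYSCALL-record means the event held only the AVC record, as the denials quoted in this thread do.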

Actually I had seen and tried this stackexchange post before I posted here. However putting pcre.jit=0 in my php.ini did not remove the SELinux-related execmem-error.

For the time being I set httpd_execmem to 0 and will wait if it has any negative consequences on my way of using dokuwiki.

Should I run into problems I will enable full auditing. Thank you very much for pointing me at this possibility.
