SELinux and WordPress on Fedora 16: Success Recipes

See also SELinux and WordPress on Fedora 16: Open Problems.

Context and Contingencies

  • The apache httpd runs as user apache:apache
  • The WordPress installation will be in /var/wordpress/blogname (the blog name is note-to-self in the commands below)
  • All activity is expected to be done at user level (i.e. not as root) unless clearly stated
    • You will see explicit sudo invocations

Recipe

httpd_sys_rw_content_t

Ensure that the writable areas of the blog have the httpd_sys_rw_content_t label.

What happens if you don’t:

Create a semanage specification file /var/wordpress/note-to-self/spec.semanage as:

fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/.htaccess'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/blogs.dir(/.*)?'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/cache(/.*)?'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/plugins(/.*)?'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/themes(/.*)?'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/upgrade(/.*)?'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/uploads(/.*)?'
fcontext -a -f 'all files' -t httpd_sys_rw_content_t '/var/wordpress/note-to-self/wp-content/wp-cache-config.php'

Load the specification:

$ sudo semanage -i /var/wordpress/note-to-self/spec.semanage
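
The spec file above hard-codes one blog name. The following is an added example, not part of the original recipe: a generator that emits the same nine rules for any blog under /var/wordpress. It goes one step further than the page by escaping regex metacharacters (the dot in .htaccess, for instance), since fcontext path specifications are regular expressions; the function names and the script name gen-spec.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): generate the fcontext spec
# shown above for any blog directory under /var/wordpress.

WP_BASE=/var/wordpress            # base directory used on the page
RW_TYPE=httpd_sys_rw_content_t    # SELinux type used on the page

# fcontext path specifications are regular expressions, so escape regex
# metacharacters in names that are meant literally (e.g. "my.blog").
escape_regex() {
    printf '%s' "$1" | sed 's/[].[^$*+?(){}|\\]/\\&/g'
}

# gen_spec BLOGNAME: print one semanage line per writable path.
gen_spec() {
    blog=$1
    # Refuse names that would leave WP_BASE or break the quoting.
    case $blog in
        ''|.|..|*/*|*\'*|*[[:space:]]*)
            echo "gen_spec: invalid blog name: '$blog'" >&2
            return 1 ;;
    esac
    root=$(escape_regex "$WP_BASE/$blog")

    # Single objects: only the named file or directory gets the label.
    for p in '/\.htaccess' '/wp-content' '/wp-content/wp-cache-config\.php'; do
        printf "fcontext -a -f 'all files' -t %s '%s%s'\n" "$RW_TYPE" "$root" "$p"
    done
    # Subtrees: the directory and everything beneath it.
    for d in blogs.dir cache plugins themes upgrade uploads; do
        printf "fcontext -a -f 'all files' -t %s '%s/wp-content/%s(/.*)?'\n" \
            "$RW_TYPE" "$root" "$(escape_regex "$d")"
    done
}

# Usage: sh gen-spec.sh note-to-self > spec.semanage
if [ "$#" -gt 0 ]; then
    gen_spec "$1"
fi
```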

.htaccess

Create the top-of-tree .htaccess and ensure that it has the correct ownership and permissions.

$ cd /var/wordpress/note-to-self
$ sudo touch .htaccess
$ sudo chown apache:apache .htaccess
$ sudo restorecon -v -v .htaccess

Site Recipe

$ cd /var/wordpress
$ sudo selinux/copy-context note-to-self
$ sudo restorecon -v -v note-to-self/wp-content
$ sudo restorecon -v -v -R note-to-self/wp-content/{plugins,themes,upgrade,uploads}

Notes

  1. Do not use the recursive option (-R) on wp-content itself.
  2. The writability of wp-content itself is probed; e.g. for plugin installation.

Others’ Recipes
