WordPress file owner and permissions with nginx on CentOS 7 (SELinux on)

As a security tool, SELinux is great. However, it gives me nightmares when I set up a WordPress site with nginx.

File owner and permission setup:

  • I set the owner of all WordPress files to MY_USER_NAME
  • I add MY_USER_NAME to the nginx group
  • I set all WordPress files to group-readable and group-writable (so that nginx can read and write)

sudo usermod -a -G nginx MY_USER_NAME

sudo chown -R MY_USER_NAME:nginx *

sudo find . -type d -exec chmod 775 {} \;
sudo find . -type f -exec chmod 664 {} \;

Problem 1: cannot upload media files
Problem 2: cannot install plugins (WordPress asks for FTP credentials)

Fix 1:

chcon -t httpd_sys_rw_content_t html

maybe: 
sudo chcon --reference=html example.com
sudo chcon --reference=html example.com/html

When I check SElinux log with:

sudo sealert -a /var/log/audit/audit.log

I find that SELinux prevents nginx/php-fpm from writing to example.com/html.

But I did not get any warning when I started nginx. As I remember, starting Apache without this fix will fail?

Fix 2:

sudo chown -R nginx wp-content
sudo chown -R nginx wp-admin

maybe:
sudo chcon --reference=../html wp-content

I thought changing the owner of wp-content would be enough, but no, it does not work. I had to change the owner of wp-admin as well.

On Fedora 25:
SELinux blocks php-fpm from accessing the MySQL port. To allow this access:

setsebool -P httpd_can_network_connect_db 1

For memcache:

setsebool -P httpd_can_network_memcache 1
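As an added example (not part of the original post), the POSIX sh script below turns the steps above into one reviewable plan: the post's ownership and permission changes, but with the writable SELinux label confined to wp-content and made persistent with semanage fcontext rather than chcon (a chcon label is lost on the next restorecon or relabel). The docroot, owner name and web group are assumed placeholders; on CentOS 7 the group to use is whatever php-fpm runs as (`user =` in /etc/php-fpm.d/www.conf).

```shell
#!/bin/sh
# Added example, not from the original post. Emits (does not run) the commands
# that apply the post's fixes to one WordPress docroot, keeping the writable
# SELinux label on wp-content only. Assumed placeholders: docroot, owner, group.

# The SELinux type is the third colon-separated field of a context string
# (what `ls -Z` or `stat -c %C` prints), e.g. system_u:object_r:TYPE:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds only for the type that lets the httpd_t domain (nginx and php-fpm
# on the stock CentOS 7 policy) write; httpd_sys_content_t is read-only.
is_rw_type() {
    case "$1" in
        httpd_sys_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# plan DOCROOT OWNER WEBGROUP -> review the output, then pipe it to `sudo sh`.
# WEBGROUP is the account php-fpm runs as (`user =` in /etc/php-fpm.d/www.conf).
plan() {
    docroot=$1 owner=$2 web=$3
    cat <<EOF
usermod -a -G $web $owner
chown -R $owner:$web $docroot
find $docroot -type d -exec chmod 750 {} \;
find $docroot -type f -exec chmod 640 {} \;
# only wp-content (uploads, plugins, upgrade) needs to be writable by php-fpm
find $docroot/wp-content -type d -exec chmod 770 {} \;
find $docroot/wp-content -type f -exec chmod 660 {} \;
# persistent labels: read-only tree, rw only under wp-content, then apply them
# (-m updates a rule that already exists, so the plan can be re-run)
semanage fcontext -a -t httpd_sys_content_t "$docroot(/.*)?" 2>/dev/null || semanage fcontext -m -t httpd_sys_content_t "$docroot(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "$docroot/wp-content(/.*)?" 2>/dev/null || semanage fcontext -m -t httpd_sys_rw_content_t "$docroot/wp-content(/.*)?"
restorecon -R $docroot
# plugin installs: WordPress compares the owner of wp-admin/includes/file.php
# with the owner of a temp file it creates; either chown wp-admin to $web as
# the post does, or put define('FS_METHOD', 'direct'); in wp-config.php
setsebool -P httpd_can_network_connect_db 1
EOF
}
```

After running the plan, `ls -Z` on wp-content should show httpd_sys_rw_content_t and the rest of the tree httpd_sys_content_t; `sealert -a /var/log/audit/audit.log` should then report no denials for the docroot.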

More details are HERE.
