Configuring SELinux for WordPress

I recently installed WordPress 2.9.2 on my webservers.

Since these servers are obviously connected to the Internet, they run with SELinux enabled. With the default policy, this means that the standard FTP functionality in the WordPress admin panel for managing themes and plugins does not work.

If you configure SELinux properly, you can enjoy the comforts of WordPress without compromising security.

By default, all files and directories under /var/www/ have the “httpd_sys_content_t” file context, which allows Apache (the httpd_t domain) to read all web content, but not to write to it.

The FTP daemon is not allowed to write to files with that context either, so you cannot use FTP to install or upgrade WordPress plugins and themes without changing the SELinux context of the relevant directories and files. Any attempt to do so from the wp-admin panel will result in an error, even if you set the directory permissions to “777” (a very bad habit, by the way!): SELinux is checked in addition to the normal permission bits, not instead of them.

Ownership and Permissions

The standard Unix file ownership and permissions still apply, so we need to:

  1. Make sure that the Apache user can read all web content
  2. Make sure that your FTP account can write to the wp-content/plugins, wp-content/themes and wp-content/upgrade directories

Example 1: Single webmaster

Let’s assume that your FTP account is “webmaster”, group “webmaster”. Directory permissions can be set at 775 or 755:

  drwxrwxr-x 8 webmaster webmaster 4096 Jun 10 20:40 plugins
  drwxrwxr-x 6 webmaster webmaster 4096 Jun 10 20:40 themes
  drwxrwxr-x 2 webmaster webmaster 4096 Jun 10 20:40 upgrade

File permissions can be set at 664 or 644:

  -rw-rw-r-- 1 webmaster webmaster      Jun 10 20:40 index.php

Everyone else (the “other” permission class, which includes the Apache user) only has read access to the files.

Example 2: Multiple webmasters

Let’s assume that your FTP accounts are “alice” and “bob”, both members of group “webmaster”. Alice is the primary owner of the website. Directory permissions should now be set at 2775:

  drwxrwsr-x 8 alice webmaster 4096 Jun 10 20:40 plugins
  drwxrwsr-x 6 alice webmaster 4096 Jun 10 20:40 themes
  drwxrwsr-x 2 alice webmaster 4096 Jun 10 20:40 upgrade

The important thing to note here is the “Set Group ID bit” on the directory (the “2” in “2775”, shown as an “s” in the group execute position of the directory listing). The effect of the SetGID bit is that all files and subdirectories created in these directories automatically get group “webmaster”, regardless of which webmaster created them.

File permissions should be set at 664:

  -rw-rw-r-- 1 alice webmaster      Jun 10 20:40 index.php

This way, Alice has full access. Bob, as a member of group “webmaster”, also has full access. All other users (including the Apache user) only have read access to the files.

SELinux context

With ownership and permissions out of the way, we can now focus on the proper SELinux context. We need to:

  1. Make sure that the files are readable by the Apache server (httpd)
  2. Make sure that the files are writable by the FTP server (ftpd, more specifically vsftpd)

Files and directories can have only one SELinux context, so we need to choose a type that grants both httpd and ftpd the proper access.

A brief consultation of the relevant manual pages, httpd_selinux(8) and ftpd_selinux(8), yields that a context of public_content_rw_t is the most appropriate: both domains may read it, and each can be granted write access separately through a boolean.

  cd /var/www/html/wp-content/
  chcon -R -v -t public_content_rw_t plugins/ themes/ upgrade/

This SELinux context grants read access to both Apache and vsftpd. Note that chcon only changes the label on disk: a relabel (restorecon, or a full filesystem relabel on boot) will reset these directories to httpd_sys_content_t unless you also record the rule persistently with semanage fcontext. Write access is enabled on a “per-domain” basis with a boolean. In this case, we grant write access to the FTP server only; Apache deliberately keeps read-only access, so a compromised PHP script still cannot modify plugins or themes:

  setsebool -P allow_ftpd_anon_write on
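The ownership, permission and SELinux steps above, collected into one script. This is an added example and not part of the original post; it assumes the multiple-webmaster layout (primary owner plus a shared “webmaster” group), the wp-content path from the post, that semanage is available (policycoreutils-python on RHEL/CentOS), and that the boolean may be called either ftpd_anon_write (newer policies) or allow_ftpd_anon_write (older ones).

```shell
#!/bin/sh
# Added example: apply the post's ownership, permission and SELinux
# configuration to a WordPress wp-content directory. Paths, user and
# group names are the post's assumptions, not fixed requirements.
set -eu

# The three directories WordPress writes to when installing/upgrading
# plugins and themes over FTP (wp-content/upgrade is its scratch space).
WP_WRITABLE_DIRS="plugins themes upgrade"

# Step 1: ownership and mode bits (Example 2, multiple webmasters).
# Directories get 2775 so new files inherit the group; files get 664.
# Apache falls in the "other" class and therefore only gets read access.
set_wp_perms() {
    wp_content=$1   # e.g. /var/www/html/wp-content
    owner=$2        # primary webmaster, e.g. alice
    group=$3        # shared group, e.g. webmaster
    for d in $WP_WRITABLE_DIRS; do
        mkdir -p "$wp_content/$d"
        chown -R "$owner:$group" "$wp_content/$d"
        find "$wp_content/$d" -type d -exec chmod 2775 {} +
        find "$wp_content/$d" -type f -exec chmod 664 {} +
    done
}

# Step 2: SELinux labelling. chcon alone is undone by the next
# restorecon, so the rule is recorded with semanage fcontext first
# and restorecon then applies it (and re-applies it after any relabel).
label_wp_dirs() {
    wp_content=$1
    command -v semanage >/dev/null 2>&1 || {
        echo "semanage not found; install policycoreutils-python" >&2
        return 1
    }
    for d in $WP_WRITABLE_DIRS; do
        pattern="$wp_content/$d(/.*)?"
        # -a fails if a rule for this pattern already exists; -m updates it.
        semanage fcontext -a -t public_content_rw_t "$pattern" 2>/dev/null \
            || semanage fcontext -m -t public_content_rw_t "$pattern"
    done
    restorecon -Rv "$wp_content"
}

# Step 3: let the ftpd domain write to public_content_rw_t. Apache is
# deliberately NOT given write access (httpd_anon_write stays off).
allow_ftp_write() {
    setsebool -P ftpd_anon_write on 2>/dev/null \
        || setsebool -P allow_ftpd_anon_write on
}

# Step 4: show the result so the labels and boolean can be verified.
show_wp_state() {
    wp_content=$1
    for d in $WP_WRITABLE_DIRS; do
        ls -ldZ "$wp_content/$d"
    done
    getsebool ftpd_anon_write 2>/dev/null || getsebool allow_ftpd_anon_write
}

# Typical use on the server (as root):
#   set_wp_perms /var/www/html/wp-content alice webmaster
#   label_wp_dirs /var/www/html/wp-content
#   allow_ftp_write
#   show_wp_state /var/www/html/wp-content
```

Run set_wp_perms again after uploading files by hand; the find/chmod pass is idempotent and fixes any file that arrived with the wrong mode. Because the boolean applies to the whole ftpd domain, including anonymous logins, keep anonymous_enable=NO in vsftpd.conf so that only authenticated webmasters can write.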

On newer policies this boolean is simply called ftpd_anon_write; check with getsebool -a | grep ftpd_anon_write. Despite its name, it applies to every vsftpd login, anonymous or not, so make sure anonymous_enable=NO is set in vsftpd.conf, or anonymous users would be able to write to your plugin and theme directories. That is all – you should now be able to use the FTP functionality in WordPress to manage your themes and plugins.

Questions? Remarks? Leave a comment!